I got an email from PayPal suggesting that I upgrade to using an authenticator app for my two-factor authentication on login. It will apparently keep my account more secure. How do I sign up for this better account security solution?
Online security has had to keep evolving to stay a step ahead of the hackers and criminals who want to break into our accounts, steal our money, or misuse them. For some accounts a compromise is no big deal (your free joke-a-day email newsletter subscription isn't much of a risk), but for others it can be a serious problem. Foremost among those are online banks and payment services: even if you have a small balance, a criminal gaining access to your account is going to be a huge problem.
As a result, every online financial institution has long encouraged people to move from simple passwords to complex ones, and to enable two-factor authentication, or 2FA. Complex passwords make it harder for bad actors to guess their way into your account, and 2FA means you need two forms of proof that you're really you: one is your password, and the other is typically something you hold, such as your mobile phone.
If you haven't yet enabled two-factor authentication on your PayPal account, well, that's overdue. But as the company is now telling people, authenticator apps are more secure than codes sent by regular text message. One reason is that a texted code is typically accepted for several minutes, while an authenticator app generates a fresh code every 30 seconds and the old one stops being accepted shortly after. Another is that a text message goes to a phone number, and phone numbers can be hijacked (SIM-swap fraud) or intercepted, whereas an authenticator app's codes are computed from a secret that never leaves your device. But there's a subtler problem too: many computers can now be configured to mirror all of your text messages, so someone with access to your laptop (especially if they can also get into your password manager) will see the confirmation-code texts as well!
I've been with PayPal for many years now (even back to when they were the original x.com) and have long since set up 2FA. I also received one of those email messages from PayPal, as it happens, so let's start there…
DON’T CLICK ON EMAIL LINKS!
Here’s what PayPal sent me:
There's a link in the email to let you easily sign into your PayPal account, but it's hard to understand why PayPal would include it: never click on links in email that purport to take you to a financial institution, because that is exactly how phishing messages work. Fortunately, it's still an informative message, and you can simply type "paypal.com" into your browser's address bar to be safe.
I’ll do just that, using the existing phone-based 2FA I’ve set up to complete my login:
PayPal texts me a six-digit number and a notification for it also appears on my computer screen. Handy, but it does somewhat defeat the purpose.
Once logged in, go to Settings > Security:
It's 2-step verification you want, but before you click it, download an authenticator app to your mobile device. I have Microsoft Authenticator, Google Authenticator, and Authy, and prefer the latter, so that's the one I'll use. They're all available through your phone's app store.
ADDING A SECOND 2FA METHOD TO YOUR PAYPAL ACCOUNT
Once you’re ready, click on “Update” for 2-step verification. Here’s what it shows:
The smart way to add this second authenticator app verification is to set it up as a backup device. That’s easily done by choosing “Add a device“.
Security keys are even more secure (a hardware key only answers the genuine site, so a look-alike phishing page can't relay your login the way it can relay a typed code), but few people use them outside of corporate jobs, so most folks are going to opt for "Use an authenticator app". On your phone, you'll want to have already installed and signed into Authy, Google Authenticator, or Microsoft Authenticator so it's ready to go.
Tap on “Set It Up” and you’ll see…
I've obfuscated the QR code in the screenshot: it encodes the secret key that every future login code is derived from, so treat it like a password and never share it. Yours should be easily scanned on the phone.
MEANWHILE, IN THE AUTHY APP
At this point, it’s time to pick up your mobile device and tap on the “+” icon to add a new site. You’ll see something very similar to this:
Tap on the "Scan QR Code" button and point your phone's camera at the QR code on your computer screen. After a moment or two it should scan and decode the information, then let you choose a logo and account nickname. I'll opt for simple and straightforward:
Once that's saved, you can sit and watch the authentication code change every thirty seconds. The app and PayPal each compute the code from the shared secret and the current time, so they stay in sync without ever talking to each other: every code expires quickly, but the current one is always valid. Kinda magical.
Since it keeps changing, there's no security risk in my sharing my current six-digit code here. It's long since expired as a second-factor authentication code for my PayPal account!
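To make the "kinda magical" part concrete, here is an added example (not PayPal's, Authy's, or this post's own code) showing what a TOTP authenticator app actually does, following RFC 6238 and RFC 4226: it decodes the secret from the enrollment QR code, combines it with the current 30-second time step under HMAC-SHA1, and truncates the result to six digits. The enrollment URI, account name, and secret below are constructed for illustration (the secret is the RFC 6238 test key, not a real PayPal one); the `verify_totp` function is what a server-side check looks like, accepting one step of clock drift either way.

```python
# Added example: how a TOTP authenticator derives its six-digit code (RFC 6238 / RFC 4226).
# Not PayPal's or Authy's code; the enrollment URI and secret below are constructed.
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlsplit


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    # take 4 bytes at the offset, drop the sign bit, reduce to `digits` decimal digits
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(time / period).
    Phone and server compute this independently; that is why the code rolls every 30 s."""
    return hotp(secret, unix_time // period, digits)


def parse_otpauth_uri(uri: str) -> dict:
    """Decode the otpauth:// URI carried by an enrollment QR code.
    The `secret` is the long-term key: anyone holding it can mint valid codes forever."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP enrollment URI")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    b32 = params["secret"].replace(" ", "").upper()
    b32 += "=" * (-len(b32) % 8)  # issuers usually omit base32 padding; restore it
    return {
        "label": unquote(parts.path.lstrip("/")),
        "issuer": params.get("issuer"),
        "secret": base64.b32decode(b32),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
    }


def verify_totp(secret: bytes, code: str, unix_time: int, period: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the current step plus `window` steps either side
    for clock drift, comparing in constant time."""
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * period, period, digits)
        if hmac.compare_digest(expected, code):
            return True
    return False


# Constructed enrollment URI standing in for the real PayPal QR code. The account is
# made up and the secret is the RFC 6238 test key (ASCII "12345678901234567890" in base32).
SAMPLE_URI = ("otpauth://totp/PayPal:user%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=PayPal&digits=6&period=30")

if __name__ == "__main__":
    enrol = parse_otpauth_uri(SAMPLE_URI)
    now = int(time.time())
    code = totp(enrol["secret"], now, enrol["period"], enrol["digits"])
    print(f"{enrol['issuer']} ({enrol['label']}): {code}, "
          f"valid for {enrol['period'] - now % enrol['period']} more seconds")
    # The six-digit code is worthless once its step (and the drift window) has passed;
    # the decoded secret is not, which is why the QR code must never be shared.
    assert verify_totp(enrol["secret"], code, now)
    assert not verify_totp(enrol["secret"], code, now + 120)
```

Two things worth noticing: nothing in `totp` contacts PayPal, so the app works with the phone in airplane mode, and the only input an attacker would need to clone your authenticator is the base32 `secret` from the QR code. The displayed digits are a one-way derivative of it, which is why sharing an expired code is harmless while sharing the QR code is not.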
BACK ON THE COMPUTER
Once you’ve completed the mobile device steps, you’ll want to enter the current six-digit code to prove it’s all set up properly, at which point PayPal confirms the new setup:
At this point I recommend you click on the "Set as primary" link near the bottom, where it says "Authenticator App". This means that the next time you log in to your PayPal account, it will by default expect a code from your authenticator app (Authy, in my case) rather than text you one. The new display:
All looks good. Congrats, you’re all set up!
LOGGING INTO PAYPAL WITH AN AUTHENTICATOR APP
Log out, then log in again. This time after you’ve entered your password it shows the following:
At this point, pull out your phone, open Authy, and enter the six-digit code it shows for PayPal. It's that simple. If you don't have your phone nearby, you can still get a text-message security code (which would then show up on your computer if you've set it up that way) by clicking on "Try another way"…
That's it. Now you have an authenticator app set up as your default extra layer of login security, but you also know how to fall back to text messaging for 2FA as needed. One caveat: as long as text messaging remains an enabled backup, anyone who can receive your texts can still use "Try another way", so the authenticator app raises the default bar rather than removing the weaker option entirely. Stay safe out there!
Pro Tip: I’ve been writing about PayPal since the founding of the popular online financial company. Please do check out my PayPal help area for more tutorials and how-to guides. Thanks!