A decade ago eBay gave users the option of two factor authentication using the PayPal security key to generate a one time password each time you log into the site. The idea is that unless someone knows the unique algorithm for your security key they can’t access your account even if they know your eBay password and user name.
Two factor authentication relies on something you have and something you know – physically you have your PayPal security key and you know your pin or password.
Take-up has been relatively low in the grand scheme of things, plus if you don’t have your PayPal security key with you when you want to log in you would have to bypass it anyway.
Now eBay are informing users of a new way to log in securely, still using two factor authentication, but using your smartphone. They say “We’ve made 2-step verification more convenient and will text you a PIN instead of you using your token. All you need is a mobile device. If you use our app, you’ll need the latest version of that too”.
This makes a lot of sense: you’re much more likely to have your mobile with you than your PayPal security key. It’s one less thing to carry around, plus of course PayPal is no longer an eBay company (although the keys aren’t unique to PayPal and you could in theory use a third party’s key anyway).
It’s more convenient and there’s less to carry around, so if you currently use the PayPal security key, consider switching to your mobile device today.
Do you have a link to activate this option?
That link worked.
This is an interesting approach to signing up for the service in that, having once used that link, it implies that this is now the default access method for my account. A very low friction approach to improving online security.
I also got the invitation by mail from “eBay” but initially wondered whether this was a fake / phishing mail because there already is no need to carry anything else if you have your mobile phone with you. The “Symantec VIP Access” app on my phone works just like the PayPal security key to enable 2FA.
Terrible decision. You don’t need a physical token, you can use a soft token (Verisign VIP) on your mobile device, which I’ve been using for years. Further, SMS based two factor authentication is inherently less secure since SMS can easily be intercepted by various strains of mobile malware or SIM based attacks. Just last year NIST stated that the use of SMS for two factor authentication was being deprecated and no longer allowed in future releases of its digital authentication guidance.
It would be good if they’d allow multiple phone numbers. PayPal allows us to have 3 (and probably more), it lets us select which phone to send the verification pin to when we login.
Anyone know if it’s possible on eBay?
Just to update I have now turned it off. Ability to only use one number is a joke, we have multiple members of staff using the same account for various things, for PayPal we can have multiple phone numbers and this works fine.
Also it will sometimes tell you the code is incorrect despite it being correct. It feels like a rushed attempt to implement 2FA.