I’ve been using 2FA on PayPal since 2007, when they introduced the feature with a modestly priced physical token. I later switched to a free soft token, specifically the Symantec VIP app, which I wrote about back in 2013. But it’s March December 2020 and it’s time to take another look at the state of 2FA on PayPal.
Unsurprisingly, the instructions I wrote in 2013 to set up the Symantec VIP app on PayPal no longer work… or do they? On the current PayPal website, someone who navigates to Settings, Security, 2-step verification, and clicks Add a device, will only have the choice to set up a TOTP app such as Google Authenticator or Authy. This is a feature PayPal apparently added in 2019.
However, with some quick Googling I found a link to the Activate your PayPal security key page from my previous article, and it still works (and looks) like it did in the past! This raises the question, why bother with this? In the past several years, many websites have implemented 2FA using TOTP apps, so I think most people are probably better off using it instead of Symantec VIP. One interesting option is if someone wanted to use a physical token, they could buy a Symantec Authenticator, which is still available on Amazon, and apparently stills work on PayPal. For most people, though, TOTP is the right in 2020.
Update (2021 May 10): I received an email recently from PayPal explaining that they are dropping support for Symantec VIP on June 25. It recommends switching to a TOTP app or SMS, and includes instructions to do so.