Set up 2FA (Two Factor Authentication) for PayPal with Google Authenticator (or other TOTP client)

Jake Barnes
Nov 4, 2017

Update 2019–04–19

PayPal has finally got with the times and now supports normal 2FA, no more tricks required! Check out https://benbrian.net/authenticator-app-support-in-paypal-finally/ for how to set it up. I highly recommend doing it that way instead of my old way here. I can confirm it even works with the mobile apps.

If you need a new service to hate on for messing up 2FA, how about Sentry?

Original Article (avoid!)

You’d be forgiven for thinking PayPal didn’t support 2FA, let alone TOTP, as they make it difficult to find and set up.

First, log in to PayPal normally. Then, go to https://www.paypal.com/webscr?cmd=_setup-security-key to set up a new “security key”:

Select the second option (the one which isn’t SMS), and you’ll be asked for three pieces of information:

Now’s where it gets interesting. PayPal nominally only supports some dumb proprietary system from Symantec, but it turns out it’s just TOTP with a custom provisioning algorithm, which has been reverse engineered and made into a helpful open source tool which we can use: https://github.com/dlenski/python-vipaccess.

I’ve made a simple page to automate the process for you, which you can find at https://jakebarn.es/paypal. Just enter what you want and it’ll give you all the information you need. Enter the Serial Number into the form on PayPal and import the key into your TOTP app, either using the link or by scanning the QR code.

There are no distro-provided packages as far as I can tell (even on the AUR!), so we’ll install it manually, which isn’t very hard. First install pip, a Python package manager, usually available as python-pip in your system package manager (note: on distros that still default to Python 2, such as Ubuntu, you want python3-pip and the command pip3). Then install the tool by running sudo pip install python-vipaccess. It should take a couple of minutes to download and build all the dependencies.

You can now generate your “security key” by simply running vipaccess provision -p -t VSMT. This will print out all the information needed, including the otpauth://... URL and ID. The ID looks like VSMT12345678 and is what goes in the first field back on PayPal’s form.

Next we just need to import it into our TOTP app, such as Google Authenticator. The easiest way to do this is of course with a QR code, so we need to turn that otpauth://... URL into one. There are probably websites to do it, but I used qrencode, which is a command-line tool. You can edit the VIP%20Access:VSMT12345678 and issuer=Symantec parts of the URL to control the label shown in the app, but I didn’t bother.

Now all that’s left is to put two consecutive codes generated by your app into the other two fields back on PayPal’s form, click “Activate”, and you’re done! From now on you can select this new security key when signing in and use the code generated by your app. No more insecure SMSes!*

*Several people have mentioned the PayPal mobile apps still only work with SMS security codes unfortunately.
