by oefrha 1397 days ago
> So I have a complex password and TOTP to protect my account. Forget these, because PayPal's default method of login is now a one-time code sent via SMS. Yes, the very same medium that is generally considered unsafe for two-factor authentication is used by PayPal as the only factor; bypassing both password and TOTP for what appears to be full access to your account. You cannot disable this method of login, and you cannot remove your phone number from your account.

> Tested in Incognito – as soon as you enter an email address to log into PayPal, an SMS is immediately sent and the phone number is revealed.

Just tested, can't reproduce. I get the standard email => password => TOTP flow. Also happened to have logged in yesterday on a new device, so pretty sure nothing changed between the blog post and now, at least not for me.

Maybe it's something being rolled out to more customers at the moment.


OP here - I just tried again and got the normal flow this time. Guessing they must be A/B testing SMS one-time codes as the default.
I've had it like that for months now. Maybe it's a geographical thing; for some reason a lot of this stuff comes early to Australia?
FB engineer explained they always rolled features out to New Zealand first - similar user behavior as the US but outside the eye of the tech press & smaller market (so less risk).
They actually split Ireland and AU/NZ more recently.
AFAIK with 2FA enabled you'll get SMS prompts only exceptionally.
With 2FA enabled in Germany, I always get the SMS prompt. Still, I would wish for support for a proper authenticator app here.
> Just tested, can't reproduce.

I have seen this for weeks/months now. It happens when you are about to make a purchase. So for instance, if you click on pay with paypal on a different website, it shows up, presumably to reduce friction or improve clickthrough.

I've been getting this off and on for a while now. It never proactively sent me the SMS, but it yanks me out of the normal auth flow and asks if I want to authenticate by text, making me click a button to just use my password + 2FA.
Can't send sms if there's no phone number to begin with (I never added). Accidentally big brain time