Set up 2FA app for PayPal

by Anton Semjonov

Table of Contents

tl;dr: the option to add TOTP security keys on PayPal is somewhat hidden, it uses Verisign Identity Protection provisioning

It is becoming common knowledge that you should use two-factor authentication whenever possible. Some services allow the use of TOTP apps on your smartphone, some only want so send you SMS codes .. and others use proprietary tokens.

I had activated SMS codes with PayPal for a while now but I always had the urge to centralize all my 2FA codes in my FreeOTP app. Sites like GitHub, Backblaze and Dropbox all easily support this. However, PayPal always appeared to only support SMS codes. Then I stumbled upon this blog post saying otherwise. I’ll summarize the necessary steps below.

Preparations

Install python-vipaccess

Apparently the VIP Access tokens are based on the open TOTP standard, which is supported by most authenticator apps. Based on this reverse-engineering effort, @cyrozap and @dlenski built a handy little python script which allows us to provision new tokens: https://github.com/dlenski/python-vipaccess

Installing it directly via pip failed for me but installing the dependencies seperately and then installing the script from a cloned repository worked fine:

$ cd $(mktemp -d)
$ sudo pip install lxml oath pycryptodome requests
$ git clone https://github.com/dlenski/python-vipaccess .
$ sudo pip install .

Note: Make sure to use Python 3’s pip, called python3-pip or pip3 in some distributions.

Provision a new token

This should have installed the vipaccess command on your system. Now run vipaccess provision -p -t VSMT to provision a new ‘mobile token’. If you get an Something went wrong--the token is invalid. error, check your installation of python-cryptodome. Otherwise you should see output like this:

$ vipaccess provision -p -t VSMT
Generating request...
Fetching provisioning response...
Getting token from response...
Decrypting token...
Checking token...
Credential created successfully:
	otpauth://totp/VIP%20Access:VSMT89594652?secret=GAHXEUAHO6KE63TUJGVHS53VVKHACPVN&digits=6&period=30&algorithm=sha1&issuer=Symantec
This credential expires on this date: 2021-03-02T14:46:00.744Z

You will need the ID to register this credential: VSMT89594652

You can use oathtool to generate the same OTP codes
as would be produced by the official VIP Access apps:

    oathtool -d6 -b --totp    GAHXEUAHO6KE63TUJGVHS53VVKHACPVN  # 6-digit code
    oathtool -d6 -b --totp -v GAHXEUAHO6KE63TUJGVHS53VVKHACPVN  # ... with extra information

(This is a new and unused token.)

Save in your 2FA app

This step depends on what kind of application you use. You don’t necessarily have to use a smartphone app of course. Usually, you’ll want to display a QR code to scan with your app, though. I use qrencode for this.

To modify the title of your entry, you can edit the string starting with otpauth://.... So instead of

otpauth://totp/VIP%20Access:VSMT89594652?secret=...

you could use

otpauth://totp/PayPal:VSMT89594652?secret=....

The string needs to be urlencoded though, so e.g. use %20 instead of spaces. Then display a QR code in your terminal with qrencode and scan it with your app:

Note that using an online tool to create this QR code might not be the wisest idea. Please don’t use this example either.

Set up security key

To set up this token as a new security key in PayPal, log in and navigate to https://www.paypal.com/webscr?cmd=_setup-security-key. You’ll be given two options. Select the ‘Security Key’ option.

In order to activate your token you are asked for a serial number and two 6-digit codes.

The serial number is the VSMT... string from your provisioning: VSMT89594652 in the example above. And the 6-digit codes are two consecutive codes generated by your authenticator app.

Depending on your application you might need to tap the PayPal entry you just created and enter the code you see for the first 6-digit code. Then simply wait a few seconds until the next code appears or tap again after a few seconds to display the immediate next code and enter that in the last field.

Click Activate on the bottom of the page and ta-da!

As a last step you can now remove or deactivate your SMS security key and simply use your 2FA app from now on. If you also use a strong password your security questions are probably your weakest link after this …