We’ve been doing a series of posts about setting up two-factor authentication (2FA) on a variety of sites that you may use every day.
Our first post of the series received a comment requesting a walk-through on setting up 2FA for an eBay account.
According to the Two Factor Auth List, eBay does indeed support 2FA (at least on the US version). So, spurred on by this most excellent comment from a faithful Naked Security reader, off I went to research the steps.
Generally, the process for setting up 2FA nowadays is very straightforward. After all, companies that offer 2FA want to make it as easy as possible to entice folks like you and me to use them.
In the case of eBay, I spent over an hour trying to figure out how to enable 2FA on my account. It was mind-bogglingly disjointed and difficult.
I went down the proverbial rabbit hole just to try and find a clear, simple answer. After searching, all I found was:
- A static telephone PIN for my eBay account
- An option to enable 2FA via a key fob that I’d have to purchase
- 2FA for my linked PayPal account
I’ve retraced my steps in the post below for your edification.
Naked Security readers: If you are more eBay-fluent than I and find that I’ve missed an obvious, easier way to set up 2FA for eBay, please let me know and I will be very happy to correct this post.
The unnecessary saga of 2FA in eBay
I brushed the dust off my eBay account, logged in, clicked on “My eBay” and then the “Account” tab.
Hmm. No Security section there, but perhaps “Site Preferences” will help.
No luck. But I noticed a field under “Personal Information” called “Telephone PIN” that seemed promising. The language seemed 2FA-esque.
First, I needed to add a mobile phone to my account, which was straightforward. But then I was asked to set a 6-digit phone PIN, which isn’t what we’re looking for.
I noticed that I wasn’t asked for my PIN upon login either, so it seems this is a confirmation step upon purchase.
While it’s better than nothing, since the PIN doesn’t change this is basically 1FA. Like your password, the PIN is something you know.
The PIN doesn’t offer a second factor of authentication, like something you own – like a cell phone or an Authenticator app that receives or generates a unique code.
To spare you the boring details, I clicked every subsection of the “My Account” area, examined the “Security Center” in the eBay footer and even did the thing I hate most – consulting the “Help” section – but I found nothing even remotely hinting at Security settings.
I resorted to a bit of Googling, and managed to find this page buried within eBay itself about the PayPal Security Key.
The page assures the reader that the Security Key works for both eBay and PayPal, but that it must be initialized separately on each site, although it doesn’t say how.
The Overview page reassured me that I could use an app to secure my eBay account, and sent me to a promotional page that also assured me it was specifically for eBay. Great!
With the authenticator app downloaded, I was hopeful that this was the solution I’ve been looking for. But I still couldn’t find a way to link my authenticator to my eBay account.
So I went back to the page I’d discovered earlier, clicked the “Order Security Key” option on the left, and was prompted to log in to my PayPal account.
Upon logging in, PayPal says it will text me a code to my cell phone. So far, so good.
PayPal sent me a code to my cell phone, which I then verified:
And then I was referred to my PayPal account. Did it work? And what happened to my eBay account? No notification that I could find confirming it either way.
Back to the drawing board and to the earlier page.
I now tried “Activate Security Key” instead and was prompted to log back in to my eBay account.
Upon doing so, I was greeted by this screen with the message, “To activate your Security Key for use on your eBay account, follow the steps below. If you wish to activate the Security Key for your PayPal account, you must go to the Paypal activation page.”
That’s a physical key fob, which I don’t have, though they were available for purchase ($30 USD) on the Symantec page.
Undeterred, I still tried inputting the serial number and code from my authenticator app, but it didn’t work.
Since I still couldn’t find a way to link the mobile authenticator app to my account, I’m guessing this means the only 2FA supported by eBay is via the physical key fob that you’d have to purchase.
(I haven’t purchased the key fob, so I can’t verify personally if it works. Given how buried the 2FA page is on the site, it’s possible I found an old page for a feature that’s no longer supported, but I hope this isn’t the case.)
Setting up 2FA on PayPal
I found a post that mentioned 2FA via PayPal, at least for the US version.
While eBay did own PayPal for a few years, they split in 2014.
Still, PayPal is a pretty integral part of eBay, so this seemed like a promising lead. At the very least, if 2FA is enabled for PayPal, it’s an added layer of security at the purchase step.
For PayPal US users, as soon as you log in, click “Profile” under “My Account” and select “My settings.” You’ll see an option for a “Security Key.” Hit “Update” to proceed.
Next, you’ll need to register your mobile phone to your PayPal account if you haven’t already. Do so, and hit “Agree and Register.”
Now PayPal will text you a 6-digit code to your registered mobile device. (I could not find an option here to register with an authenticator app instead.)
Upon entering the code and hitting “Activate,” PayPal will confirm that you successfully enabled 2FA on your PayPal account.
It just shouldn’t be this hard
I do commend PayPal for offering 2FA. At the very least, a criminal trying to cause mischief by commandeering an eBay account would not be able to make purchases via PayPal without hitting the 2FA wall.
Though if you have a credit card linked to your eBay account, or don’t have a PayPal account at all, PayPal’s 2FA is out of the picture.
That said, hopefully eBay’s key fob 2FA works – if you can find it – but it should never be this difficult to set up 2FA.
I am hoping perhaps the lack of clarity around setting this up is only temporary, and hopefully the team at eBay is working on a better solution – preferably one that leverages a free authenticator app and/or SMS, instead of a purchase-only key fob.
If you are an eBay user who finds this process a bit lacking, I encourage you to send the team at eBay a note about making 2FA adoption easier overall.
Andy
I’m not sure why EBay doesn’t document this, but Symantec has a VIP app for iOS, Android, and Windows Phone. You can use any of those in place of the key fob.
Maria Varmazis
I did download the app and try to get that to work, but found no way to link my VIP app to my eBay account. Did I miss a step somewhere?
Anonymous
I don’t know about eBay, but I do have the app working for PayPal.
I think you just pretend the app is the same as the keyfob, and enter the information on that page.
Anonymous
1) Go to https://scgi.ebay.com/ws/eBayISAPI.dll?ActivateSecurityToken
2) Open your app, you will see your credential ID up top and current security code
3) Enter your credential id in [1] and your security code in [2]
4) Wait until your current security code disappears and a new one appears
5) Enter your newly generated security code in [3]
Basically you need to enter your credential id, and two last security codes displayed by the app while you are filling out the form.
It worked for me.
Anonymous
This worked for me using the Symantec VIP Access Android app.
I just started looking into 2FA for eBay because I’ve gotten locked out of my account a half dozen times in the past week. Ebay keeps telling me they suspected unauthorized access on my account and I have to reset my password. Hoping enabling 2FA puts an end to this.
Anonymous
This works, using VIP Access from Symantec as authenticator. Make sure to enter the “credential ID” without spaces in Ebay’s form (VIP Access displays it with spaces).
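One way a server could check the activation form described in the comments above (credential ID plus two codes in a row), as an added sketch that is not part of the original post or comments and not eBay's or Symantec's code. It assumes a standard RFC 6238 TOTP token (30-second step, 6 digits, HMAC-SHA1); the function names, the drift window and the sample credential ID are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid (RFC 6238 default, assumed here)
DIGITS = 6   # code length (assumed)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 for the time step containing unix_time."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def normalize_credential_id(raw: str) -> str:
    """Drop the spaces the app inserts when it displays the credential ID."""
    return "".join(raw.split())


def activate(tokens, raw_id, code1, code2, server_time, window=2):
    """Bind a token only if code1 and code2 are consecutive codes.

    Returns the token's clock drift in time steps, or None on failure.
    """
    secret = tokens.get(normalize_credential_id(raw_id))
    if secret is None:
        return None
    now = server_time // STEP
    for drift in range(-window, window + 1):
        step = now + drift
        if step < 0:
            continue
        first = totp(secret, step * STEP).encode()
        second = totp(secret, (step + 1) * STEP).encode()
        # Evaluate both comparisons so timing does not reveal which one failed.
        ok1 = hmac.compare_digest(first, code1.encode())
        ok2 = hmac.compare_digest(second, code2.encode())
        if ok1 and ok2:
            return drift
    return None


# Constructed sample data: RFC 6238 test secret, made-up credential ID.
TOKENS = {"ABCD12345678": b"12345678901234567890"}

if __name__ == "__main__":
    secret = TOKENS["ABCD12345678"]
    c1, c2 = totp(secret, 45), totp(secret, 75)  # two codes in a row
    print(activate(TOKENS, "ABCD 1234 5678", c1, c2, server_time=45))   # in sync
    print(activate(TOKENS, "ABCD 1234 5678", c1, c1, server_time=45))   # same code twice
    print(activate(TOKENS, "ABCD 1234 5678", c1, c2, server_time=185))  # stale codes
```

Requiring two consecutive codes shows the token is live and advancing rather than a single replayed value, and the returned drift lets the server compensate for a token whose clock is slightly off.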
Anonymous
Perfect instructions. Worked great! I only wish this was easier for people to find.
Fathomless Bottom
Great instructions, worked for me. I actually have a Canadian eBay account, which is linked to the US site, and the 2FA works when I try to log into either ebay.ca or ebay.com.
Thanks!
Anonymous
Thanks, works on iPhone too with Symantec VIP access app!
Raoul Miller (@RaoulMiller)
That link no longer works (as of 7/2/17)
Julian
An interesting article. It is not just me, then!
It is possible to set up Google Authenticator (or Yubico Authenticator, if you have a Yubikey) as a VIP Key. It requires a bit of work, but there is a Python app which can do all the hard work for you and generate the codes you need. I have been using Yubico Authenticator successfully with Paypal for over a year. I had looked at linking it to Ebay too, but given up, for the same reasons as you.
Maria Varmazis
Very interesting — and I’m glad it’s not just me either. But given that a lot of people use eBay every day, I’m really hoping someone will comment and let me know that I’ve missed a really obvious solution somewhere.
Andy
You would do it the same way as with a hard token, enter the Token ID (which is displayed in the App) and then validate a code or two. It’s been years since I’ve done it (they’ve had the token support for a long time) but it worked.
jay87bea
It is not just me, then!
It is possible to use Google Authenticator (or Yubico Authenticator if you have a Yubikey) as a VIP Access code generator. It requires a bit of work, but there is a Python app (https://github.com/cyrozap/python-vipaccess) that will do all the hard work for you and generate the codes (and a QR Code) for you to enter into Authenticator. I have been using Yubico Authenticator successfully with Paypal for a year.
I spent some time trying to link this to Ebay, but I have found no way of doing it. It appears that you cannot get a Paypal security key in the UK (you have to use your phone), so maybe the option isn’t available on UK Ebay accounts.
gary
Maria, you didn’t miss anything, sadly. @jay87bea you can order security keys from the States that work with the UK eBay and PayPal sites, but they’re not always easy to get; they sell out a lot.
Mxx
Have you tried contacting Ebay’s support and asking them where’s that missing info and how to enable software-based 2fa?
Maria Varmazis
A great question – I did indeed call their support line and I couldn’t get a straight answer about it, my questions about 2fa were answered with something akin to “well, if something fishy is going on with your account, we’ll prompt you with security questions or lock the account completely.” I’m starting to think that eBay’s 2fa is completely unsupported at this point.
Andrew
I’m not surprised eBay can’t get security right — they don’t even offer an HTTPS version of their site. Any attempts to securely get anything that isn’t a login page just redirect back to HTTP…
Reader
This is EXACTLY the kind of hassle I went through in a FUTILE effort to set up 2FA on my eBay account. At one point, it DID allow me to set up 2FA and then it just as inexplicably went away and to date has never returned. I am mystified.
Initially, I had almost as much difficulty setting up 2FA for my PayPal account, but that seems to have sorted itself out.
eBay still still still won’t let me set up 2FA. So aggravating!
Craig
Glad I’m not the only one! 1) eBay should have 2FA 2) It shouldn’t be this hard!
Anonymous
I tried the Symantec VIP app and I’m getting an “Internal Error” from eBay. There’s a chance now that PayPal has moved away from hard-tokens (and moved to SMS tokens), that eBay (which relied on PayPal for much of its tech direction) will have to stop supporting hard/soft tokens as well. I don’t much like SMS, because it’s not encrypted. And anyone who knows how to clone a phone can bypass it as security. But it’s better than nothing. Does PayPal permit using soft tokens (like VIP)? If so, I’d switch over to that. But I talked to their reps last year and they were moving away from all hard/soft tokens.
Anonymous
I used the Activate link today and the Symantec VIP app information. You enter the “Credential ID” as the “Serial Number” and then two sequential security codes (before the second one expires). I did this today on a bank account, PayPal, and eBay. Had to try twice on eBay, but presumably only because I typoed something the first time.
Niclas
TO ALL – THIS WORKED !!
Thanx :-)
Capi...
Two-factor authentication for International users, for both PayPal and eBay is Urgently needed! – U2F and hardware tokens shall be at Top on their security pending list.
Anonymous
I think you should update this post to reflect the successful method of using the VIP Access application. That method does work, but you have to read all of the comments to figure it out. Also, the comments referring to Google Authenticator and Python make it look harder than it is. The VIP Access method is actually pretty easy.
John Navas
It shouldn’t be necessary to use a particular proprietary app, especially one that isn’t in wide use. eBay and PayPal should generate a K Secret Key for any TOTP authenticator plus the QR code supported by Google Authenticator.
Meanwhile PayPal has a system problem that’s forced many users to disable 2FA, and makes security harder than it needs to be by forcing users to type in passwords rather than paste them in from password generators, thereby discouraging use of strong passwords.
Shame on them both.
Gary
Ebay’s security is lax but if there is a problem YOU will suffer the consequences.
The way to go is FIDO U2F. Tokens are cheap, some sell for less than USD 10 (HyperSecu, Happlink). There is nothing to retype – just a button to press. And the server-side software implementation is very simple.
Dropbox and Gmail have it and it works well.
PayPal SMS tokens are so lame.
John Navas
The problem with FIDO U2F is that many users aren’t willing to buy and use security keys. That’s why TOTP software authentication (like Google Authenticator) is so important. But not Symantec VIP (used by eBay and PayPal), because it uses the same ID (serial) on all sites, so the compromise of any one site compromises them all. (What were they thinking?!)
Alain
“Ebay’s security is lax but if there is a problem YOU will suffer the consequences”
you are SO right – I’m a victim of their lack of security… dam them!
SMS tokens are better than nothing, and should be a min requirement IMO. Hard token is something most users might not want to deal with though. Linking paypal is a big mistake in this lack of security.
Eastpak1984
In the German web interface there is no option to enable it. :-(
Joe
Paypal seems to have disabled use of the VIP Access App.
The problem with the VIP Access app is that it needs to be reinstalled if you factory-reset the phone. And then you need to deactivate the old key and activate a new one.
Since January, I have not been able to activate a new key on the Paypal site. It always reports a “communication error.”
It continues to work on eBay.
NS Dial
PayPal finally cut the cord and doesn’t allow new 2 factor connections to be made to ebay. As of today however, the old RSA/Paypal type security keys are being converted to a phone based 2fa type. Neither the Ebay nor the PayPal support techs I spoke with were aware of the change or at least would not communicate that anything changed. Ebay sent an email today with a link to convert my older type 2FA to the phone / txt based token.
Alain
My ebay account got hacked, and since I made the mistake to link my Paypal account (wish I never did this convenience) they were able to make illegal purchase which I’m battling with my Bank to reverse (can take months even though item never shipped). Worse part is I’m now getting 3000+ spam emails a day the thieves used to cover their track (hint: if you get suddenly spam flood, check your paypal or other financial accounts). SO MAD at ebay as they don’t provide 2FA (unlike google or paypal) which led me to this article! since ebay can be linked to paypal it should be as safe and require at least an SMS token if you’re on a machine it doesn’t recognize… unless I’m mistaken all it takes is the fixed password to start a shopping spree on ebay. INCREDIBLY BAD! I was told thieves will then call the seller and change the shipping address to receive the goods. 2 weeks later and still getting spam flood on my gmail.. down to about 600 a day instead of few a week I used to get…. so fuming! DAM YOU EBAY
Zedsefi
Two days ago, my Top rated seller account has been hacked. The issue has been fixed by eBay, and I have asked eBay to step up and give me a better protection.
Well, eBay did just that, but probably tougher than what I expected. Now I need to verify my devices by phone calling eBay and providing a verification code every time a change happens. The issue is: This verification method is very annoying. I need to re-verify every time my browser’s cookies get deleted or a change of IP address / location occurs. This is a bit too much!
Smart companies verify devices by recognizing the physical MAC address of these devices, so that we don’t need to do the verification more than once, unless we report a device as stolen or a new device is going to be used. Two steps authentication is also another solution. I don’t want to phone call eBay whenever I reset my browser’s setting on my iPhone for instance, or a PC or a tablet, as long as I am using the same devices.
Best regards,
Zed Sefi
WTFarther
2FA on Ebay for new accounts (or old accounts that never had 2FA setup before in the old days) is more like hidden-in-plain-sight as a 1FA texting of a one-time passcode. when you sign in on Ebay, instead of logging in as usual by typing in your email (or username) and password, click the link “Text a temporary password”, then you’ll get a prompt where you type in your email (or username), and then Ebay finds your corresponding cell number, and then you click to have Ebay send you a text. you get a text with a six-character alphanumeric passcode, you input that on Ebay and you’re in. this confusing 1FA texting is probably a security method in obfuscation to throw people off because you may end up thinking backwards and sideways to understand how this is laid out at first.
of course, you most likely have no hope if someone has both your email (or your username) and your real actual password. Ebay is most likely counting on people having secure passwords, because that is probably all you can count on most non-techie people (who never heard of 2FA) to do nowadays and going forward forever. hopefully Ebay has security measures in place to detect if any bad guys (who are not really you) are trying to get into your account. haha yeah wishful thinking. yeah, it is kinda hard to have any faith in the great Ebay gods in the Ebay cloud.
Bachsau
The physical key fob uses the same key generation techniques as the VIP Access app from VeriSign, which can be used as a drop-in replacement and activated the same way.
Kevin
If you have more than one PayPal account like me, one personal and one business, it demands two (2) different phone numbers for 2FA. Seems unnecessary to me?
And if you have x PP accounts, you will need to have access to x phones!
Anonymous
Looks like ebay has made it easier to use 2FA. However it seems limited to SMS messages. Go to Personal Information in My Account settings. Then at the very bottom there is an option to enable 2FA. Use your phone number and Voila!
Anonymous
Agreed with the above comment! It works perfectly now!
Anonymous
Agreed. Ebay now supports SMS 2FA. That being said Tokens don’t look like they are supported. Go to Personal Information in My Account settings. Then there will be an option at the very bottom. All works now!