Skip to content
Naked Security Naked Security

Setting up two-factor authentication on eBay: harder than it should be

Most services that offer two-factor authentication make it as easy as possible to set up. Unfortunately, eBay doesn't.

We’ve been doing a series of posts about setting up two-factor authentication (2FA) on a variety of sites that you may use every day. 

Our first post of the series received a comment requesting a walk-through on setting up 2FA for an eBay account.

According to the Two Factor Auth List, eBay does indeed support 2FA (at least on the US version). So, spurred on by this most excellent comment from a faithful Naked Security reader, off I went to research the steps.

Generally, the process for setting up 2FA nowadays is very straightforward. After all, companies that offer 2FA want to make it as easy as possible to entice folks like you and me to use them.

In the case of eBay, I spent over an hour trying to figure out how to enable 2FA on my account. It was mind-bogglingly disjointed and difficult.

I went down the proverbial rabbit hole just to try and find a clear, simple answer. After searching, all I found was:

  • A static telephone PIN for my eBay account
  • An option to enable 2FA via a key fob that I’d have to purchase
  • 2FA for my linked PayPal account

I’ve retraced my steps in the post below for your edification. 

Naked Security readers: If you are more eBay-fluent than I and find that I’ve missed an obvious, easier way to set up 2FA for eBay, please let me know and I will be very happy to correct this post.

The unnecessary saga of 2FA in eBay

I brushed the dust off my eBay account, logged in, clicked on “My eBay” and then the “Account” tab.

ebay2fa1

Hmm. No Security section there, but perhaps “Site Preferences” will help.

ebay2fa2

No luck. But I noticed a field under “Personal Information” called “Telephone PIN” that seemed promising. The language seemed 2FA-esque.

First, I needed to add a mobile phone to my account, which was straightforward. But then I was asked to set a 6-digit phone PIN, which isn’t what we’re looking for.

I noticed that I wasn’t asked for my PIN upon login either, so it seems this is a confirmation step upon purchase.

ebay2fa3

While it’s better than nothing, since the PIN doesn’t change this is basically 1FA. Like your password, the PIN is something you know.

The PIN doesn’t offer a second factor of authentication, like something you own – like a cell phone or an Authenticator app that receives or generates a unique code.

To spare you the boring details, I clicked every subsection of the “My Account” area, examined the “Security Center” in the eBay footer and even did the thing I hate most – consulting the “Help” section – but I found nothing even remotely hinting at Security settings.

ebay2fa4

I resorted to a bit of Googling, and managed to find this page buried within eBay itself about the PayPal Security Key.

The page assures the reader that the Security Key works for both eBay and PayPal, but that it must be initialized separately on each site. Although, it doesn’t say how.

The Overview page reassured me that I could use an app to secure my eBay account, and sent me to a promotional page that also assured me it was specifically for eBay. Great!

With the authenticator app downloaded, I was hopeful that this was the solution I’ve been looking for. But I still couldn’t find a way to link my authenticator to my eBay account.

So I went back to the page I’d discovered earlier, clicked the “Order Security Key” option on the left, and was prompted to log in to my PayPal account.

Upon logging in, PayPal says it will text me a code to my cell phone. So far, so good.

ebay2fa5a

PayPal sent me a code to my cell phone, which I then verified:

ebay2fa5b

And then I was referred to my PayPal account. Did it work? And what happened to my eBay account? No notification that I could find confirming it either way.

Back to the drawing board and to the earlier page.

I now tried “Activate Security Key” instead and was prompted to log back in to my eBay account.

Upon doing so, I was greeted by this screen with the message, “To activate your Security Key for use on your eBay account, follow the steps below. If you wish to activate the Security Key for your PayPal account, you must go to the Paypal activation page.”

ebay2fa6

That’s a physical key fob, which I don’t have, though they were available for purchase ($30 USD) on the Symantec page.

Undeterred, I still tried inputting the serial number and code from my authenticator app, but it didn’t work.

Since I still couldn’t find a way to link the mobile authenticator app to my account, I’m guessing this means the only 2FA supported by eBay is via the physical key fob that you’d have to purchase.

(I haven’t purchased the key fob, so I can’t verify personally if it works. Given how buried the 2FA page is on the site, it’s possible I found an old page for a feature that’s no longer supported, but I hope this isn’t the case.)

Setting up 2FA on Paypal

I found a post that mentioned 2FA via Paypal, at least for the US version.

While EBay did own Paypal for a few years, they split in 2014.

Still, Paypal is a pretty integral part of eBay, so this seemed like a promising lead. At the very least, if 2FA is enabled for PayPal, it’s an added layer of security at the purchase step.

For PayPal US users, as soon as you log in, click “Profile” under “My Account” and select “My settings.” You’ll see an option for a “Security Key.” Hit “Update” to proceed.

ebay2fa7 copy

Next, you’ll need to register your mobile phone to your PayPal account if you haven’t already. Do so, and hit “Agree and Register.”

ebay2fa8

Now PayPal will text you a 6-digit code to your registered mobile device. (I could not find an option here to register for with an authenticator app instead.)

ebay2fa9

Upon entering the code and hitting “Activate,” PayPal will confirm that you successfully enabled 2FA on your PayPal account.

It just shouldn’t be this hard

I do commend PayPal for offering 2FA. At the very least, a criminal trying to cause mischief by commandeering an eBay account would not be able to make purchases via PayPal without hitting the 2FA wall.

Though if you have a credit card linked to your eBay account, or don’t have a PayPal account at all, PayPal’s 2FA is out of the picture.

That said, hopefully eBay’s key fob 2FA works – if you can find it – but it should never be this difficult to set up 2FA.

I am hoping perhaps the lack of clarity around setting this up is only temporary, and hopefully the team at eBay is working on a better solution – preferably one that leverages a free authenticator app and/or SMS, instead of a purchase-only key fob.

If you are an eBay user who finds this process a bit lacking, I encourage you to send the team at eBay a note about making 2FA adoption easier overall.


41 Comments

I’m not sure why EBay doesn’t document this, but Symantec has a VIP app for iOS, Android, and Windows Phone. You can use any of those in place of the key fob.

Reply

I did download the app and try to get that to work, but found no way to link my VIP app to my eBay account. Did I miss a step somewhere?

Reply

I don’t know about eBay, but I do have the app working for PayPal.
I think you just pretend the app is the same as the keyfob, and enter the information on that page.

Reply

1) Go to https://scgi.ebay.com/ws/eBayISAPI.dll?ActivateSecurityToken
2) Open your app, you will see your credential ID up top and current security code
3) Entery your credential id in [1] and your security code in [2]
4) Wait until your current security code dissapears and a new one appears
5) Enter your newly generated security code in [3]

Basically you need to enter your credential id, and two last security codes displayed by the app while you filling out the form.

It worked for me.

Reply

This worked for me using the Symantec VIP Access Android app.

I just started looking into 2FA for eBay because I’ve gotten locked out of my account a half dozen times in the past week. Ebay keeps telling me they suspected unauthorized access on my account and I have to reset my password. Hoping enabling 2FA puts an end to this.

Reply

This works, using VIP Access from Symantec as authenticator. Make sure to enter the “credential ID” without spaces in Ebay’s form (VIP Access displays it with spaces).

Reply

Great instructions, worked for me. I actually have a Canadian eBay account, which is linked to the US site, and the 2FA works when I try to log into either ebay.ca or ebay.com.
Thanks!

Reply

An interesting article. It is not just me, then!

It is possible to set up Google Authenticator (or Yubico Authenticator, if you have a Yubikey) as a VIP Key. It requires a bit of work, but there is a Python app which can do all the hard work for you and generate the codes you need. I have been using Yubico Authenticator successfully with Paypal for over a year. I had looked at linking it to Ebay too, but given up, for the same reasons as you.

Reply

Very interesting — and I’m glad it’s not just me either. But given that a lot of people use eBay every day, I’m really hoping someone will comment and let me know that I’ve missed a really obvious solution somewhere.

Reply

You would do it the same way as with a hard token, enter the Token ID (which is displayed in the App) and then validate a code or two. It’s been years since I’ve done it (they’ve had the token support for a long time) but it worked.

Reply

It is not just me, then!
It is possible to use Google Authenticator (or Yubico Authenticator if you have a Yubikey) as a VIP Access code generator. It requires a bit of work, but there is a Python app (https://github.com/cyrozap/python-vipaccess) that will do all the hard work for you and generate the codes (and a QR Code) for you to enter into Authenticator. I have been using Yubico Authenticator successfully with Paypal for a year.
I spent some time trying to link this to Ebay, but I have found no way of doing it. It appears that you cannot get a Paypal security key in the UK (you have to use your phone), so maybe the option isn’t available on UK Ebay accounts.

Reply

maria you didnt miss anything sadly @jay87bea you can order security keys from the states that work with the uk ebay and paypal sites but there not always easy to get they sell out alot

Reply

Have you tried contacting Ebay’s support and asking them where’s that missing info and how to enable software-based 2fa?

Reply

A great question – I did indeed call their support line and I couldn’t get a straight answer about it, my questions about 2fa were answered with something akin to “well, if something fishy is going on with your account, we’ll prompt you with security questions or lock the account completely.” I’m starting to think that eBay’s 2fa is completely unsupported at this point.

Reply

I’m not surprised eBay can’t get security right — they don’t even offer an HTTPS version of their site. Any attempts to securely get anything that isn’t a login page just redirect back to HTTP…

Reply

This is EXACTLY the kind of hassle I went through in a FUTILE effort to set up 2FA on my eBay account. At one point, it DID allow me to set up 2FA and then it just as inexplicably went away and to date has never returned. I am mystified.

Initially, I had almost as much difficulty setting up 2FA for my PayPal account, but that seems to have sorted itself out.

eBay still still still won’t let me set up 2FA. So aggravating!

Reply

I tried the Symantec VIP app and I’m getting an “Internal Error” from eBay. There’s a chance now that PayPal has moved away from hard-tokens (and moved to SMS tokens), that eBay (which relied on PayPal for much of its tech direction) will have to stop supporting hard/soft tokens as well. I don’t much like SMS, because its not encrypted. And anyone who knows how to clone a phone can bypass it as security. But its better than nothing. Does PayPal permit using soft tokens (like VIP)? If so, I’d switch over to that. But I talked to their reps last year and they were moving away from all hard/soft tokens.

Reply

I used the Activate link today and the Symantec VIP app information. You enter the “Credential ID” as the “Serial Number” and then two sequential security codes (before the second one expires). I did this today on a bank account, PayPal, and eBay. Had to try twice on eBay, but presumably only because I typoed something the first time.

Reply

Two-factor authentication for International users, for both PayPal and eBay is Urgently needed! – U2F and hardware tokens shall be at Top on their security pending list.

Reply

I think you should update this post to reflect the successful method of using the VIP Access application. That method does work, but you have to read all of the comments to figure it out. Also, the comments referring to Google Authenticator and Python make it look harder than it is. The VIP Access method is actually pretty easy.

Reply

It shouldn’t be necessary to use a particular proprietary app, especially one that isn’t in wide use. eBay and PayPal should generate a K Secret Key for any TOTP authenticator plus the QR code supported by Google Authenticator.
Meanwhile PayPal has a system problem that’s forced many users to disable 2FA, and makes security harder than it needs to be by forcing users to type in passwords rather than paste them in from password generators, thereby discouraging use of strong passwords.
Shame on them both.

Reply

Ebay’s security is lax but if there is a problem YOU will suffer the consequences,
The way to go is FIDO U2F. Tokens are cheap, some sell for less than USD 10 (HyperSecu, Happlink). There is nothing to retype – just a button to press. And the server-side software implementation is very simple.
Dropbox and Gmail have it and it works well.
PayPal SMS tokens are so lame.

Reply

The problem with FIDO U2F is that many users aren’t willing to buy and use security keys. That’s why TOTP software authentication (like Google Authenticator) is so important. But not Symantec VIP (used by eBay and PayPal), because it uses the same ID (serial) on all sites, so the compromise of any one site compromises them all. (What were they thinking?!)

Reply

“Ebay’s security is lax but if there is a problem YOU will suffer the consequences”
you are SO right – I’m a victim of their lack of security… dam them!

SMS tokens are better than nothing, and should be a min requirement IMO. Hard token is something most used might not want to deal with though. Linking paypal is a big mistake in this lack of security.

Reply

The problem with FIDO U2F is that many users aren’t willing to buy and use security keys. That’s why TOTP software authentication (like Google Authenticator) is so important. But not Symantec VIP (used by eBay and PayPal), because it uses the same ID (serial) on all sites, so the compromise of any one site compromises them all. (What were they thinking?!)

Reply

Paypal seems to have disabled use of the VIP Access App.
The problem with the VIP Access app is that it needs to be reinstalled if you factory-reset the phone. And then you need deactivate the old key and activate a new one..
Since January, I have not been able to activate a new key on the Paypal site. It always reports a “communication error.”
It continues to work on eBay.

Reply

Pay pal finally cut the cord and doesn’t allow new 2 factor connections to be made to ebay. As of today however, the old RSA/Paypal type security keys are being converted to a phone based 2fa type. Neither Ebay and Pay pal support techs I spoke with were aware of the change or at least would not communicate that anything changed. Ebay sent an email today with a link to convert my older type 2FA to the phone / txt based token.

Reply

My ebay account got hacked, and since I made the mistake to link my Paypal account (wish I never did this convenience) they were able to make illegal purchase which I’m battling with my Bank to reverse (can take months even though item never shipped). Worse part is I’m now getting 3000+ spam emails a day the thiefs used to cover their track (hint: if you get suddenly spam flood, check your paypal or other financial accounts). SO MAD at ebay as they don’t provide 2FA (unlike google or paypal) which lead me to this article! since ebay can be linked to paypal it should be as safe and require at least an SMS token if you’re on a machine it doesn’t recognize… unless I’m mistaken all it takes is the fixed password to start a shopping spree on ebay. INCREDIBLY BAD! I was told thielf will then call the seller and change the shipping address to receive the goods. 2 weeks later and still getting spam flood on my gmail.. down to about 600 a day instead of few a week I used to get…. so fumming! DAM YOU EBAY

Reply

Two days ago, my Top rated seller account has been hacked. The issue has been fixed by eBay, and I have asked eBay to step up and give me a better protection.

Well, eBay did just that, but probably tougher than what I expected. Now I need to verify my devices by phone calling eBay and providing a verification code every time a change happens. The issue is: This verification method is very annoying. I need to re-verify every item my browser’s cookies get deleted or a change of IP address / location occurs. This is a bit too much!

Smart companies verify devices by recognizing the physical MAC address of these devices, so that we don’t need to do the verification more than once, unless we report a device as stolen or a new device is going to be used. Two steps authentication is also another solution. I don’t want to phone call eBay whenever I reset my browser’s setting on my iPhone for instance, or a PC or a tablet, as long as I am using the same devices.

Best regards,
Zed Sefi

Reply

2FA on Ebay for new accounts (or old accounts that never had 2FA setup before in the old days) is more like hidden-in-plain-sight as a 1FA texting of a one-time passcode. when you sign in on Ebay, instead of logging in as usual by typing in your email (or username) and password, click the link “Text a temporary password”, then you’ll get a prompt where you type in your email (or username), and then Ebay finds your corresponding cell number, and then you click to have Ebay send you a text. you get a text with a six-character alphanumeric passcode, you input that on Ebay and you’re in. this confusing 1FA texting is probably a security method in obfuscation to throw people off because you may end up thinking backwards and sideways to understand how this is laid out at first.

of course, you most likely have no hope if someone has both your email (or your username) and your real actual password. Ebay is most likely counting on people having secure passwords, because that is probably all you can count on most non-techie people (who never heard of 2FA) to do nowadays and going forward forever. hopefully Ebay has security measures in place to detect if any bad guys (who are not really you) are trying to get into your account. haha yeah wishful thinking. yeah, it is kinda hard to have any faith in the great Ebay gods in the Ebay cloud.

Reply

The physical key fob uses the same key generation techniques as the VIP Access app from Versign, which can be used as a drop-in replacement and activated the same way.

Reply

If you have more than one PayPal account like me, one personal and one business, it demands two (2) different phone numbers for 2FA. Seems unnecessary to me?

And if you have x PP accounts, you will need to have access to x phones!

Reply

Looks like ebay has made it easier to use 2FA. However it seems limited to SMS messages. Go to Personal Information in My Account settings. Then at the very bottom there is an option to enable 2FA. Use your phone number and Voila!

Reply

Agreed. Ebay now supports SMS 2FA. That being said Tokens don’t look like they are supported. Go to Personal Information in My Account settings. Then there will be an option at the very bottom. All works now!

Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!