Setting up two-factor authentication on eBay: harder than it should be

We’ve been doing a series of posts about setting up two-factor authentication (2FA) on a variety of sites that you may use every day. 

Our first post of the series received a comment requesting a walk-through on setting up 2FA for an eBay account.

According to the Two Factor Auth List, eBay does indeed support 2FA (at least on the US version). So, spurred on by this most excellent comment from a faithful Naked Security reader, off I went to research the steps.

Generally, the process for setting up 2FA nowadays is very straightforward. After all, companies that offer 2FA want to make it as easy as possible to entice folks like you and me to use them.

In the case of eBay, I spent over an hour trying to figure out how to enable 2FA on my account. It was mind-bogglingly disjointed and difficult.

I went down the proverbial rabbit hole just to try and find a clear, simple answer. After searching, all I found was:

I’ve retraced my steps in the post below for your edification. 

Naked Security readers: If you are more eBay-fluent than I and find that I’ve missed an obvious, easier way to set up 2FA for eBay, please let me know and I will be very happy to correct this post.

The unnecessary saga of 2FA in eBay

I brushed the dust off my eBay account, logged in, clicked on “My eBay” and then the “Account” tab.

Hmm. No Security section there, but perhaps “Site Preferences” will help.

No luck. But I noticed a field under “Personal Information” called “Telephone PIN” that seemed promising. The language seemed 2FA-esque.

First, I needed to add a mobile phone to my account, which was straightforward. But then I was asked to set a 6-digit phone PIN, which isn’t what we’re looking for.

I noticed that I wasn’t asked for my PIN upon login either, so it seems this is a confirmation step upon purchase.

While it’s better than nothing, since the PIN doesn’t change this is basically 1FA. Like your password, the PIN is something you know.

The PIN doesn’t offer a second factor of authentication, like something you own – like a cell phone or an Authenticator app that receives or generates a unique code.
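The difference between a fixed PIN and a code generated on a device you own, as an added example that is not part of the original post. It assumes an RFC 6238 time-based code as a stand-in for what an authenticator app generates (the post does not say which algorithm eBay's or PayPal's app uses); the PIN value and the function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time window (RFC 6238 default)

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 code: HMAC-SHA1 over the time-step counter, then RFC 4226 truncation."""
    counter = unix_time // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def check_pin(stored_pin: str, submitted: str) -> bool:
    """A static PIN check: the same value is valid at any time."""
    return hmac.compare_digest(stored_pin, submitted)

def check_totp(secret: bytes, submitted: str, now: int, drift: int = 1) -> bool:
    """Accept the code for the current window, plus/minus `drift` windows for clock skew."""
    return any(
        hmac.compare_digest(totp(secret, now + i * STEP), submitted)
        for i in range(-drift, drift + 1)
    )

def replay_demo() -> dict:
    """Someone who observed both values once tries them again an hour later."""
    secret = b"12345678901234567890"   # RFC 6238 test secret, lives only on the device
    pin = "482913"                     # constructed sample PIN
    t_seen, t_later = 59, 59 + 3600
    seen_code = totp(secret, t_seen)
    return {
        "pin_when_seen": check_pin(pin, pin),
        "pin_replayed": check_pin(pin, pin),          # still valid: it never changes
        "code_when_seen": check_totp(secret, seen_code, t_seen),
        "code_replayed": check_totp(secret, seen_code, t_later),  # expired
    }

if __name__ == "__main__":
    for name, accepted in replay_demo().items():
        print(f"{name:15} accepted={accepted}")
```

A production verifier would also remember the last accepted window so that a code cannot be reused inside its own validity period.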

To spare you the boring details, I clicked every subsection of the “My Account” area, examined the “Security Center” in the eBay footer and even did the thing I hate most – consulting the “Help” section – but I found nothing even remotely hinting at Security settings.

I resorted to a bit of Googling, and managed to find this page buried within eBay itself about the PayPal Security Key.

The page assures the reader that the Security Key works for both eBay and PayPal, but that it must be initialized separately on each site, although it doesn’t say how.

The Overview page reassured me that I could use an app to secure my eBay account, and sent me to a promotional page that also assured me it was specifically for eBay. Great!

With the authenticator app downloaded, I was hopeful that this was the solution I’ve been looking for. But I still couldn’t find a way to link my authenticator to my eBay account.

So I went back to the page I’d discovered earlier, clicked the “Order Security Key” option on the left, and was prompted to log in to my PayPal account.

Upon logging in, PayPal says it will text me a code to my cell phone. So far, so good.

PayPal sent me a code to my cell phone, which I then verified:

And then I was referred to my PayPal account. Did it work? And what happened to my eBay account? No notification that I could find confirming it either way.

Back to the drawing board and to the earlier page.

I now tried “Activate Security Key” instead and was prompted to log back in to my eBay account.

Upon doing so, I was greeted by this screen with the message, “To activate your Security Key for use on your eBay account, follow the steps below. If you wish to activate the Security Key for your PayPal account, you must go to the Paypal activation page.”

That’s a physical key fob, which I don’t have, though they were available for purchase ($30 USD) on the Symantec page.

Undeterred, I still tried inputting the serial number and code from my authenticator app, but it didn’t work.

Since I still couldn’t find a way to link the mobile authenticator app to my account, I’m guessing this means the only 2FA supported by eBay is via the physical key fob that you’d have to purchase.

(I haven’t purchased the key fob, so I can’t verify personally if it works. Given how buried the 2FA page is on the site, it’s possible I found an old page for a feature that’s no longer supported, but I hope this isn’t the case.)

Setting up 2FA on PayPal

I found a post that mentioned 2FA via PayPal, at least for the US version.

While eBay did own PayPal for a few years, they split in 2014.

Still, PayPal is a pretty integral part of eBay, so this seemed like a promising lead. At the very least, if 2FA is enabled for PayPal, it’s an added layer of security at the purchase step.

For PayPal US users, as soon as you log in, click “Profile” under “My Account” and select “My settings.” You’ll see an option for a “Security Key.” Hit “Update” to proceed.

Next, you’ll need to register your mobile phone to your PayPal account if you haven’t already. Do so, and hit “Agree and Register.”

Now PayPal will text you a 6-digit code to your registered mobile device. (I could not find an option here to register with an authenticator app instead.)

Upon entering the code and hitting “Activate,” PayPal will confirm that you successfully enabled 2FA on your PayPal account.

It just shouldn’t be this hard

I do commend PayPal for offering 2FA. At the very least, a criminal trying to cause mischief by commandeering an eBay account would not be able to make purchases via PayPal without hitting the 2FA wall.

Though if you have a credit card linked to your eBay account, or don’t have a PayPal account at all, PayPal’s 2FA is out of the picture.

That said, hopefully eBay’s key fob 2FA works – if you can find it – but it should never be this difficult to set up 2FA.

I am hoping perhaps the lack of clarity around setting this up is only temporary, and hopefully the team at eBay is working on a better solution – preferably one that leverages a free authenticator app and/or SMS, instead of a purchase-only key fob.

If you are an eBay user who finds this process a bit lacking, I encourage you to send the team at eBay a note about making 2FA adoption easier overall.
