A little under two years ago, I looked into how one might go about securing an eBay account using two-factor authentication (2FA).
At the time, it wasn’t clear whether eBay officially supported 2FA or not, and I found a number of dead-end paths when trying to actually set up my account with 2FA – old documentation pages about 2FA appeared to be buried or completely deprecated, and many links were simply dead. Calls to customer service didn’t help much, as the reps I spoke to had no idea what I was talking about or why I was asking.
There were legacy documentation pages about using a third-party time-based token authentication service, but these were mostly dead-ends as well and I had, to put it mildly, an extraordinarily difficult time trying to set things up.
By the end of it all, I had tried (and tried!) to set up 2FA on my account, but really to no avail. I concluded my piece with a plea for readers to let me know if I’d missed something obvious in trying to secure my account, or at the very least to ask eBay nicely to make this process easier.
Over time, many of our Naked Security readers chimed in on my story, saying either that they’d had similar experiences or that they’d found a workaround.
As more time passed, the comments changed tone entirely: readers reported that the 2FA process was now simple and easy to complete. Based on what readers like you had commented, it sounded like something had changed for the better. Clearly, it was past time for me to revisit this story.
I’m quite relieved and thankful to report that since I first wrote the eBay 2FA story, eBay has not only binned its previous byzantine 2FA procedure, but has replaced it with something that’s both easy to find and easy to use.
Now, happily, this is how you can easily set up 2FA on your eBay account.
- Log in to your account.
- Go to your account settings by clicking on your name in the upper left (where it says “Hi [your name]!”) and clicking Account settings in the dropdown.
- In the My Account menu on the left that now appears, click Personal information.
- Scroll to the bottom of the Personal Information screen, and you’ll now see a field that says Security Information, with the 2 step verification option underneath it. If it is switched to “off”, click the Edit option on the right.
- Follow the instructions on the screen. eBay 2FA supports voice and SMS factors (no support for time-based token authentication, like Google Authenticator or Duo, as far as I can tell).
- You’ll get a confirmation once it’s set up. Easy peasy!
I’m relieved that eBay has now made this much easier for users, and hope if you’re an eBay user you’ll take a quick moment to get this set up on your account.
Anonymous
[insert “that was easy” button here]
Done, thanks!
Steve
eBay used to have a great 2FA feature using the Symantec VIP authentication token, back before anybody was even talking about 2FA. You could get a token with an LCD screen, use a special Yubikey, or get an app for your phone. Unfortunately when eBay and Paypal split, Paypal kept the support for the token but eBay was back to password only. It is good to see they support something again, but unfortunate that it is only SMS.
Eebs
Why are so many companies still relying on the useless SMS-based authentication when it’s so easy to integrate YubiKeys or other 2FA token methods?
Bryan
The same reason for everything else in preventative security:
cost and hassle vs. perceived benefit
There’s a shrinking-but-still-quite-significant ratio of people who lack appreciation and view proper security measures as an inconvenience. Okay, using proper security admittedly is an inconvenience, but *they* view it as one with not enough ROI–some inexplicably even after fighting identity or monetary theft issues.
“I didn’t get hacked yet again today, and my password is still better than Grandma’s password.” We all know how precarious that stance is, but to them, “500 days of not getting hacked” still overshadows the one outlier.
Then some who realize they *should* do better…mean well but never do. Yubikey on their ‘To Do’ list, they plan to ‘someday’ learn to use a password manager. By contrast, SMS is on the phone they already have and requires two minutes to configure and validate.
Companies must gauge their clientele before forcing security–or they annoy people and lose business. Even keeping it optional means there’s more to go wrong and more to support. Until the aforementioned ratio vanishes, this corporate hesitance will remain.
Until that ratio approaches 50% the syndrome will remain rampant.
honeycutt1969
Thank you for your timely article!
Jason
Do NOT enable Ebay’s horrible implementation of 2FA. I repeat… DO NOT enable this!!
2FA via SMS txt is 100% insecure! Jeeze… 60 Minutes even did a story on this where they hijacked 2 separate United States Senators’ TXTs & voice calls. And no, they didn’t resort to hacking their individual phones & installing malware. They simply hacked into the national cellular GRID and eavesdropped on their calls in real-time! The mobile grid can be snooped on by ANYONE in the world with a laptop & the cellular network sniffing programs (hello…. basically anyone with access to bittorrent or hacking forums).
Worse yet, you don’t even need to be a hacker. There are literally thousands and THOUSANDS of stories of random people simply calling up the telco and SOCIAL ENGINEERING their way into your acct… ie… getting the ATT or T-Mobile CS agent to simply switch over your mobile acct to some other random person’s new SIM card!! Presto, you’ve just lost access to your phone #, Data, and SMS txt msgs. So much for that secure 2FA code sent over SMS.
I repeat, DO NOT enable any 2FA that ONLY allows authentication tokens sent over SMS or voice! Doing so actually exposes your acct to a greater risk of being hijacked vs. simply using a username and LONG random password. Ebay allows massive 64+ char passwords (unlike PayPal).
Paul Ducklin
I hear you, but it’s not clear how a username + password + SMS 2FA code is *less* secure than just username + password, given that most people don’t get SIM-swapped, and given that many mobile providers these days allow you to lock down your mobile account to make it much harder for anyone (admittedly including you) to get a new SIM issued.
I suspect that the main reason that SMS 2FA appears to reduce security is because people treat the 2FA part as 1FA – in other words, they use the existence of 2FA as an excuse for picking a rubbish password that’s easy to guess, and fall back on the second factor of authentication as if it were their only security.
In other words, if the only sort of 2FA that you have is SMS-based, pick a password that you think is strong enough to use without 2FA, and then add the 2FA part anyway – in the same way that you almost certainly leave your car’s airbags activated even though you always wear a seatbelt.
(Very many more people get keylogged than get SIM swapped. And keyloggers give the crooks your password *no matter how long and complicated it is*. Yet you aren’t suggesting giving up on passwords because keyloggers are a reality.)
Not ammused
Ebay lets you choose 2FA via sms OR ‘use the ebay app’ then gives instructions on how to turn it on in the app. As mentioned already, I don’t want to use SMS because of sim swapping so I chose ‘use ebay app’. But… IT DOESN’T WORK!!! After following the setup, when you log into ebay online, it tells you to then ‘press the button on your security key and type the 6 digit code’!! What? I’m not using a security key! I chose ebay app. When you open the app, it doesn’t do anything either. I thought a code would just ‘pop up’ (like my banking app does). How ridiculous!
Scott
This folks (thank you Not ammused) – it’s not an authenticator, it’s the eBay app, but that seems way better than someone hijacking your phone number via a SIM swap attack to reset your password and take over your eBay account.
Maria – please update the article, this is much better than 2FA via SMS.
Scott
Sorry, have to reply to myself, could not get the eBay app 2FA to work either – literally wouldn’t finish the setup. Try again in a month or two after eBay finishes developing it. /s (2FA on SIM until then)
Capitan
eBay has a Bizarre view on how to implement 2FA. Not truly secure and certainly not “More Convenient” as they say. You have to use their Mobile “Authentication” App to enable 2FA. No, Not “More Convenient” because people usually use a real 2FA App or a Password Manager, such as Google Authenticator, Authy, KeePass, 1Password, Yubico Authenticator, etc. to store their OTP accounts, under just one roof. Where is the “More Convenient” part, by forcing you to use another app to store your eBay account’s OTP codes? More secure? I don’t think so. The Authenticator Apps and Password Managers mentioned above offer better security, better encryption, and better convenience, and you don’t need to install the eBay app on your mobile device if you don’t want to. Now, if eBay will truly care about Security, they should implement U2F Hardware Keys, such as the YubiKey, which not only offer the highest security, but are certainly more convenient to use than reaching for your phone, unlocking it, searching for the app, opening the app, and so on, so long. Additionally, if eBay will truly care about their Customers’ Privacy, they shouldn’t require you to install their app on your Mobile device. SMS, too, is a weak security implementation for delivering One Time Password (OTP) Codes.
Paul Ducklin
I got a bit confused here, because you say that eBay’s app is the only way but also mention SMS, so let me summarise (I checked on eBay itself).
* You can still use a password manager (you mention KeePass, 1Password and others) with your eBay account. We like password managers – try one if you haven’t already.
* If you want to do app-based 2FA, you do indeed have to use eBay’s own app, which has a code-based authenticator built in, just like Facebook’s app does. If you already have eBay’s app, this means you don’t have to mess around typing in an authenticator seed or scanning a QR code.
* Unlike Facebook, you can’t choose to export the 2FA authenticator seed to use a third-party 2FA code generator (like Sophos’s own one, or Google Authenticator) instead. This would be a nice feature, but I wouldn’t use the word “bizarre” to describe the fact that eBay doesn’t have it.
* If you don’t have or want to use eBay’s app, you will indeed need to provide your phone number and get 2FA codes via SMS.
SMS 2FA codes are widely criticised, mainly because NIST in the US plans to stop American public servants from using them. If a crook persuades a mobile phone shop to re-issue your SIM card to them, they can receive your codes and are one step closer to hacking your account, which is indeed an issue. But the crook still needs your username and password, and also needs you not to notice that your own phone has been cut off.
One of the biggest blockers to widespread 2FA adoption is that people couldn’t be bothered to activate it, and SMS 2FA has the advantage that it’s really easy to use. On the scale of convenience, it’s surely got to be right at the top. If you live in any modern city or large town, the chance of not receiving a text message almost immediately is pretty low.
I typically receive my SMS 2FA codes, when logging into accounts that use SMS, in the same time as or more quickly than it takes me to fire up my Sophos Authenticator app. I’ve missed exactly one authenticator SMS code in 6 years – a storm had blown the closest phone tower down. I went down the road a bit, problem sorted.
Also, SMS 2FA has a neat side-effect that if someone tries to login to your account, the SMS that turns up on your phone gives you a proactive warning of the rogue activity.
Yubikey fans would, indeed, love to be able to use them with eBay… but in the meantime, I would argue that SMS 2FA is better than no 2FA at all, unless you treat 2FA as an excuse for a weak password…
tlum
eBay app and SMS 2FA is a total joke. eBay still does not support “secure” token based 2FA. Not only are their only 2FA methods insecure, they’re dependent on other infrastructure that is relatively slow and subject to their own service outages. Not to single out eBay, this is the sad state of affairs with most providers who are doing 2FA.