Why no longer allowing token for 2FA?

I just received an email from eBay.com saying:

"Starting on May 30, 2-step verification will only be done with your phone. Your token won't work anymore. You can still use 2-step verification by receiving a text or phone call with the security code."

Why are you doing this? Hardware tokens are known to be far more secure than two-factor authentication (2FA) using a cell phone. The US National Institute of Standards and Technology (NIST) has deprecated 2FA using SMS or phone, for government systems, because it's far too easy for someone to change the contact phone number if an account has been taken over. As long as I have my token in my possession, no-one can log in to my account.

If you find the uptake of tokens among your customers has been too small, it makes some sense to also allow a less secure method of 2FA, but surely the cost of continuing to support tokens for customers who actually care about security can't be that great. This is a very regressive move!

Answers (2)

I totally agree and would like to add that for many people, the way their phones are set up to receive these "more secure" SMS codes, often there is a notification that appears on the front screen of a locked phone that shows the very code that allows full access, without having to log into the phone...

Sorry, my phrasing was bad. The issue is not actually that a phone number can be changed if an account is hacked, rather that it's far too easy to hijack cell phone accounts as part of taking over financially attractive on-line accounts. See this article for more information, if you're unfamiliar with the problem:

https://blog.vasco.com/authentication/sms-authentication/