Why am I only allowed to create one security device for 2 factor authentication?

bpip
Contributor

I want to utilize TWO Yubikeys so that I have a backup in case one is lost/stolen/breaks/etc. This is a VERY standard practice when using physical security devices like Yubikeys and as far as I've found, PayPal is the only service I'm using at the moment that hasn't allowed me to pair a second YubiKey with my login for 2 factor authentication means.

Am I missing something? Is there in fact a way to utilize a second key? I click on "add new device" just like before, but now I'm only presented the option of adding a phone number for SMS verification instead of the ability to pair a second physical security device... 

55 REPLIES

Diekion
New Community Member

+1 Paypal, please, solve this.

ticktock350
Member

Bumping this. It's important to allow for more than one hardware token as that is best practice for any such device. Many users have at least two for this reason. I'd hope that support for more than one is added soon. Most companies that allow you to use these allow for their users to have more than one.

ewenbell
Member

+1

One key is useless. They've done the work to enable keys already, just need to recognise the basic requirement for more than one.

Haulien
Contributor

As per the title, is it possible to add more than 1 security key? So far, you can add a TOTP 2FA (e.g. Google Auth) option, and a single security key as backup. Is there a way to add a second (or third, fourth, etc.) security key to PayPal? Extras are always good and I fail to see why the limit is 1.

+1

It's common practice to enroll multiple security keys for redundancy and high-availability. For example, iCloud requires a minimum of two keys. FIDO2 keys are more secure and phish-resistant than 6-digit authenticator apps. PayPal is the only site I've encountered so far with this limitation.

Please stop creating an unnecessarily insecure (fall back to auth app) and inconvenient (max 1 FIDO) workflow for your users. You've already written the FIDO2 support code - just let us enroll additional keys.

lcmarincek
Contributor

PayPal absolutely didn't get the essence of security keys. They just want to say "PayPal supports security keys", just because it sounds fashionable. Supporting one security key and forcing the user to adopt TOTP as backup (or even worse, use the security key as backup to TOTP) is like closing a window for security reasons and leaving the one beside it open.

BuskJan
New Community Member

@paypal

I would appreciate it if someone from PayPal could give some input in this thread. Not following common security practices is a bit scary when you are a company handling monetary transactions.

radanskoric
New Community Member

Just to add another comment to this thread. I went to set up 2FA on my PayPal account and was confused because I couldn't find a way to add a second YubiKey. As people have pointed out many times, this is extremely standard practice. PayPal is the first service I have used that doesn't support this.

If someone told me that PayPal doesn't support this I would not believe them and think they must have missed it in the UI.

If any PayPal moderator is reading this, you should know that the fact that this thread has existed for so long should be a point of shame for the entire company.

fly_caparazzi
New Community Member

Another one adding my voice here.

PayPal is the only website I've come across that accepts WebAuthn but only allows you to register one key, and requires TOTP as backup.

I've got multiple Yubikeys, exactly so that the spare ones are backups. Requiring TOTP as backup basically means you might as well not support security keys.

I decided to just use a TOTP app and not to register my security keys with PayPal.

LDWilliams
Contributor

Yubikey is one of The top security keys, PayPal is one of The top online payment methods. 

The two Should go hand in hand. 

PayPal Should be supporting us with as much security as its customers require, otherwise it might just find itself being turned away from. 

Companies that do Not move with the times get left behind eventually. 
