PayPal’s Help Center - Technical Support post shows how Passkeys work on its platform and how users can add new security devices, this covers both iOS and Android but also desktop systems too. It also goes into more detail on what to do when you’ve lost your device, and much more.
TL;DR: As of 26th May 2023, PayPal only supports external security “Passkeys” keys (such as Yubikeys) for two-factor authentication. Passkeys on mobile devices like iOS or Android still do NOT work, even though you can register one. I am based in the UK, but US users have also experienced these same issues.
Registering a device
To register a Passkey log-in into your PayPal account and go to Account Profile, then Security and 2-step verification, select update. You will then be presented with this browser window:
Out of the two options:
Use a phone or tablet or
USB security key. I opted to use my iPhone as a security device, since Apple introduced support for Passkeys in iOS 16. A QR code is presented where users use their device’s camera to save to their iCloud account.
Note: The QR code disappears almost immediately, making it really difficult to add a Passkey to a mobile device in the first place. I did manage to add it to my iPhone running (iOS 16.5) but only after several attempts.
Upon “successful” registration, you’ll receive a confirmation email that a new FIDO key has been enrolled to your account. And that you will need to use this option moving forward.
Trying to log-in
I tried three attempts using a security key to log-in:
- a desktop (MacBook Air running macOS 12.6.5)
- a mobile device (iPhone 12 running iOS 16.5)
- a Yubikey 5C
On my MacBook Air, after entering my username and password I needed to select Try another way on the 2FA page, as I have not selected the Passkey as the default option.
What I expect is my security device (iPhone) to get some kind of notification regarding the authentication request. Instead, I get browser dialog which states “Insert your security key and touch it” and no other options. This request will ultimately time-out and fail.
I am forced to cancel this authentication request and use my Authenticator app instead.
Trying to log-in using my iPhone (Safari), again much like the previous authentication steps. But this time I get an error stating security keys are only supported on “Desktop devices”, even though I can register one.
Registering a Yubikey was straight forward, and the log-in process worked well. This was the only option that worked successfully.
PayPal community discussions
A post on the PayPal’s community discussion forum shows other users experiencing the exact same issue. Most are able to register a security device (iPhone) but can’t actually use it for log-ins. Others are unable to find the settings.
There are other posts just like the above.
A few slow responses from PayPal moderators suggest the Passkey feature is only being rolled out in the US, however several users from the US are also experiencing the same problems.
PayPal is probably well aware of this issue but doesn’t seem to be taking action on the matter. It’s also very confusing for users since PayPal publishes these types of press releases (from March 2023). But after testing it clearly has issues and not just users in the UK but the US too.
I can confirm that PayPal only support Yubikey type security devices as Passkeys. But if you don’t have one then I’d just stick to using an authentication app. Maybe this will get sorted in the future, but who knows.