Categories: Security

eBay ‘Downgrading’ Some Users’ Two-Factor Authentication

eBay has confirmed is asking users of its security key to switch to the use of text messages as a second login factor – a technique industry observers say is less secure.

“We’re going to make two-step verification more convenient by texting you a PIN instead of having to use your token,” eBay said in a message sent to users of the security key, which was issued by PayPal before its spin-off in 2015. “All you need is a mobile device.”

Users prompted to switch

The message is accompanied by a button prompting users to “switch”, but taking that step is currently optional.

eBay confirmed it was asking customers to use text-message authentication instead of the PayPal-issued token, calling it a “convenient” option.

“Our product team is constantly working on establishing new short-term and long-term, eBay-owned factors to address our customer’s security needs,” eBay said in a statement. “To that end, we’ve launched SMS-based two-factor authentication as a convenient two-factor authentication option for eBay customers who already had hardware tokens issued through PayPal.”

eBay said it is continuing to develop more multi-factor authentication options for its users and would provide more information when those offerings were ready for launch.

Security downgrade

Brian Krebs, an investigative journalist who has used the token since its launch in 2007 to log into both eBay and PayPal, said the move amounted to reducing users’ security.

“I found it remarkable that eBay, which at one time was well ahead of most e-commerce companies in providing more robust online authentication options, is now essentially trying to downgrade my login experience to a less-secure option,” he said in a blog post.

He noted that draft guidelines released by the US government’s National Institute for Standards and Technology (NIST) last year appeared to be phasing out the use of SMS-based two-factor authentication.

One-time codes sent via text message have become a popular way to improve online account security, but they’re vulnerable to interception, the NIST said.

Krebs said eBay appeared to be trying to move users to authentication methods it owns, following the PayPal spin-off.

eBay also supports Symantec’s VIP Security Key mobile application, but the company didn’t respond to a request for comment on whether that, too, was being phased out.

“I think I’ll keep my key fob and continue using that for two-factor authentication on both PayPal and eBay, thank you very much,” Krebs wrote.

Do you know all about security in 2017? Try our quiz!

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Ericsson To Cut 1,200 Jobs in Sweden Amid ‘Challenging’ Market

Swedish telecoms giant Ericsson blamed “challenging mobile networks market” and “further volume contraction” for job…

5 hours ago

FTX’s Sam Bankman-Fried Sentenced To 25 Years In Prison For $8bn Fraud

Dramatic downfall. Sam Bankman-Fried sentenced to 25 years in prison for masterminding $8bn fraud that…

6 hours ago

Elon Musk Orders FSD Demo For Every Tesla US Sale

Fallout avoidance? Tesla buyers in the US must be shown how to use the FSD…

7 hours ago

Amazon Pumps Another $2.75 Billion Into Anthropic

Amazon completes its $4bn investment into AI firm Anthropic, after providing an additional $2.75bn in…

8 hours ago

The Sustainability of AI

While AI promises unparalleled efficiency, productivity, and innovation, questions regarding its environmental impact loom large.…

11 hours ago

Trump’s Truth Social Makes Successful Market Debut

Shares in Donald Trump’s social media company rose about 16 percent after first day of…

12 hours ago