<h1>PayPal launches latest struggle to get rid of SMS for MFA</h1>
<p>Published 2026-02-20 at <a href="https://cybersecurityinfocus.com/?p=7200">cybersecurityinfocus.com</a>.</p>
<p>When PayPal started emailing customers this month that it was backing off unencrypted SMS for multifactor authentication (MFA) at login, it came with the typical approach-avoidance asterisk.</p>
<p>The financial services giant signaled that it was turning the page on the much-maligned authentication method while simultaneously offering no timeline and assuring customers SMS wouldn’t entirely go away — a curious strategy that could help it head off customer loss.</p>
<p>SMS has <a href="https://www.csoonline.com/article/566075/why-sms-banking-is-still-a-bad-idea.html">a long history</a> of <a href="https://www.csoonline.com/article/567203/why-unauthenticated-sms-is-a-security-risk.html">opposition from security executives</a>, who mostly point to how easily it can be sniffed and subjected to man-in-the-middle attacks, <a href="https://www.csoonline.com/article/4070281/clayrat-spyware-turns-phones-into-distribution-hubs-via-sms-and-telegram.html">among other weaknesses</a>. As a result, <a href="https://www.bitdefender.com/en-us/blog/hotforsecurity/google-drops-sms-gmail">Google has backed off SMS</a>, as have <a href="https://www.vissensa.com/blog/microsoft-mfa-microsoft-to-remove-sms-multi-factor-authentication/">Microsoft</a>, <a href="https://documentation.meraki.com/Platform_Management/Product_Information/Privacy%2C_Security%2C_Compliance/Overview_and_FAQ%3A_Cisco_Meraki_SMS_MFA_Deprecation">Cisco</a>, and even the <a href="https://www.bankinfosecurity.com/uae-central-bank-tells-fis-to-drop-sms-otp-authentication-a-28589">United Arab Emirates Central Bank</a>.</p>
<p>“SMS as an authentication factor is devil spawn and should be banned by an act of Congress,” says <a href="https://www.linkedin.com/in/gwlongsine/">Gary Longsine</a>, CEO at IllumineX, encapsulating the frustration of many security specialists.</p>
<p>Still, SMS remains, largely due to convenience: many business executives fear any change to MFA processes will be viewed as friction that could lead to customer loss or reduced engagement.</p>
<p>“They don’t want to lose users who won’t do anything other than SMS as a second factor,” says cybersecurity consultant <a href="https://formergov.com/directory/brianlevine">Brian Levine</a>, a former federal prosecutor who today serves as executive director of FormerGov. “Although app-based MFA is generally considered more secure than SMS-based MFA, not all users are willing to take the time to set up app-based MFA, so making it an absolute requirement tends to result in fewer conversions.”</p>
<p><a href="https://youattest.com/our-team/">Garret Grajek</a>, CEO of access certification firm YouAttest, has experienced this business unit pushback directly.</p>
<p>“We designed a very strong authentication and the CISO loved it, but the security teams did not want to push back against user requests” for unencrypted SMS, he says, adding that a business unit executive argued that the security boost “is going to cost us money.”</p>
<p>“I feel sorry for PayPal because they [are a victim of] the battles that go on in business units versus security. And security doesn’t always win,” he adds.</p>
<h2 class="wp-block-heading">Muddled effort, mixed messages</h2>
<p><a href="https://www.linkedin.com/in/fvillanustre/">Flavio Villanustre</a>, CISO for the LexisNexis Risk Solutions Group, says he’s “always found it odd” that PayPal still supports SMS as its default second authentication factor.</p>
<p>“Everyone in financial services and government has abandoned it for not being sufficiently secure and is moving to even phishing-resistant authentication, such as passkeys, Yubikeys,” he explains.</p>
<p>PayPal’s shift was announced via an email sent to some customers earlier this month. “Starting March 2026, we’ll start removing SMS codes [for login MFA] but they’ll still be available as part of our standard security checks,” PayPal’s email said.</p>
<p>PayPal’s “standard security checks” are triggered when its system, using behavioral analytics, flags a customer interaction as potentially fraudulent based on factors such as transaction size or deviation from historical patterns.</p>
<p>Still, Grajek finds PayPal’s decision to keep SMS in use for fraud checks odd. When the system flags a potential problem, he says, “you want to do a higher level [of authentication]. Why would you de-escalate [to a lower level of authentication]?”</p>
<p>PayPal’s customer email said the company would “start removing” SMS in March, but how long that process will take is unclear. Logistics is one factor: the notices are going to a global customer base of roughly 439 million people and businesses, and PayPal will batch them over an extended period.</p>
<p>PayPal will likely also assess customer reaction, giving itself flexibility by not committing to a firm end date. PayPal declined to comment on the record for this story.</p>
<p>PayPal’s email suggested that customers switch their MFA method to an authenticator app or a one-time-password-issuing fob, such as a FIDO2-compliant security key. Strangely, the email instructed security key users to “Put the device into your USB slot and you’re all set,” even though mobile devices communicate with keys via NFC or mobile connectors, not USB slots, and most users transact with PayPal via mobile devices.</p>
<p>The PayPal email also instructed customers to “update your verification method at paypal.com. Log in to your account and use the gear icon to go to security settings and update your 2-step verification.” The problem? When the email was received, that security page offered no direct way to make the change.</p>
<p>Customer service suggested to customers that they could deactivate MFA entirely and then reactivate it. That less-than-secure option did work, and the user was then able to make the change. Further testing revealed that a user could click the “add a new device” button, even with no intention of adding a new device, and that also presented a screen where the customer could change their MFA method.</p>
<p><a href="https://moorinsightsstrategy.com/team/melody-brue/">Melody Brue</a>, principal analyst for Moor Insights &amp; Strategy, says using SMS can still be valuable in some isolated situations, but that PayPal appears to be trying to have it both ways.</p>
<p>“It sounds to me that they are trying to soften the blow of saying ‘SMS isn’t safe enough.’ They are saying that you can’t use it to verify who you are unless we are worried that you are not you,” Brue says. “They are clearly actively inching away from SMS. They have to do that. They have to align with new standards. In financial services you don’t even want to mess around with” SMS.</p>
<h2 class="wp-block-heading">Financial cost of SMS may be final straw</h2>
<p>But Brue also pointed to another reason PayPal may be stepping back from SMS authentication: cost reduction. Sending SMS messages involves hard costs for PayPal, whereas telling customers to authenticate with a FIDO2 key or an authenticator app is free for the company.</p>
<p>The cost of an individual SMS message is low — for example, <a href="https://aws.amazon.com/sns/sms-pricing/">AWS charges a fraction of a penny</a> per message. But given that PayPal handles about 25 billion transactions a year, those fractions quickly add up.</p>
<p>Also, attackers test PayPal’s systems routinely “and they can trigger millions of SMS codes,” Brue adds. “For a company <a href="https://247wallst.com/investing/2026/02/13/paypal-stock-falls-31-as-new-ceo-inherits-execution-crisis/">under new leadership and especially margin sensitive right now</a>, sending millions of codes to bots that are not needed? That is an easy line to cut and it’s an OPEX win.”</p>
<p><a href="https://acceligence.com/talent/profiles/justin-greis/">Justin Greis</a>, CEO of consulting firm Acceligence and former head of the North American cybersecurity practice at McKinsey, says his main concern with SMS authentication is “<a href="https://www.csoonline.com/article/4022848/7-obsolete-security-practices-that-should-be-terminated-immediately.html">SIM swapping, SIM jacking</a> — we have seen that go up.”</p>
<p>“PayPal is one of the most spoofed and spammed emails out there,” he adds.</p>
<p><a href="https://www.linkedin.com/in/steveneric/">Steven Eric Fisher</a>, an independent cybersecurity and risk advisor who served as the director of cybersecurity, risk, and compliance for Walmart until August 2025, agrees about SMS’s many authentication drawbacks, dubbing SMS “a very low bar of protection.” But he is less enthusiastic than most about authenticator apps.</p>
<p>Authenticator apps “are only marginally better than SMS. Each has its own faults,” Fisher says. “FIDO2 is the best option from a security standpoint but end user adoption” may slow down because the customer has to pay for each FIDO2 device “as well as [experience] the difficulty placed on the user for the enrollment and use.”</p>