How To use TOTP with your PayPal account

There is already a fantastic guide on Medium which shows you how to use PayPal together with Time-based One-Time Passwords (TOTP). Sadly it’s outdated, so I decided to write an updated and tested guide of my own.


What is TOTP and why should you use it?

A time-based one-time password (TOTP) is a temporary passcode, generated by an algorithm, for use in authenticating access to computer systems. The specifications are given in RFC 6238.

The algorithm that generates each password uses the current time of day as one of its inputs, ensuring that each password is unique to its time window. Time-based one-time passwords are commonly used for two-factor authentication and have seen growing adoption by cloud application providers such as GitHub, Mozilla or Google. In two-factor authentication scenarios, the end user (you) must enter a traditional, static password and a TOTP to gain access. KeePassX and its forks usually support TOTP via plugins or even natively.

Time-based one-time passwords provide additional security because even if a user’s traditional password is stolen or compromised, an attacker cannot gain access without the current TOTP, which changes every 30 or 60 seconds.

Requirements

  • A TOTP-generating app, e.g. KeePassXC for desktop or andOTP on Android.
  • A running Linux machine connected to the internet. A virtual machine or a live CD works great, since you won’t have to clean up anything after you’re finished.

Enabling TOTP

  • You need python-pip, git and qrencode – the command to install them depends on your OS; on Ubuntu it’s: sudo apt install python-pip git qrencode
  • Clone this repository – it includes fixes for the issues that prevent the original “vipaccess” package from working, and has some other improvements: git clone https://github.com/dlenski/python-vipaccess.git
  • Now enter the directory that got pulled: cd python-vipaccess
  • Install vipaccess; this will install all of its dependencies via pip as well: pip install . Python (2.7+) usually comes with pip already (you can select/unselect it during the installation).
  • Since we’re not installing the package as superuser, vipaccess won’t be on PATH, but that’s fine. Go back to your home folder: cd ..
  • Generate your token – you need an active internet connection: .local/bin/vipaccess provision -p -t VSMT
  • The command should succeed.


Copy the otpauth:// URL from its output.


For mobile use, generate a QR code, replacing otpauth://XXX with the otpauth:// URL you just copied: qrencode -o qr.png 'otpauth://XXX'


This produces qr.png in your home directory. You can scan this QR code with any TOTP-compatible app; I recommend andOTP for Android. If you want to generate the tokens on a desktop PC, you can use KeePassXC. The secret is included in the otpauth:// URL: it is the value that follows secret=.

Finally, copy the ID that starts with VSMT.


  • Log into your PayPal account, then visit: https://www.paypal.com/webscr?cmd=_setup-security-key
  • Select “Activate your security key”.
  • Paste the ID that starts with VSMT into the serial number field.
  • Paste two consecutive tokens generated by your TOTP app into the following fields.
  • Be sure to reset the VM or shut down the live disk afterwards, since your secret is still in the clipboard and in the shell history.

Closing Words

The entire process doesn’t take more than 20 minutes. It’s really easy to improve the security of your PayPal account this way.
