PayPal's 2FA Stopped Working for Weeks. Here's the 4-Minute Check to Verify Yours.
TL;DR - A security researcher discovered this week that PayPal was silently skipping the two-factor authentication step entirely. Correct username, correct password, and you were in. No code required. The toggle was on. It just was not doing anything. The same week, McDonald's hiring platform was found running on the password 123456 and a cPanel zero-day was actively being exploited. The pattern is identical: security feature visible, security feature broken, nobody noticed. Below: a 4-minute check that verifies 2FA on any account is actually working, plus what to do if you find one that isn't.
I was making coffee Tuesday morning and the PayPal 2FA bypass story hit my feed.
A security researcher had been able to log into PayPal accounts using only the correct username and password. No SMS code. No authenticator prompt. The accounts had 2FA enabled. The settings page showed it. The toggle was on. The login flow simply was not enforcing it. PayPal patched the issue within a few days of disclosure, but the silent gap had been there for weeks before anyone noticed.
Same week, two more stories with the same shape. McDonald's hiring platform McHire was running on the password 123456, protecting 64 million applicant records since 2019. cPanel - the control panel that runs millions of small-business websites - had a zero-day actively being exploited.
The common thread is not sophisticated hacking. It is that the security feature was present on paper and broken in practice, and nobody verified it.
This post is about the verification step. It takes four minutes per account. It is not paranoid. It is the only way to know whether the toggle you flipped six months ago is actually doing anything.
Why "I have 2FA enabled" is not the same as "2FA is working"
When you turn on 2FA, three things have to happen for the security to actually function:
- The setting gets saved to your account profile (the toggle).
- The login flow checks the setting on every login attempt.
- The verification step (SMS, authenticator app, hardware key) actually completes successfully before granting access.
Step 1 is what you can see in the settings page. Steps 2 and 3 are invisible to you unless you specifically test them. The PayPal failure was at step 2 - the system was reading the setting but not enforcing it. The McHire failure was at step 1 (no 2FA at all, just a default password).
The only way to confirm all three steps work is to trigger a 2FA challenge and watch what happens. Not check the toggle. Trigger the flow.
The 4-minute verification check
Do this for every account where a breach would actually hurt you. Banking, email, password manager, cloud storage, payment platforms, and your work identity provider are the priority list.
1. The fresh-browser login test (60 seconds)
Open a private/incognito browser window. Go to the account login page. Enter your correct username and password.
You should see a 2FA prompt before you reach the dashboard. Authenticator code, SMS code, hardware key tap, push notification - whichever method you set up.
If you go straight to the dashboard without a 2FA prompt, your 2FA is either disabled or broken. This is exactly what PayPal users were experiencing this week. Do not trust the settings page; trust what the login flow actually does.
2. The wrong-code test (60 seconds)
If you got the 2FA prompt, type a deliberately wrong code (six random digits or a stale code from earlier in the day).
You should be rejected with an error and prompted to try again. If a wrong code lets you through, the 2FA enforcement is broken even though the prompt rendered. This is rare but worth catching.
3. The recovery-code accessibility check (60 seconds)
Find your account's saved 2FA recovery codes. They should be stored somewhere safe and accessible (password manager, printed copy in a safe). If you cannot find them in 60 seconds, you have a future-you problem - the moment your phone is lost or stolen, you are locked out of the account.
If you do not have recovery codes saved, generate fresh ones now. Most platforms regenerate them on demand from the security settings.
4. The recovery-method audit (60 seconds)
Check what recovery methods are listed on the account. Email, phone number, backup email, recovery questions.
Three things to verify here:
- The recovery email is one you currently control (not a deprecated address from a previous job).
- The recovery phone is a number you currently use (not a SIM you cancelled three years ago).
- Recovery security questions, if present, do not have answers that are publicly findable on your social media.
A weak recovery path is what defeats strong 2FA in practice. Attackers do not break the 2FA - they trigger an account-recovery flow that bypasses it.
Account-specific quirks worth knowing
Not every platform behaves the same way. Three to call out specifically:
PayPal is the one that broke this week, and even after their patch I would re-test in incognito to confirm. Worth doing the same on Stripe, Square, and any payment processor you use.
Email accounts (Gmail, Outlook, Fastmail, ProtonMail) are the highest-stakes 2FA target you have, because email is the recovery vector for everything else. Test these first. Also check your "trusted devices" list and remove anything you do not recognise or no longer use.
Banking and superannuation in Australia tend to use SMS 2FA, which is the weakest of the common methods (SIM-swap attacks). If your bank offers an authenticator-app option, switch to that. If they only offer SMS, make sure your carrier has a SIM-swap PIN set on the line.
What to do if you find your 2FA is not working
You have two options, in order of urgency:
1. Disable and re-enable. On the affected account, turn 2FA off, log out, log back in (you should now log in with just password - that is the broken state confirmed), then turn 2FA back on with a fresh setup. Re-test using the four-minute check. This often fixes the broken-state bug because it forces the platform to re-link your authenticator.
2. Change the password. If 2FA was not enforcing for a period of weeks (PayPal-style), assume an attacker could have logged in during that window. Change the password to something fresh, sign all sessions out, and watch the account for unfamiliar activity for the next 30 days.
For high-stakes accounts, also check the login activity log for any sessions you do not recognise. Most modern platforms surface this under "Security" or "Recent activity".
Hygiene habits that prevent the problem upstream
Beyond per-account verification, three habits stop most 2FA failures from mattering:
Use an authenticator app, not SMS, wherever possible. Authenticator apps (Google Authenticator, Authy, 1Password's built-in TOTP, your password manager's TOTP) generate codes locally and survive a SIM swap. SMS codes do not.
Use a hardware key on the highest-stakes accounts. YubiKeys and Apple's hardware-key support are still the strongest 2FA option. They cost about $50 and they completely defeat phishing-based 2FA bypasses (because the key only authenticates to the real domain).
Rotate the four-minute check quarterly. Set a calendar reminder. Once every three months, run the check across your top 10 accounts. The check itself takes 40 minutes for 10 accounts. The damage from one missed broken-2FA gap is years of cleanup.
The mental shift
Most people treat 2FA as a one-time setup task. You enable it, see the toggle is on, move on. The PayPal incident this week proves that is not enough. Security features can break invisibly. The toggle being on tells you what was configured; the login flow tells you what is enforced.
If you only do one thing differently after reading this, run the fresh-browser login test on your email account in the next ten minutes. If you go straight to the inbox without a 2FA prompt, the setting is not doing what you think it is doing - and email is the master key to nearly everything else you own.
FAQ
How can a major company like PayPal silently break its own 2FA?
Login flows are usually a chain of conditional checks: read the user record, check whether 2FA is enabled, route to the correct verification method, check the verification result. A code change to any one step can short-circuit the chain. Modern auth systems are tested heavily, but no test suite catches every configuration combination, and platforms ship changes constantly. The PayPal break was a regression in its authentication code that its automated tests did not catch for as long as the bug was live.
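To make the three-step chain from "Why 'I have 2FA enabled' is not the same as '2FA is working'" and the short-circuit described in this answer concrete, here is an added toy login flow (example code written for this post, not PayPal's or any vendor's implementation). It places a regressed flow that reads the toggle but never enforces it beside a fixed flow, then runs the fresh-browser and wrong-code checks against both. The `User` record, its fields and the sample code value are constructed for the example.

```python
import hmac
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample account: a real system stores a password hash and a TOTP
# seed; the control flow below is what this example is about.
@dataclass
class User:
    username: str
    password: str
    mfa_enabled: bool = False   # step 1: the toggle saved on the profile
    mfa_code: str = ""          # the code the verifier expects right now

def verify_code(user: User, code: str) -> bool:
    # Step 3: the verification step itself, with a constant-time compare.
    return hmac.compare_digest(user.mfa_code, code)

def login_regressed(user: User, password: str, code: Optional[str]) -> str:
    """The PayPal-shaped bug: the setting is read but nothing acts on it."""
    if password != user.password:
        return "denied"
    requires_mfa = user.mfa_enabled   # step 1 is consulted...
    return "granted"                  # ...but step 2 never routes to a challenge

def login_fixed(user: User, password: str, code: Optional[str]) -> str:
    """All three steps: toggle read, challenge enforced, result checked."""
    if password != user.password:
        return "denied"
    if user.mfa_enabled:
        if code is None:
            return "challenge"        # step 2: demand the second factor
        if not verify_code(user, code):
            return "denied"           # step 3: a wrong code must not pass
    return "granted"

def four_minute_check(login: Callable, user: User) -> list:
    """Checks 1 and 2 from the post, run against a login function.
    Returns a list of findings; an empty list means 2FA is enforced."""
    findings = []
    # 1. fresh-browser login: correct password, no code offered yet
    if login(user, user.password, None) != "challenge":
        findings.append("no 2FA prompt on fresh login")
    # 2. wrong-code test: a deliberately wrong code must be rejected
    if login(user, user.password, "000000") == "granted":
        findings.append("wrong code accepted")
    return findings

if __name__ == "__main__":
    alice = User("alice", "correct horse", mfa_enabled=True, mfa_code="492817")
    print(four_minute_check(login_regressed, alice))  # both findings
    print(four_minute_check(login_fixed, alice))      # []
```

The same harness, pointed at a real login endpoint instead of a local function, is what the four-minute check does by hand: it trusts the observed flow, not the toggle.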
Is SMS-based 2FA worth using if it is the only option?
Yes - any 2FA is dramatically better than no 2FA. SMS is the weakest of the methods because of SIM-swap risk, but it still defeats most credential-stuffing attacks. If a service only offers SMS, enable it. Then ask the service when authenticator-app support is coming. If you have a bank that only offers SMS, set a SIM-swap PIN with your carrier as a compensating control.
What is the difference between 2FA and passwordless authentication?
2FA is two-step: password plus a second factor. Passwordless authentication is one-step: a hardware key, biometric, or magic link replaces the password entirely. Passwordless options (passkeys, FIDO2 hardware keys, Apple/Google passkeys) are stronger than password+2FA when the platform supports them, because there is no password for an attacker to phish. Adopt passwordless on any account that offers it - email, password manager, banking are the priority list.
Should I use the same 2FA method across all my accounts?
Use authenticator app for most accounts (consistency). Use a hardware key for your password manager, email, and any cloud admin account (highest stakes). Avoid SMS where you have a choice. The reason for variation is risk-tier: a hardware key on every account would be ideal but most people will not maintain it consistently; authenticator-app default is the best practical compromise.
Can attackers bypass 2FA with a phishing attack?
Yes for SMS and authenticator-app codes (the attacker proxies the login through their own page in real time and captures the code). No for hardware keys with FIDO2 (the key only authenticates to the real domain - the phishing site fails). Modern phishing kits (the AiTM family) routinely defeat authenticator-app 2FA. This is why hardware keys matter for high-stakes accounts.
How often should I re-test 2FA on my accounts?
Quarterly for the top 10 most-important accounts (email, password manager, banking, cloud, payment processors, work identity). Annually for everything else with 2FA. Whenever a major news story breaks about a platform you use silently breaking 2FA - those are the moments worth running the check immediately.
What if my account does not offer 2FA at all?
That is the McHire situation - 64 million records sitting behind a default password because the platform never offered 2FA in the first place. Your options are: pressure the platform via support tickets and public posts, use a unique long password generated by a password manager (so the account is at least not credential-stuffed), and minimise the data you put into accounts that lack 2FA. If it is a critical account (banking, identity), consider whether the platform's lack of 2FA is a reason to switch providers.
If this was useful, the Secure In Seconds newsletter covers one specific story like this every Thursday. Practical, calm, no fear-mongering. Just the thing to do this week.
Stay safe out there.