Two-factor authentication means something very specific these days: it is a secondary identity check at the point of every login, or every new login, that is intended to be a user-controlled identity confirmation over and above a username and password. “Their 2FA, which is called ‘Authflow’ on PayPal, is normally triggered when a user logs into their account from a new device, location or IP address.” Unfortunately for CyberNews, they described this as “two-factor authentication,” saying the team “was able to bypass PayPal’s phone or email verification, which for ease of terminology we can call two-factor authentication (2FA).” In essence, it would work with phished credentials just as well as with stolen ones, and it links back to that bypassing of the system checks at the login point of the process. Essentially, they claim to have intercepted the backend data from the login process to prevent the backend system from challenging the login attempt. CyberNews claims (and the company showed me a demonstration) that it can successfully log in to an account using basic credentials on a new computer.