PayPal phasing out Symantec VIP Access

I tried to add a new virtual security key, provided by Symantec’s “VIP Access” smartphone app, to my PayPal account. However, it didn’t work as it used to work, by visiting this link. I only got an error message saying:

“We’re sorry. There’s been an intermittent communication problem. Please try again later.”

To me that sounds like PayPal’s portal needs to communicate with Symantec’s back-end for VIP Access, and there is something wrong.

So I wrote a message to PayPal support, and this is what I got:

“Since last year you only can use a mobilephone number for security keys. Old Keys produced by the VIP Access App still can be used but no new one can be registered. Sadly I have no timeframe how long you can use the registered app keys before they were invalid too.”

It is really very disappointing that they migrate away from this very secure and privacy-concious solution to an inferior one, because it is

  • privacy-intrusive (they require your mobile phone number to send you the one-time code) and
  • definitely less secure (mobile-phone based one-time codes have been demonstrated to be easily interceptable for skilled hackers!)

If you oppose this change, please approach PayPal and voice your concerns.

13 thoughts on “PayPal phasing out Symantec VIP Access”

    1. Thanks for letting me know.

      It’s indeed very interesting to learn that Symantec VIP access, when used with these one-time pins, is basically the same thing as the well-known standard solution we have all been using with Google Authenticator.

      But I think you may not be getting the point.

      My post is about registering new Symantec VIP keys (so it also applies to the alternative client solution you pointed to). And as the alternative client is just another client, the decommissioning of the back-end integration with Symantec’s solution will render all clients useless, regardless whether genuine Symantec VIP or alternative clients. 🙁

  1. I have just registered my Symantec Key on PayPal and it worked fine without any issues.
    I previously had another phone which I registered back at the end of 2017 and I now have a new phone which I just now registered which is also working using the Symantec App.
    Now sure how yours is not working.

    1. Interesting. Thanks very much for letting me know.

      Then obviously PayPal support lied to me, and my original suspect that a maximum of 10 keys can be registered seems to be true (as I currently have already 10 keys registered, and I’m trying to add another one). Strangely, you can only “deactivate” keys, but you can’t “delete” them. Maybe I need to ask support to delete the deactivated keys…

    2. Same here. I discovered this page while searching for a way to get VIP Access set up with PayPal on a new phone. I figure the link provided above wouldn’t get me anywhere, but I tried it anyway and it worked fine. So, thank you for that! Now I have both keys active, since I plan to keep my old iPhone 6 Plus around for a while.

      1. Glad to hear it works for you guys — but then it seems clear that “my” problem must be due to the number of keys I’ve registered. I’ve got “10”, which is not a typical number an IT guys would choose, but maybe some UX designer defined it…

        Anyway, I will continue to pester PayPal with it…

        Stay stuned…

  2. Hi Ralf, I have the same problem (and concerns as you). Did you get any further with PayPal on this issue? Regards, Clive.

    1. Hi Clive.

      PayPal Support now claimed they can’t delete security keys off my account. I’ve now asked again about the “intermittent communication problem” I’m constantly getting. Let’s see, maybe I reach a support guy with a clue…

      I’ll keep you posted…

      Kind regards,

      Ralf

  3. Ok, it is now clear that PayPal is not telling me the truth… 🙁

    Today I received a response from their support as follows:


    The only way of security verification that is still actively supported and serviced for German PayPal accounts is the security key reception via SMS.
    The old security key hardware can still be used if its has already been activated – but it cannot be replaced and cit cannot added anew.

    i just checked with my wife’s (GERMAN!) account that she still CAN add a new key to their account, so PayPal’s above statement is simply wrong. I’ve gotten in touch again with them, telling them about my finding, and asking them AGAIN to delete the disabled keys from my account so that I have less than 10, and can register a new key.

    Let’s see how the respond. I’m ready to escalate this to the media, because I’m sick of being treated like sh*t…

  4. I know this is not very helpful, but I just did a little experiment. I am also at 10 security keys, which includes a bunch of long-gone VIP serial numbers and a couple of mobile phone numbers. The experiment I did was to try to add another phone number.

    That failed with the error message “You’ve reached the maximum number of security keys. Remove a security key to add another.” But, as is well-known, there is no option to remove a security key. So, at least in the web app, 10 is some kind of limit.

    You can try this experiment yourself even if you don’t have an extra mobile number laying around. It fails before actually trying to send the security code SMS.

    1. Bill, actually this experiment is very helpful, as it a) confirms my suspicion, and b) gives me a way to put more pressure on PayPal, because using SMS-based 2FA is what they want me to use.

      FYI: I had escalated the case with PayPal (or at least I tried to do so by asking to involve a supervisor). The response I now got for the first time admits there’s a deliberate maximum of 10:

      “It is still possible to register VIP access security keys. Each PayPal account has a maximum of 10 keys. We can’t delete deactivated keys. Due to that you can’t register new keys in your account.”

      I’ve asked them to involve 3rd-level support to manually delete the keys from the database. Let’s see what they respond…

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.