When PayPal started emailing customers this month that it was backing off unencrypted SMS for multifactor authentication (MFA) at login, it came with the typical approach-avoidance asterisk.

The financial services giant signaled that it was turning the page on the much-maligned authentication method while simultaneously offering no timeline and assuring customers that SMS wouldn’t entirely go away — a curious strategy that may be intended to limit customer loss.

SMS has a long history of opposition from security executives, who mostly point to how easily SMS codes can be sniffed or intercepted in man-in-the-middle attacks, among other weaknesses. As a result, Google has backed off SMS, as have Microsoft, Cisco, and even the United Arab Emirates Central Bank.

“SMS as an authentication factor is devil spawn and should be banned by an act of Congress,” says Gary Longsine, CEO at IllumineX, encapsulating the frustration of many security specialists.

Still, SMS remains in use, largely for convenience: many business executives fear that any change to MFA processes will be seen as friction that could cost customers or reduce engagement.

“They don’t want to lose users who won’t do anything other than SMS as a second factor,” says cybersecurity consultant Brian Levine, a former federal prosecutor who today serves as executive director of FormerGov. “Although app-based MFA is generally considered more secure than SMS-based MFA, not all users are willing to take the time to set up app-based MFA, so making it an absolute requirement tends to result in fewer conversions.” 

Garret Grajek, CEO of access certification firm YouAttest, has experienced this business unit pushback directly.

“We designed a very strong authentication and the CISO loved it, but the security teams did not want to push back against user requests” for unencrypted SMS, he says, adding that a business unit executive argued that the security boost “is going to cost us money.”

“I feel sorry for PayPal because they [are a victim of] the battles that go on in business units versus security. And security doesn’t always win,” he adds.

Muddled effort, mixed messages

Flavio Villanustre, CISO for the LexisNexis Risk Solutions Group, says he’s “always found it odd” that PayPal still supports SMS as its primary second authentication factor.

“Everyone in financial services and government has abandoned it for not being sufficiently secure and is moving to even phishing-resistant authentication, such as passkeys, Yubikeys,” he explains.

PayPal’s shift was announced via email sent to some customers earlier this month. “Starting March 2026, we’ll start removing SMS codes [for login MFA] but they’ll still be available as part of our standard security checks,” PayPal’s email said. 

PayPal’s “standard security checks” come into play when its system, using behavioral analytics, flags a customer interaction as potentially fraudulent based on factors such as transaction size or deviation from historic patterns.

Still, Grajek finds PayPal’s decision to keep SMS in use for fraud checks to be odd. When the system flags a potential problem, he says, “you want to do a higher level [of authentication]. Why would you de-escalate [to a lower level of authentication]?”

PayPal declined to comment on the record for this story, but a PayPal official did discuss elements of the company’s SMS decision under the condition of not being identified. 

PayPal’s customer email said the company would “start removing” SMS in March, but how long that process will take is unclear. Logistics is one factor, as these communications are going to a global customer base of roughly 439 million people and businesses. “We will batch it out over a long time,” the PayPal official stated.

PayPal will likely also assess customer reaction, giving itself flexibility by not committing to a firm end date.

PayPal’s email suggested that customers switch their MFA method to an authenticator app or a one-time-password-issuing fob, such as a FIDO2-compliant security key. Strangely, the email instructed security key users to “Put the device into your USB slot and you’re all set,” even though mobile devices communicate with security keys via NFC or mobile connectors rather than USB slots, and most users transact with PayPal via mobile devices.

The PayPal email also instructed customers to “update your verification method at paypal.com. Log in to your account and use the gear icon to go to security settings and update your 2-step verification.” The problem? When the email was received, that security page offered no direct way to make the change. 

Customer service suggested to customers that they could deactivate MFA entirely and then reactivate it. That less-than-secure option did work and the user was then able to make the change. Further testing revealed that a user could click the “add a new device” button, even if they had no intention of adding a new device. That also presented a screen where the customer could change their MFA method. 

Melody Brue, principal analyst for Moor Insights & Strategy, says using SMS can still be valuable for some isolated situations, but that PayPal appears to be trying to have it both ways.

“It sounds to me that they are trying to soften the blow of saying ‘SMS isn’t safe enough.’ They are saying that you can’t use it to verify who you are unless we are worried that you are not you,” Brue says. “They are clearly actively inching away from SMS. They have to do that. They have to align with new standards. In financial services you don’t even want to mess around with” SMS.

Financial cost of SMS may be final straw

But Brue also referred to another reason PayPal may be stepping back from SMS authentication: cost reduction. Sending SMS messages involves hard costs for PayPal, whereas telling customers to authenticate with a FIDO2 key or an authenticator app is free for the company.

The cost of individual SMS messages is low — for example, AWS charges a fraction of a penny for each message. But given that PayPal handles about 25 billion transactions a year, those fractions quickly add up.

Also, attackers test PayPal systems routinely “and they can trigger millions of SMS codes,” Brue adds. “For a company under new leadership and especially margin sensitive right now, sending millions of codes to bots that are not needed? That is an easy line to cut and it’s an OPEX win.”

Justin Greis, CEO of consulting firm Acceligence and former head of the North American cybersecurity practice at McKinsey, says his main concern with SMS authentication is “SIM swapping, SIM jacking — we have seen that go up.”

“PayPal is one of the most spoofed and spammed emails out there,” he adds.

Steven Eric Fisher, an independent cybersecurity and risk advisor who served as the director of cybersecurity, risk, and compliance for Walmart until August 2025, agrees about SMS’s many authentication drawbacks, dubbing SMS “a very low bar of protection.” But he is less enthusiastic than most about authenticator apps. 

Authenticator apps “are only marginally better than SMS. Each has its own faults,” Fisher says. “FIDO2 is the best option from a security standpoint but end user adoption” may slow down because the customer has to pay for each FIDO2 device “as well as [experience] the difficulty placed on the user for the enrollment and use.” 
