Set up a new Security Key with PayPal

Tue, 30/10/2018 - 17:09 -- James Oakley
Symantec VIP

Two Factor Authentication

Two factor authentication (2FA) is a good thing.

A password is secure, as far as it goes. In theory only you know it, so only you can log in.

But if someone else learns your password, they can log in too. So you add a second factor: as well as something you know (your password), you need something you have in order to log in. That may be your mobile phone, or a small gadget that generates a passcode.

This is an especially good idea for any website that may cost you something - mobile banking, for example.

SMS versus Apps

Some websites use SMS text messages for this - they text a code to your mobile phone, and you enter that code after your password. This is good as far as it goes. But you have to have mobile signal for the text message to arrive. You have to wait for it (and, from experience, some websites routinely take up to 5 minutes). And the banking industry is moving away from SMS for 2FA, because it has been shown to be vulnerable to interception and diversion attacks, most notably so-called "SIM-swap fraud", where an attacker persuades your mobile provider to move your number onto a SIM they control.

So most websites also let you use an app that generates a fresh code every 30 seconds (the TOTP standard, RFC 6238). When you enrol a new website with the app, the website generates a secret key that it shares with your app. You either type it in by hand or scan a QR code. The app stores that secret and combines it with the current time, rounded down to a 30-second step. Passed through a keyed hash (HMAC) and truncated, that gives the six-digit code you enter after your password. The website does the same calculation with its copy of the secret and lets you in if the two codes match.
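To make the mechanism concrete, here is an added example (not code from the original post, and not any vendor's implementation) of the calculation both sides perform. It parses the kind of otpauth:// URI a QR code carries, derives the code with HMAC-SHA1 as RFC 4226/6238 specify, and shows the server-side check with a small clock-drift window. The secret is the RFC 6238 test-vector key and the URI, site name and address are constructed for the example.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import urlparse, parse_qs, unquote

# The RFC 6238 test secret "12345678901234567890" (ASCII), base32-encoded as it
# would appear in a QR code. Constructed for this example, not a real account secret.
EXAMPLE_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()
# A constructed otpauth URI of the kind an authenticator app scans.
EXAMPLE_URI = (
    "otpauth://totp/ExampleSite:alice%40example.org"
    f"?secret={EXAMPLE_SECRET_B32}&issuer=ExampleSite&digits=6&period=30"
)


def parse_otpauth_uri(uri):
    """Pull the shared secret and parameters out of an otpauth:// URI."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    query = parse_qs(parts.query)
    return {
        "label": unquote(parts.path.lstrip("/")),
        "secret": query["secret"][0],
        "digits": int(query.get("digits", ["6"])[0]),
        "period": int(query.get("period", ["30"])[0]),
    }


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    # Base32 is case-insensitive and URIs often drop the '=' padding; restore it.
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, unix_time, digits=6, period=30):
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret_b32, int(unix_time) // period, digits)


def verify_totp(secret_b32, candidate, unix_time, digits=6, period=30, window=1):
    """Server-side check: accept the current step and `window` steps either side
    to tolerate clock drift, comparing in constant time so digits do not leak."""
    step = int(unix_time) // period
    for delta in range(-window, window + 1):
        expected = hotp(secret_b32, step + delta, digits)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    params = parse_otpauth_uri(EXAMPLE_URI)
    now = time.time()
    code = totp(params["secret"], now, params["digits"], params["period"])
    print(f"{params['label']}: current code {code}")
    print("verifies:", verify_totp(params["secret"], code, now))
```

Note what the shared secret buys you: anyone who has it (the website, your app, or someone who photographed the QR code) can produce valid codes, so the secret deserves the same care as the password. A real server should also record the last step it accepted so a code cannot be replayed within the window.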

The two most popular apps for this on Android are Authy and Google Authenticator.

Enter PayPal

PayPal doesn't use the standards that work with these authentication apps.

They used to offer you the chance to use a physical authentication key instead, where you press a button and it generates a unique code. But why would they force you to buy a physical token when an app works just as well?

But there was another way to do this. You could install the Symantec VIP app instead. When you run it on your phone, it displays a unique serial number, and generates a 6-digit code every 30 seconds. This will do as a security token as far as PayPal is concerned - you can use that serial number and those 6 digit codes just as you'd use the corresponding things on a physical token.

At least, you could. Until PayPal moved to a new web interface. Now, you add 2FA by going to Settings > Security > Security Key - and the only option you're given is to add a mobile phone number.

So that's it? SMS or nothing?

The workaround

Not quite.

Step 1: Log in to your PayPal account as normal. Make sure you check the box to stay logged in, if you're given the option.

Step 2: Visit this link: https://www.paypal.com/us/cgi-bin/webscr?cmd=_setup-security-key

Step 3: You'll be taken to the old-style PayPal screen for adding either a mobile phone or a security key. Choose "security key", and you can still set up a physical security key or the Symantec VIP app, just as you used to be able to.

At least, it works for the time being.

Hopefully PayPal won't disable this, not until they finally support the same authentication app protocols as every other website I use.
