
I'm glad this was found independently and reported. While I was at PayPal I had started email threads about it but nothing was done. I am sure I was not the only one there who "discovered" this. For instance, even if you have 2FA you can add PayPal to Uber as if you never had 2FA.

The other big issue with their 2FA authentication is that it really isn't two factor. You can say you don't have the token and instead can answer security questions. Two factor is supposed to be something you know plus something you have. "Falling back" to security questions is basically just relying on things you know.



I would think that, if you have a big fraud-detection engine like PayPal's in place, 2FA isn't so much an enforced requirement for login, as it is a big fraud-signal when the user chooses to circumnavigate it.

Like any other fraud-signal, though, it can be countered with enough evidence that you are who you say you are--with security questions at a weak level (maybe enough to counter a 2FA token that was only set up a few days ago), or with demands for scanned photo ID at a higher level (if you use 2FA all the time).


If there is no legitimate reason to circumnavigate 2FA, i.e. the S/N of detecting fraud by detecting circumnavigation is 1.0, why not just automate the anti-fraud enforcement and make the circumnavigation impossible?


Yes, I've contacted PayPal before and asked them for a user setting to be able to disable the 2FA fallbacks, but they don't really seem to care that much for security. I hope someone from PayPal Security team reads this and considers implementing this change.
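As an added illustration of the two points raised above (a security-question fallback is still "something you know", so it does not make a second factor; and a fallback can either be a hard-blocked path or a fraud signal that routes to review), here is a small policy evaluator. It is example code written for this thread, not any commenter's code and not PayPal's. The per-account `allow_fallback` setting, the credential names and the scores are all assumptions made up for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


# Which category each credential type proves. Security questions are
# knowledge, the same category as the password, so they never add a factor.
# Credential names are constructed for this example.
FACTOR_CATEGORY = {
    "password": Category.KNOWLEDGE,
    "security_questions": Category.KNOWLEDGE,
    "totp_token": Category.POSSESSION,
    "hardware_key": Category.POSSESSION,
    "fingerprint": Category.INHERENCE,
}


@dataclass
class Account:
    enrolled_in_2fa: bool
    allow_fallback: bool       # hypothetical per-account setting, not a real PayPal option
    token_age_days: int = 365  # how long the second factor has been enrolled


@dataclass
class Decision:
    outcome: str      # "allow", "review" or "deny"
    fraud_score: int  # 0..100; assumed scale, only meaningful for "review"
    reason: str


def distinct_categories(credentials):
    """Set of factor categories actually proven by the presented credentials."""
    return {FACTOR_CATEGORY[c] for c in credentials}


def is_true_two_factor(credentials):
    """Two factors means two distinct *categories*, not two credentials."""
    return len(distinct_categories(credentials)) >= 2


def evaluate_login(account, credentials):
    """Decide a login (or a sensitive account change, e.g. linking a third-party app)."""
    if not account.enrolled_in_2fa:
        return Decision("allow", 0, "account is single-factor by choice")
    if is_true_two_factor(credentials):
        return Decision("allow", 0, "two distinct factor categories presented")
    # From here on the user has fallen back to knowledge-only proof.
    if not account.allow_fallback:
        # Hard enforcement: the bypass path simply does not exist for this account.
        return Decision("deny", 100, "fallback disabled for this account; second factor required")
    # Fallback permitted: treat it as a fraud signal rather than a pass.
    # A factor enrolled only days ago is weaker evidence, so its absence is less suspicious.
    score = 40 if account.token_age_days < 7 else 90
    return Decision("review", score, "knowledge-only fallback used; route to manual verification")


if __name__ == "__main__":
    fallback = ["password", "security_questions"]
    for acct in (Account(True, False), Account(True, True, token_age_days=3), Account(True, True)):
        print(acct, "->", evaluate_login(acct, fallback))
    print("true 2FA?", is_true_two_factor(fallback), is_true_two_factor(["password", "totp_token"]))
```

The useful property is that `is_true_two_factor` is computed from categories, so adding more knowledge-based questions can never turn a single-factor login into a two-factor one; the only ways out of the fallback branch are a possession or inherence credential, a hard deny, or an explicit review path with a recorded score.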


I was also thinking that the community should start calling this type of implementation 2FAil, to give the companies a little extra 'shame peer pressure'... Anyone up for making a logo, heartbleed-style? :)


It is not real two-factor authentication if you can bypass it with questions.

It is more security theatre, giving PayPal's users a feeling of security.



