Issue with PayPal and Two-Factor Authentication Using Safari as Authentication App

Hi cloudres, I also have the same issue. I've had this for some time, and as you say it ONLY happens on the PayPal website. (I guess there could be other sites that I don't personally use.)

In my case, the last digit entered into the 6 boxes by Safari is actually always a repeat of the first digit of the verification code. So if in Keychain the current code is '123456' then copying/pasting this into Safari works fine, but if selecting the 'autofill' option in Safari to it populates automatically, it enters '123451' and that then fails.

Interestingly, I have found that if I delete the values from the 6 boxes before clicking 'Continue' and then try the pre-population ('autofill') option again, then it does actually enter the correct code the second time and it works. Hence why I am not totally convinced it's a PayPal issue on it's own, as if it was a problem with the tags or something in the page itself, I wouldn't expect that to be changing when I retry the second time.

I have found on some sites (PayPal previously, but also Amazon) that if you press 'enter' after selecting the autofill option, then the verification appears to fail. However, in testing this appears to be because some sites automatically try to log you in after you tab out of the last digit field or once the length of the code has reached 6 digits, so the effect of pressing enter also means the site thinks you've pressed enter twice and it then is trying to validate against a second authentication code, but the code autofilled is the first code. Now, I just wait to see if the site auto-commits, and if not then press enter manually.

You need to delete all 6 boxes and then re-enter the code in full, then it puts the correct code in the second time. My assumption is if you only delete the last digit, then when you try to autofill it 'starts again' entering the code from the start which is why it looks wrong.

It's definitely very weird, as the other 5 boxes (first 5) are always correct, it's only ever the last digit that is wrong, so I'm not entirely sure why it's missing out the 'real' 6th digit when entering the first time, it's like it looks round to the first digit again for some reason.

As others have suggested, this is obviously a problem with PayPal.

The only thing I can add is an explanation of how the problem happens. PayPal is probably doing something funky with Javascript. Safari sees a text field and provides data to it. But PayPal isn't actually reading the contents of the text field. It is monitoring your keystrokes. Since Safari isn't pushing keystroke events through the website, PayPal doesn't know that anything has been typed, even though the numbers are on the screen.

PayPal might claim that this is some kind of security protection. But the important thing here is that PayPal is sampling keystrokes. In theory, any website can do this. Most websites don't do this because they are only interested practical applications, like entering an authentication code. But some websites monitor every keystroke you enter on the site. This can be a security concern. Just so you know.

Just updated to Safari 17 and my first login to PayPal has worked fine, and I no longer see this issue! Not sure if it's directly related to the Safari update or whether PayPal have changed something, but it seems to work OK now without using the workaround.

@cloudres, not sure if you now see this fixed too, and if so are you using Safari 17?

Thanks for the very thorough info! They do need to fix it.

I think you need to be in software development to use the Apple bug tracker, but end user's can try 'feedback'. I've used it before, and it appears some of the bugs got fixed. Somebody will read it at the other end. You can link back to this forum as part of your feedback report; drop a link in there.

Feedback - Safari - Apple

Hi etresoft, thanks for the reply. However, I don't think that's the case as you can visibly see on the screen when the issue occurs that Safari is putting the wrong value in the text field. It's not just PayPal not understanding the code haas been entered or monitoring keystrokes, Safari is putting the wrong value into the text box itself, so when you click the 'Continue' button then PayPal receive that incorrect value and deny the logon.

I don't dispute the issue could be somehow JavaScript related, or indeed somehow related to the way in which the PayPal website has been built/configured (especially since it only seems to happen on this one site), but it's definitely an issue in the way the Keychain code is working out what to put where, caused either by an Apple bug in that code, or caused by something weird on the PayPal page/field tagging causing Safari to get confused. Either way, I'd say it's definitely a bug and not an issue with the website monitoring keystrokes.

As suggested by mischa43 I will try and submit a Safari feedback request, but may also raise a bug in the developer portal as clearly something isn't working correctly.

Yes, it works fine on my iPad and iPhone, it's only on my Mac where I see the issue. Mac is running Ventura 13.4.1 (fully up-to-date), but this was a problem on previous versions and at least the last full release of MacOS too. I noticed it some time ago, but the only reference to it on the web was cloudres posting about it, so until now I assumed it was just my machine.

Whilst the fill-delete-fill workaround does the trick, it's still annoying and is a hack rather than a fix. It's still unclear whether the issue is with PayPal or Apple, but given it works on all other devices and it works the second time data is filled without the PayPal webpage changing in any way, my immediate thoughts are it's an Apple issue in terms of how Safari recognises where to put the data. I've looked at the meta tags in the page itself and can't see any obvious problems or causes there, so it's unclear why this behaviour only shows up on this one website. No replies yet on the PayPal forum, but it would be ideal to be able to submit a user bug ticket to Apple, but unsure how to do that.

Same problem with macOS Monterey 12.6.7, old '15 Macbook Pro - Safari 16.5.2. The fill-delete-fill solution is a good workaround for now!

This problem doesn't occur on my new iPhone 14 Pro Max iOS 16.5.1, using Safari. Do the other users on this forum have older devices with prior macOS versions?? Please state your software versions.

This quirk may have been fixed with the latest software, that has 'Passkeys' support.

If you have a recent iDevice running iOS/ipadOS 16, try that using Safari. The verification code should work first try.

Over the past year or so, I too have occasionally encountered this type of “OTP auto-entry” behavior on a small number of web sites …

… in each case it was a developer error on the page itself.

Good luck w/ PayPal. 😉

One added data point / clarification…

In my own prior experiences with this - on iOS 15 - I was Auto-filling or C&P’ing directly from the keychain.

Autofill and C&P always failed; but directly typing the characters always worked.

So … similar … but distinctly different behavior detail-wise from this thread.