1 post
SMS 2FA on PayPal is a routing decision, not a credential. The session cookie is the boundary, and attackers have already routed around the factor.