When eBay rolled out the PayPal Security Key earlier this year, its executives hailed it as an important measure that would make users more secure. And it was. By generating a random, six-digit number every 30 seconds that users needed to authenticate themselves online, the small electronic token provided an additional layer of protection against phishers and other online criminals.
Yay, two-factor auth!
But according to Chris Romero, an IT administrator who has used the Security Key for several months now, a bug could allow phishers and others with bad intent to work around the measure. When accessing his PayPal account from merchant sites and other third-party destinations, he says, his account is validated when he types in any six-digit number, as long as he provides a valid user ID and password and answers an accompanying security question.
Oops! Not good. And now for the money shot:
Update: The aforementioned spokeswoman said on Thursday that over the past 24 hours PayPal security people have been able to reproduce the bug and are working on a fix. As we noted above, she said the flaw shouldn't be regarded as a significant security risk because users are still required to enter a password and answer a security question.
Are you kidding me? Your two-factor auth isn't two-factor anymore! The whole point is that stealing someone's password doesn't grant access to the account, because the attacker must also physically possess something. Only PayPal messed up, and you don't need to possess anything. That is a radical step backwards in security, and some silly marketing chick is telling people it's not an issue? Are you kidding me? Is that PayPal's official position? WOW! Just... WOW.
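To make the distinction concrete, here is an added example in Python (not code from the article, from Chris Romero, or from PayPal): an RFC 6238 style six-digit code generator, a login check that mirrors the reported flaw (once the security question is answered, any six-digit string passes), and the check as it should be, where the submitted code is always compared against the token. The account record, password, answer and token secret are constructed sample values; the secret is the RFC 4226/6238 test key.

```python
import hmac
import hashlib
import struct


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


# Constructed sample account (not real credentials); the secret is the RFC test key.
ACCOUNT = {
    "password": "correct-horse",
    "answer": "rover",
    "token_secret": b"12345678901234567890",
}


def knowledge_factors_ok(password: str, answer: str) -> bool:
    """What the spokeswoman points to: password plus security-question answer.
    Both are things an attacker can phish; neither proves possession of the token."""
    return (hmac.compare_digest(password.encode(), ACCOUNT["password"].encode())
            and hmac.compare_digest(answer.encode(), ACCOUNT["answer"].encode()))


def buggy_third_party_login(password: str, otp: str, answer: str, now: int) -> bool:
    """Mirrors the reported flaw: after the security question, the 'token code'
    is only checked for shape (six digits), never against the token itself."""
    if not knowledge_factors_ok(password, answer):
        return False
    return len(otp) == 6 and otp.isdigit()


def fixed_third_party_login(password: str, otp: str, answer: str, now: int) -> bool:
    """Second factor always verified: the code must match the token's output for
    the current 30-second step or one step either side (allowing clock skew)."""
    if not knowledge_factors_ok(password, answer):
        return False
    secret = ACCOUNT["token_secret"]
    expected = [totp(secret, now + skew) for skew in (-30, 0, 30)]
    # compare every candidate so timing does not reveal which step matched
    return any(hmac.compare_digest(otp.encode(), e.encode()) for e in expected)
```

With the constructed account, the buggy path accepts "000000" at any time once the password and answer are right, while the fixed path only accepts the code the token would actually display for that 30-second window.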