
Paypal is so strict that even if one knew the password and email they still could not spend. Paypal forces phone verification if they don't like the IP, which is very common. The phone must match the ID of the paypal account holder, so using a throwaway number will not work.


So again if they take it so seriously why enforce such an arbitrary limit on password length?


Probably weird arbitrary rules around legacy systems... I don't know about PayPal specifically; they're really too young for that to be an issue. I know other banks with account federation have had some systems running that are severely limited. It's weird all the way around tbh.

I do hope the new NIST recommendations get more weight moving forward, but banking tends to rely on other authentication/validation routes beyond just the password to strengthen things. Which is probably okay... unless your device is found, and not password protected itself, with a relatively secure password. Even then...
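The NIST recommendations mentioned above (SP 800-63B) are the opposite of an arbitrary short maximum: accept long passphrases, drop composition rules, and screen against known-breached passwords. The snippet below is an added illustration, not code from this thread or from PayPal or any bank; the limits, the tiny blocklist and the scrypt parameters are assumed values chosen for the example. The point it makes is that once the password is run through a KDF, the stored record has a fixed size regardless of input length, so the usual "legacy storage" excuse for a short cap disappears.

```python
"""Password acceptance check in the spirit of NIST SP 800-63B.

Added example, not from the thread. Enforces only a minimum length, a
generous maximum, and a breached-password blocklist; no character-class
rules. Hashing uses hashlib.scrypt so the stored record is fixed-size
whatever the password length.
"""
import hashlib
import hmac
import os
import unicodedata
from typing import Optional, Tuple

MIN_LEN = 8      # NIST 800-63B: at least 8 characters for user-chosen secrets
MAX_LEN = 256    # NIST asks that at least 64 be allowed; 256 is an assumed cap
                 # that only bounds KDF cost, not storage
SALT_LEN = 16
KEY_LEN = 64
# scrypt cost parameters (assumed, example values; 16 MiB of memory)
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

# Constructed sample blocklist standing in for a breached-password corpus.
BREACHED = {"password", "123456", "qwerty", "letmein", "paypal123"}


def normalize(password: str) -> str:
    """NFKC-normalize so the same secret typed via different input methods
    compares equal (recommended by 800-63B)."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str) -> Tuple[bool, str]:
    """Return (accepted, reason). Spaces and Unicode are allowed; no
    uppercase/digit/symbol requirements are imposed."""
    pw = normalize(password)
    n = len(pw)
    if n < MIN_LEN:
        return False, f"too short ({n} < {MIN_LEN})"
    if n > MAX_LEN:
        return False, f"too long ({n} > {MAX_LEN})"
    if pw.lower() in BREACHED:
        return False, "appears in breached-password list"
    return True, "ok"


def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(
        normalize(password).encode("utf-8"),
        salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN,
    )


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || key. The output is always SALT_LEN + KEY_LEN bytes,
    so the database column never dictates a short maximum length."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    return salt + _kdf(password, salt)


def verify_password(password: str, stored: bytes) -> bool:
    """Constant-time comparison of the recomputed key against the record."""
    salt, key = stored[:SALT_LEN], stored[SALT_LEN:]
    return hmac.compare_digest(_kdf(password, salt), key)


if __name__ == "__main__":
    for cand in ["short", "correct horse battery staple", "paypal123", "x" * 300]:
        print(repr(cand[:30]), check_password(cand))
    rec = hash_password("correct horse battery staple")
    print(len(rec), verify_password("correct horse battery staple", rec))
```

A 28-character passphrase and a 200-character one both produce an 80-byte record here; a system that caps passwords at, say, 20 characters is doing so for reasons unrelated to how it stores them, which is exactly the question the comment above raises.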


2FA would be great, so long as SMS isn't the only option every time. I've moved to a much more tech savvy bank these days, but there was a long while where my bank's website was, by a hilariously wide margin, the least secure website that I regularly visited. It was in fact one of my reasons for switching banks (the other reasons are not relevant here).


How strict? I've accidentally used my PayPal account whilst connected to an (out of country) VPN more than once and never had it raise any flags, and I've _never_ had phone verification for a purchase.



