Replacing Symantec Vip Access With A Generic TOTP App - r0k1s#i
r0k1s#i

Replacing Symantec Vip Access With A Generic TOTP App

Posted on Oct 20, 2024

Background

When adding 2 FA to Schwab, you will find that the options are limited to the following:

  • Notification to my mobile device
    • We’ll send a notification to your mobile device or open your mobile app to verify.
  • Text
    • We’ll send a code to a number in your profile.
  • Security token

Using the app itself for 2 FA is clearly not a good practice, and option two, SMS as 2 FA, is even worse.

Option three, the Security token, does not use the currently common TOTP scheme, but requires the use of the closed-source proprietary application “VIP Access” from Symantec .

Reasons for not using “VIP Access”:

  • The iOS version of VIP Access is too ugly.
  • VIP Access data does not support export or backup.
  • I prefer TOTP all in one in a single application.
  • It is inefficient to open different applications to find the TOTP code.
  • VIP Access is closed-source proprietary software.

Therefore, we need to find a way to convert the TOTP from Symantec’s “VIP Access” to a generic TOTP, so that it can be used with software and hardware like Google Authenticator, Authy, Yubikey, etc.

Installing and Using python-vipaccess

The main project: https://github.com/dlenski/python-vipaccess.

This project was developed by @cyrozap by reverse-engineering “VIP Access,” and later improved and maintained by @dlenski.

Risk Warning:

The code of this project pretends to be an old version of the Symantec VIP client for macOS, a version that Symantec no longer uses.

Therefore, if Symantec’s servers refuse to communicate with this old version of the application, this method will fail.

Historically, Symantec briefly disabled communication with this version of the client in May 2020, and may do so again at any time in the future.

However, even if it is disabled in the future, it will only prevent the conversion of new tokens; previously converted tokens should remain unaffected.

Quick Start

# Installation
pip3 install python-vipaccess

# For newer versions of Python
pipx install python-vipaccess 

# Generate a new token
vipaccess provision -p -t SYMC

You will see output similar to the following:

Generating request...

Fetching provisioning response...

Getting token from response...

Decrypting token...

Checking token...

Credential created successfully:

otpauth://totp/VIP%20Access:VSMT22195338?issuer=Symantec&algorithm=SHA1&secret=SS3MEAKIBPSZYOI5NAOQHE2WDQYUXM3Z&digits=6&period=30

This credential expires on this date: 2022-05-30T14:13:21.891Z

You will need the ID to register this credential: VSMT22195338

You can use oathtool to generate the same OTP codes

as would be produced by the official VIP Access apps:

oathtool -d6 -b --totp SS3MEAKIBPSZYOI5NAOQHE2WDQYUXM3Z # 6-digit code

oathtool -d6 -b --totp -v SS3MEAKIBPSZYOI5NAOQHE2WDQYUXM3Z # ... with extra information
  • VSMT 22195338 is the credential you need to submit to Schwab or other websites using Symantec VIP.
  • SS3MEAKIBPSZYOI5NAOQHE2WDQYUXM3Z is the secret token used to import into a generic TOTP application.
  • This output can be used to generate a QR code: otpauth://totp/VIP%20Access:VSMT22195338?issuer=Symantec&algorithm=SHA1&secret=SS3MEAKIBPSZYOI5NAOQHE2WDQYUXM3Z&digits=6&period=30.

Generating QR Code

I personally prefer to directly use the key to import into the TOTP application rather than using a QR code.

If you really want to generate a QR code, I recommend two methods:

Using qrencode to generate a QR code

Linux and macOS can easily install qrencode to generate QR codes.

qrencode -t ANSI256 'otpauth://totp/VIP%20Access:SYMC54313423?period=30&digits=6&issuer=Symantec&secret=5YKAUZA4I4RAIJIZBU4KME34XLODWEUX&algorithm=SHA1'

image

Windows has not been tested, so it’s unclear if it can be used directly with qrencode, but it should not be difficult with WSL.

If you encounter difficulties, I recommend using the following method to generate a QR code.

Using CyberChef to generate a QR code

CyberChef is known as the “The Cyber Swiss Army Knife”, providing hundreds of different “operations” for tasks such as encoding/decoding, encryption/decryption, data analysis, and more.

Using it to generate a QR code is naturally straightforward:

image

It runs entirely in the browser as a client application, meaning all data processing is done locally in the user’s browser without sending data to a server.

Of course, if you feel uneasy using someone else’s instance, it is recommended to run a local instance of CyberChef using Docker for added security.

Exporting Existing Symantec VIP Access

Unfortunately, “VIP Access” does not support export, migration, or backup.

So if you have already bound a “VIP Access,” the only method is:

  • Unbind the currently bound “VIP Access” from your account.
  • Delete the code and uninstall “VIP Access.”
  • Use python-vipaccess to generate a new secret token and back it up properly.
  • Bind it to your account.

🔗 Reference Links