Replacing Symantec VIP Access With A Generic TOTP App
Background
When adding 2FA to Schwab, you will find that the options are limited to the following:
- Notification to my mobile device
  - We’ll send a notification to your mobile device or open your mobile app to verify.
- Text
  - We’ll send a code to a number in your profile.
- Security token
Using the app itself for 2FA is clearly not a good practice, and option two, SMS as 2FA, is even worse.
Option three, the Security token, does not use the currently common TOTP scheme, but requires the use of the closed-source proprietary application “VIP Access” from Symantec.
Reasons for not using “VIP Access”:
- The iOS version of VIP Access is too ugly.
- VIP Access data does not support export or backup.
- I prefer to have all TOTP codes in a single application.
- It is inefficient to open different applications to find the TOTP code.
- VIP Access is closed-source proprietary software.
Therefore, we need to find a way to convert the TOTP from Symantec’s “VIP Access” to a generic TOTP, so that it can be used with software and hardware like Google Authenticator, Authy, Yubikey, etc.
Installing and Using python-vipaccess
The main project: https://github.com/dlenski/python-vipaccess.
This project was developed by @cyrozap by reverse-engineering “VIP Access,” and later improved and maintained by @dlenski.
Risk Warning:
The code of this project pretends to be an old version of the Symantec VIP client for macOS, a version that Symantec no longer uses.
Therefore, if Symantec’s servers refuse to communicate with this old version of the application, this method will fail.
Historically, Symantec briefly disabled communication with this version of the client in May 2020, and may do so again at any time in the future.
However, even if it is disabled in the future, it will only prevent the conversion of new tokens; previously converted tokens should remain unaffected.
Quick Start
# Installation
pip3 install python-vipaccess
# For newer versions of Python
pipx install python-vipaccess
# Generate a new token
vipaccess provision -p -t SYMC
You will see output similar to the following:
Generating request...
Fetching provisioning response...
Getting token from response...
Decrypting token...
Checking token...
Credential created successfully:
otpauth://totp/VIP%20Access:VSMT22195338?issuer=Symantec&algorithm=SHA1&secret=SS3MEAKIBPSZYOI5NAOQHE2WDQYUXM3Z&digits=6&period=30
This credential expires on this date: 2022-05-30T14:13:21.891Z
You will need the ID to register this credential: VSMT22195338
You can use oathtool to generate the same OTP codes
as would be produced by the official VIP Access apps:
oathtool -d6 -b --totp SS3MEAKIBPSZYOI5NAOQHE2WDQYUXM3Z # 6-digit code
oathtool -d6 -b --totp -v SS3MEAKIBPSZYOI5NAOQHE2WDQYUXM3Z # ... with extra information
- VSMT22195338 is the credential you need to submit to Schwab or other websites using Symantec VIP.
- SS3MEAKIBPSZYOI5NAOQHE2WDQYUXM3Z is the secret token used to import into a generic TOTP application.
- This output can be used to generate a QR code: otpauth://totp/VIP%20Access:VSMT22195338?issuer=Symantec&algorithm=SHA1&secret=SS3MEAKIBPSZYOI5NAOQHE2WDQYUXM3Z&digits=6&period=30
Generating QR Code
I personally prefer to directly use the key to import into the TOTP application rather than using a QR code.
If you really want to generate a QR code, I recommend two methods:
Using qrencode to generate a QR code
On Linux and macOS, qrencode is easy to install and can be used to generate QR codes.
qrencode -t ANSI256 'otpauth://totp/VIP%20Access:SYMC54313423?period=30&digits=6&issuer=Symantec&secret=5YKAUZA4I4RAIJIZBU4KME34XLODWEUX&algorithm=SHA1'
Windows has not been tested, so it’s unclear if it can be used directly with qrencode, but it should not be difficult with WSL.
If you encounter difficulties, I recommend using the following method to generate a QR code.
Using CyberChef to generate a QR code
CyberChef is known as “The Cyber Swiss Army Knife”, providing hundreds of different “operations” for tasks such as encoding/decoding, encryption/decryption, data analysis, and more.
Using it to generate a QR code is naturally straightforward.
It runs entirely in the browser as a client application, meaning all data processing is done locally in the user’s browser without sending data to a server.
Of course, if you feel uneasy using someone else’s instance, it is recommended to run a local instance of CyberChef using Docker for added security.
Exporting Existing Symantec VIP Access
Unfortunately, “VIP Access” does not support export, migration, or backup.
So if you have already bound a “VIP Access,” the only method is:
- Unbind the currently bound “VIP Access” from your account.
- Delete the code and uninstall “VIP Access.”
- Use python-vipaccess to generate a new secret token and back it up properly.
- Bind it to your account.