I spent 2 hours on the phone with eTrade support today getting the 2FA to work properly. Here are my findings about this abysmal security experience: Unlike most other websites which just use QR code with any authenticator of your choice to set up, you must use the Symantec "VIP Access" App. In order to enter the 2FA code, you must enter into the PASSWORD field, your password, followed by the authenticator code.

Occasionally, I need to log in to a system that requires the use of a Symantec VIP code. For those that haven’t come across this before, the app displays a 6 digit numeric code that changes every 30 seconds. When logging in to the system, I have to run the app to get the 6 digit code and then type it in, along with a username and password.

This is an example of pseudo-two-factor authentication: I have my password, something I know, as the first factor and something I have, the app that generates the code, as the second factor. (Why pseudo-two-factor? Because the code is generated from a secret, it’s really just a fancy password.)

So, what’s the problem? I resent having a “special” Symantec app on all my devices because, ultimately, this is just a layer over the standard Time-based One Time Password (TOTP), as used by Google, Microsoft, Facebook and countless others.

Symantec VIP is actually just a layer over TOTP and, thanks to a clever bit of work by Dan Lenski (in turn forked from Cyrozap’s project), it’s possible to do away with the Symantec VIP application and use a “standard” TOTP app, such as Google Authenticator or Authy. The instructions provided by Dan are pretty straightforward, but I hit a missing dependency that was required to make it work on my RPi 2B.

The 6 digit codes that get generated by authenticator apps are created based on 2 factors: the current time (obviously) and a credential. To add a new credential to a TOTP app we therefore need a compatible credential. When you initialise Symantec VIP, it generates a new random credential, but not one compatible with TOTP. VIP credentials start with 4 letters and then 8 digits. TOTP credentials are usually 32 letters, often represented as a QR code.

Cyrozap’s and Dan’s software does the clever bit of creating the TOTP credential from the Symantec VIP credential. Creating a QR code is a “nice to have” (I only have to type in those 32 letters once, so I did without that).

As described above, I’m doing this on a Raspberry Pi 2B which was up to date as of 30th May 2019.

Steps

First, we need Python 3:

    sudo -s # Being lazy, saves having to type sudo in front of everything
    apt update # Ensure we’re going to get the latest version of packages
    sudo apt install python3 # Install Python 3 if not already installed
    sudo apt install python3-pip # Install pip (package manager)

Now we can download and install Dan’s python-vipaccess application.

    pip3 install
    Collecting lxml=4.2.5 (from python-vipaccess=0.3.1)
    Collecting oath>=1.4.1 (from python-vipaccess=0.3.1)
    Collecting pycryptodome=3.6.6 (from python-vipaccess=0.3.1)
    Requirement already satisfied: requests in /usr/lib/python3/dist-packages (from python-vipaccess=0.3.1)
    Installing collected packages: lxml, oath, pycryptodome, python-vipaccess
    Running setup.py install for python-vipaccess.
    Successfully installed lxml-4.2.5 oath-1.4.3 pycryptodome-3.6.6 python-vipaccess-0.3.1

When running the vipaccess command, I got the following error:

    ImportError: libxslt.so.1: cannot open shared object file: No such file or directory

To resolve this, install the two libraries libxml2-dev and libxslt1-dev:

    apt-get install libxml2-dev libxslt1-dev

Now you should be able to run vipaccess with no issues:

    # vipaccess provision -t VSMT -p
    otpauth://totp/VIP%20Access:VSMT22195338?issuer=Symantec&algorithm=SHA1&secret=SS3MEAKIBPSZYOI5NAOQHE2WDQYUXM3Z&digits=6&period=30
    This credential expires on this date: T14:13:21.891Z
    You will need the ID to register this credential: VSMT22195338
    You can use oathtool to generate the same OTP codes
    as would be produced by the official VIP Access apps:
    oathtool -d6 -b --totp SS3MEAKIBPSZYOI5NAOQHE2WDQYUXM3Z # 6-digit code
    oathtool -d6 -b --totp -v SS3MEAKIBPSZYOI5NAOQHE2WDQYUXM3Z #.