I love two factor authentication (2FA) and it’s essential to operating accounts in the digital world. But have you ever been forced to use it? Last year, I had to help my dad use the Symantec VIP Access app for his Fidelity account and apparently it’s deployed in many other businesses as well.
First, a bit of background. Fidelity is a popular investment broker here in the US and in particular, my dad got so annoyed by the text messages every time he had to login to his retirement account. By default, Fidelity does everything through your phone number so I was tasked to find a way around it.
For years, Fidelity only supported one other form of 2FA, that was Symantec VIP Access, a lame proprietary app that was basically a gated wrapper for standard 2FA, like in Google Authenticator. In August 2024, Fidelity made an announcement on their Reddit page (Onion link) that they now welcome any kind of 2FA app.
The thing that was irks me about apps like Symantec VIP Access is it’s a proprietary solution and not an open one. Deep down in the app, it is running the normal Google Authenticator stuff good websites run. They also make it so you can’t export your codes and include unnecessary data collection in the app, which is just unacceptable for an app to guard your accounts.
- Official Symantec VIP Access page
- Symantec VIP Access on εxodus
- Symantec’s App Privacy Label on Apple’s App Store
Like most financial institutions, Fidelity has terrible practices and I had to go through the trouble of setting all of this up, but I’m making this video to celebrate Fidelity amends and prepare all of you the next time you are forced to use Symantec VIP Access.
python-vipaccess
Some people on GitHub, cyrozap and Dan Lenski, have reverse-engineered the desktop and mobile apps and Symantec’s protocol, so you don’t need to use Symantec’s app and continue using an open-source authenticator app like Aegis or Ente for desktop/iPhone users.
Read cyrozap’s blog post about reverse engineering server calls for Symantec VIP Access
Installation
You will need Python and pipx installed in order to use the script. You can use scoop for Windows, pipx from Homebrew, or your Linux package manager. I use a Distrobox/Docker container to run it to keep my system clean.
Next, we need to install python-vipaccess from pip using pipx.
pipx install python-vipaccess
Now you can launch python-vipaccess from your terminal.
Symantec’s Provisioning:
python-vipaccess will generate your Symantec token by negotiating with
their server the same way their app does. Symantec uses a proprietary,
server-side protocol to issue you a token to obtain Google’s open-source
TOTP standard to generate a code. This is yet another reason Symantec
sucks, because Google Authenticator or other open source authenticators
only require one device–yours.
vipaccess provision -p -i Fidelity -t VSMT
-pprints the output without saving it to a file.-iis the 2FA issuer. Default isVIP Access, but this could changed toFidelityfor example.-tis the token format requested from Symantec’s servers. The token in this case isVSMT.
There are alternative tokens marked for either for mobile or desktop, but all equally functional. Keep this in mind if when you interact with IT or customer support.
- SYMC/VSMT (Mobile)
- SYDC/VSST (Desktop)
- More classification codes from Broadcom (parent company of Symantec)
Running the command should get an output that looks like this:
Generating request...
Fetching provisioning response from Symantec server...
Getting token from response...
Decrypting token...
Checking token against Symantec server...
Credential created successfully:
otpauth://totp/Fidelity:VSMT95687533?secret=HHW3IFLSHQJBTZQRTULZQN5Q7DV4ZOQR&digits=6&algorithm=SHA1&image=https%3A%2F%2Fraw.githubusercontent.com%2Fdlenski%2Fpython-vipaccess%2Fmaster%2Fvipaccess.png&period=30
This credential expires on this date: 2027-02-19T16:44:55.044Z
You will need the ID to register this credential: VSMT95687533
You can use oathtool to generate the same OTP codes
as would be produced by the official VIP Access apps:
oathtool -b --totp HHW3IFLSHQJBTZQRTULZQN5Q7DV4ZOQR # output one code
oathtool -v -b --totp HHW3IFLSHQJBTZQRTULZQN5Q7DV4ZOQR # ... with extra information
Let’s translate this output:
- Under
Credential created successfully, this is the information we need to set up the service. - IT/customer support will ask you for an account ID. With the example
output above, this is
VSMT95687533, but you will need to supply your own. - If support asks you for a different token (e.g. “it’s the code that starts with ‘SY’”), regenerate your code with the matching token. You can also politely tell them your app is showing you something different and read your code aloud.
- Afterwards, manually enter the text after
?secret=into your authenticator app. In this example, the Google Authenticator seed isHHW3IFLSHQJBTZQRTULZQN5Q7DV4ZOQR - Make a reminder in your calendar app of choice, password manager, or physical planner to setup Symantec prior to the expiration date.
Track Listing
- Minobe Yutaka (蓑部雄崇) - Satellite (サテライト) from Yu-Gi-Oh! 5Ds (遊☆戯☆王5D’s(ファイブディーズ))
- Neötrön (ネオトロン) - City Girl Walks Down a Country Road (シティーガールは田舎道を歩く)
- Nyalpaca BGM - City Girl (シティガール)
- Outro: Khaim - Neon Lamp