I love two factor authentication (2FA) and it’s essential to operating accounts in the digital world. But have you ever been forced to use it? Last year, I had to help my dad use the Symantec VIP Access app for his Fidelity account and apparently it’s deployed in many other businesses as well.

First, a bit of background. Fidelity is a popular investment broker here in the US and in particular, my dad got so annoyed by the text messages every time he had to login to his retirement account. By default, Fidelity does everything through your phone number so I was tasked to find a way around it.

For years, Fidelity only supported one other form of 2FA, that was Symantec VIP Access, a lame proprietary app that was basically a gated wrapper for standard 2FA, like in Google Authenticator. In August 2024, Fidelity made an announcement on their Reddit page (Onion link) that they now welcome any kind of 2FA app.

The thing that was irks me about apps like Symantec VIP Access is it’s a proprietary solution and not an open one. Deep down in the app, it is running the normal Google Authenticator stuff good websites run. They also make it so you can’t export your codes and include unnecessary data collection in the app, which is just unacceptable for an app to guard your accounts.

Like most financial institutions, Fidelity has terrible practices and I had to go through the trouble of setting all of this up, but I’m making this video to celebrate Fidelity amends and prepare all of you the next time you are forced to use Symantec VIP Access.

python-vipaccess

Some people on GitHub, cyrozap and Dan Lenski, have reverse-engineered the desktop and mobile apps and Symantec’s protocol, so you don’t need to use Symantec’s app and continue using an open-source authenticator app like Aegis or Ente for desktop/iPhone users.

Read cyrozap’s blog post about reverse engineering server calls for Symantec VIP Access

python-vipaccess GitHub

Installation

You will need Python and pipx installed in order to use the script. You can use scoop for Windows, pipx from Homebrew, or your Linux package manager. I use a Distrobox/Docker container to run it to keep my system clean.

Next, we need to install python-vipaccess from pip using pipx.

pipx install python-vipaccess

Now you can launch python-vipaccess from your terminal.

Symantec’s Provisioning:

python-vipaccess will generate your Symantec token by negotiating with their server the same way their app does. Symantec uses a proprietary, server-side protocol to issue you a token to obtain Google’s open-source TOTP standard to generate a code. This is yet another reason Symantec sucks, because Google Authenticator or other open source authenticators only require one device–yours.

vipaccess provision -p -i Fidelity -t VSMT
  • -p prints the output without saving it to a file.
  • -i is the 2FA issuer. Default is VIP Access, but this could changed to Fidelity for example.
  • -t is the token format requested from Symantec’s servers. The token in this case is VSMT.

There are alternative tokens marked for either for mobile or desktop, but all equally functional. Keep this in mind if when you interact with IT or customer support.

Running the command should get an output that looks like this:

Generating request...
Fetching provisioning response from Symantec server...
Getting token from response...
Decrypting token...
Checking token against Symantec server...
Credential created successfully:
    otpauth://totp/Fidelity:VSMT95687533?secret=HHW3IFLSHQJBTZQRTULZQN5Q7DV4ZOQR&digits=6&algorithm=SHA1&image=https%3A%2F%2Fraw.githubusercontent.com%2Fdlenski%2Fpython-vipaccess%2Fmaster%2Fvipaccess.png&period=30
This credential expires on this date: 2027-02-19T16:44:55.044Z

You will need the ID to register this credential: VSMT95687533

You can use oathtool to generate the same OTP codes
as would be produced by the official VIP Access apps:

    oathtool    -b --totp HHW3IFLSHQJBTZQRTULZQN5Q7DV4ZOQR  # output one code
    oathtool -v -b --totp HHW3IFLSHQJBTZQRTULZQN5Q7DV4ZOQR  # ... with extra information

Let’s translate this output:

  • Under Credential created successfully, this is the information we need to set up the service.
  • IT/customer support will ask you for an account ID. With the example output above, this is VSMT95687533, but you will need to supply your own.
  • If support asks you for a different token (e.g. “it’s the code that starts with ‘SY’”), regenerate your code with the matching token. You can also politely tell them your app is showing you something different and read your code aloud.
  • Afterwards, manually enter the text after ?secret= into your authenticator app. In this example, the Google Authenticator seed is HHW3IFLSHQJBTZQRTULZQN5Q7DV4ZOQR
  • Make a reminder in your calendar app of choice, password manager, or physical planner to setup Symantec prior to the expiration date.

Track Listing