Generate Symantec VIP Access Token as TOTP

symantec-vip-access-totp.md

Generate Symantec VIP Access Token as OTP

Recently I came across a web service that required two-factor authentication using the Symantec VIP Access App. I already manage all of my OTP tokens in a different app (If you are on iOS I highly recommend using OTP Auth by Roland Moers.) and did not want to have to use yet another app to generate the TOTP.

There is a way to generate a Symantec VIP Access compatible token very easily if you have access to an environment which can run Python PIP. I happen to have Ubuntu Windows Subsystem Linux running on my machine. (If you are running Windows 10 and don't have this you should really check it out.) Let's get started...

hello

Instructions

Here we install python3-pip and qrencode so we can generate our secret, ID, and QR code.

$ sudo apt install python3-pip qrencode

Next we install the python-vipaccess tool from dlenksi's github repo.

 $ pip3 install https://github.com/dlenski/python-vipaccess/archive/HEAD.zip

Now we are going to generate our VIP Access token

 $ vipaccess provision -p -t SYMC

If everything worked correctly you should see the following output.

....
Generating request...
Fetching provisioning response...
Getting token from response...
Decrypting token...
Checking token...
Credential created successfully:
        otpauth://totp/VIP%20Access:SYMC54313423?period=30&digits=6&issuer=Symantec&secret=5YKAUZA4I4RAIJIZBU4KME34XLODWEUX&algorithm=SHA1
This credential expires on this date: 2022-03-14T14:57:31.615Z

You will need the ID to register this credential: SYMC54313423

You can use oathtool to generate the same OTP codes
as would be produced by the official VIP Access apps:

    oathtool -d6 -b --totp    5YKAUZA4I4RAIJIZBU4KME34XLODWEUX  # 6-digit code
    oathtool -d6 -b --totp -v 5YKAUZA4I4RAIJIZBU4KME34XLODWEUX  # ... with extra information

You can enter the TOTP secret just after --totp into your password manager or OTP app or in our case we're going to create a QR code to scan into your OTP app. You should copy and paste the otp auth credential just after Credential created successfully in the previous step now.

$ qrencode -t ANSI256 'otpauth://totp/VIP%20Access:SYMC54313423?period=30&digits=6&issuer=Symantec&secret=5YKAUZA4I4RAIJIZBU4KME34XLODWEUX&algorithm=SHA1'

You should see a QR code on your screen which you can then scan with your OTP app to generate your TOTP codes without ever having to use the Symantec VIP Access app! If you get an error, check to make sure you added single quotes around the otpauth:// string.

Much love for @cryozap for reverse engineering the Symantec VIP Access Provisioning Protocol and to @dlenksi for maintaining the fork.

For more information on the python-vipaccess tool check out the README.

There is online version too, to generate QR code from symantec VIP id.

There is online version too, to generate QR code from symantec VIP id.

While this is a nice quick proof of work, it should not be used for anything secure as all of the information is being generated on an server not under the control of the user or the service where the secret will be used to auth.

@jjroysdon 100% correct, agreed. it should be used just as a test, the sensitive one should be generated only by client-side.

This is brilliant. Thanks for the tip!

You can also install the latest stable release of python-vipaccess from PyPI instead of the development version on GitHub:

$ pip3 install python-vipaccess

Once installed this command will do it all. Replace [NAME] with the account you plan to use this new TOTP with. Will show output from vipaccess, plus the text used to create the QR code will be the last line.

$  vipaccess provision -p -t SYMC | tee /dev/tty | grep otpauth | xargs | sed -E 's/VIP%20Access:/[NAME]: /' | tee /dev/tty | qrencode -t ANSI256

This worked perfectly for me. Thank you very much for such a detailed solution!

Once installed this command will do it all. Replace [NAME] with the account you plan to use this new TOTP with. Will show output from vipaccess, plus the text used to create the QR code will be the last line.

$  vipaccess provision -p -t SYMC | tee /dev/tty | grep otpauth | xargs | sed -E 's/VIP%20Access:/[NAME]: /' | tee /dev/tty | qrencode -t ANSI256

This was perfect! Thanks!