
@jarbro
Last active July 1, 2024 17:02
Generate Symantec VIP Access Token as TOTP

Generate Symantec VIP Access Token as OTP

Recently I came across a web service that required two-factor authentication using the Symantec VIP Access app. I already manage all of my OTP tokens in a different app (if you are on iOS, I highly recommend using OTP Auth by Roland Moers) and did not want to have to use yet another app to generate the TOTP.

There is a way to generate a Symantec VIP Access compatible token very easily if you have access to an environment that can run Python and pip. I happen to have Ubuntu running under the Windows Subsystem for Linux on my machine. (If you are running Windows 10 and don't have this, you should really check it out.) Let's get started...


Instructions

Here we install python3-pip and qrencode so we can generate our secret, ID, and QR code.

$ sudo apt install python3-pip qrencode

Next we install the python-vipaccess tool from dlenski's GitHub repo.

$ pip3 install https://github.com/dlenski/python-vipaccess/archive/HEAD.zip

Now we are going to generate our VIP Access token:

$ vipaccess provision -p -t SYMC

If everything worked correctly you should see the following output.

....
Generating request...
Fetching provisioning response...
Getting token from response...
Decrypting token...
Checking token...
Credential created successfully:
        otpauth://totp/VIP%20Access:SYMC54313423?period=30&digits=6&issuer=Symantec&secret=5YKAUZA4I4RAIJIZBU4KME34XLODWEUX&algorithm=SHA1
This credential expires on this date: 2022-03-14T14:57:31.615Z

You will need the ID to register this credential: SYMC54313423

You can use oathtool to generate the same OTP codes
as would be produced by the official VIP Access apps:

    oathtool -d6 -b --totp    5YKAUZA4I4RAIJIZBU4KME34XLODWEUX  # 6-digit code
    oathtool -d6 -b --totp -v 5YKAUZA4I4RAIJIZBU4KME34XLODWEUX  # ... with extra information

You can enter the TOTP secret (the string just after --totp) into your password manager or OTP app, or, as in our case, create a QR code to scan into your OTP app. Now copy the otpauth:// credential printed just after "Credential created successfully:" in the previous step and paste it into the following command:

$ qrencode -t ANSI256 'otpauth://totp/VIP%20Access:SYMC54313423?period=30&digits=6&issuer=Symantec&secret=5YKAUZA4I4RAIJIZBU4KME34XLODWEUX&algorithm=SHA1'

You should see a QR code on your screen which you can then scan with your OTP app to generate your TOTP codes without ever having to use the Symantec VIP Access app! If you get an error, check to make sure you added single quotes around the otpauth:// string.
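The qrencode step above puts the secret on the command line, where it can end up in shell history. The following is an added example, not part of the original gist, that parses saved `vipaccess provision -p` output, checks the URI parameters and expiry, and feeds the URI to qrencode on stdin instead. The function names, the file name `vip.txt` and the sample credential are assumptions made for this example.

```shell
# Added example, not from the gist. SAMPLE is constructed in the format shown
# above; its ID, secret and expiry date are made up.
SAMPLE='Credential created successfully:
        otpauth://totp/VIP%20Access:SYMC00000000?period=30&digits=6&issuer=Symantec&secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&algorithm=SHA1
This credential expires on this date: 2030-01-01T00:00:00.000Z

You will need the ID to register this credential: SYMC00000000'

# First otpauth:// URI in provisioning output read from stdin.
extract_uri() {
    sed -n 's|^[[:space:]]*\(otpauth://totp/[^[:space:]]*\).*|\1|p' | head -n 1
}

# Expiry timestamp from the same output.
extract_expiry() {
    sed -n 's/^This credential expires on this date: //p' | head -n 1
}

# uri_param URI NAME: value of one query parameter (secret, digits, ...).
uri_param() {
    printf '%s\n' "${1#*[?]}" | tr '&' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Credential ID: the label after "VIP%20Access:", needed at registration.
uri_id() {
    label=${1%%[?]*}
    printf '%s\n' "${label##*:}"
}

# Succeeds only if the URI matches what the oathtool command above assumes:
# 6 digits, 30 s step, SHA1, Base32 secret (16+ chars is this example's floor).
check_uri() {
    [ "$(uri_param "$1" digits)" = 6 ] &&
    [ "$(uri_param "$1" period)" = 30 ] &&
    [ "$(uri_param "$1" algorithm)" = SHA1 ] &&
    uri_param "$1" secret | grep -Eq '^[A-Z2-7]{16,}$'
}

# is_expired EXPIRY NOW: same-format ISO 8601 UTC strings sort in time order.
is_expired() {
    awk -v e="$1" -v n="$2" 'BEGIN { exit !((e "") <= (n "")) }'
}

# Demo on the sample; prints non-secret fields only. Real use (vip.txt is a
# hypothetical file name):
#   umask 077; vipaccess provision -p -t SYMC > vip.txt
#   extract_uri < vip.txt | tr -d '\n' | qrencode -t ANSI256
uri=$(printf '%s\n' "$SAMPLE" | extract_uri)
check_uri "$uri" && echo "ID $(uri_id "$uri") expires $(printf '%s\n' "$SAMPLE" | extract_expiry)"
```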

Much love to @cyrozap for reverse engineering the Symantec VIP Access provisioning protocol and to @dlenski for maintaining the fork.

For more information on the python-vipaccess tool check out the README.

@jjroysdon

There is an online version too, to generate a QR code from a Symantec VIP ID.

While this is a nice quick proof of work, it should not be used for anything secure as all of the information is being generated on a server not under the control of the user or the service where the secret will be used to auth.

@ttodua

ttodua commented Dec 6, 2022

@jjroysdon 100% correct, agreed. It should be used just as a test; the sensitive one should be generated only client-side.

@mtconleyuk

This is brilliant. Thanks for the tip!

@msanders

You can also install the latest stable release of python-vipaccess from PyPI instead of the development version on GitHub:

$ pip3 install python-vipaccess

@sitecode

sitecode commented Mar 9, 2024

Once installed this command will do it all. Replace [NAME] with the account you plan to use this new TOTP with. Will show output from vipaccess, plus the text used to create the QR code will be the last line.

$  vipaccess provision -p -t SYMC | tee /dev/tty | grep otpauth | xargs | sed -E 's/VIP%20Access:/[NAME]: /' | tee /dev/tty | qrencode -t ANSI256

@ernestodo

This worked perfectly for me. Thank you very much for such a detailed solution!

@awbarr

awbarr commented Mar 16, 2024

Once installed this command will do it all. Replace [NAME] with the account you plan to use this new TOTP with. Will show output from vipaccess, plus the text used to create the QR code will be the last line.

$  vipaccess provision -p -t SYMC | tee /dev/tty | grep otpauth | xargs | sed -E 's/VIP%20Access:/[NAME]: /' | tee /dev/tty | qrencode -t ANSI256

This was perfect! Thanks!

@janihenn

I have a Mac with Monterey 12.7.5 installed. I know nothing about Python and need to generate a QR code or export to another authentication app (Aegis). Will this work on macOS? I can't believe Symantec makes it so difficult to export. I did so easily off of the Google Auth app, when I realized how unsafe that app was.

@nbelakovski

@janihenn these instructions are a little technical and not super friendly to people who aren't familiar or comfortable with the terminal. I'll do my best to give you a rundown of how you would do this if you've never used the terminal before, but your mileage may vary depending on what you've already installed on your machine and how good you are at following instructions.

  1. Open up the terminal (yup, here we go).
  2. Install brew using the instructions at brew.sh (copy the command they provide and paste it into your terminal and hit enter).
  3. With brew installed, run brew install qrencode (and yes, we had to install something to use it to install something else, this is the world of the terminal).
  4. macOS should already have Python so you shouldn't need to run brew install python, but if the next steps give you issues, going back and installing python with brew might help.
  5. Run pip install python-vipaccess
  6. Now you should be able to run the long command line from above vipaccess provision -p -t SYMC | tee /dev/tty | grep otpauth | xargs | sed -E 's/VIP%20Access:/[NAME]: /' | tee /dev/tty | qrencode -t ANSI256 (note that I didn't include the $, that's not part of the command, it's just an indicator that it's meant to be run in a terminal).
  7. If you get a message like vipaccess: command not found take a look at the output for pip install python-vipaccess for any warning messages about PATH, and read that message carefully. If you no longer have the output for that command handy you should be able to regenerate it with pip uninstall python-vipaccess followed by installing it again.

If you're not comfortable with the terminal this might take some patience as well as some Googling/asking ChatGPT, but you can do it, I believe in you!

And let me take this opportunity to give a huge thank you to the people who came up with these instructions! These are awesome and it's so nice to be able to bypass the VIP Access app for something a little more polished.
