Summary
You can generate Symantec VIP Access credentials and load them onto any Yubikey that supports TOTP or HOTP (i.e. any Yubikey that isn't blue).
If you don't already have a Yubikey, you might also consider a Symantec VIP Hardware Authenticator, which is less than half the price of the Yubikey I used - but I already have the Yubikey, and the Hardware Authenticator doesn't ship to the UK.
TOTP vs HOTP
The codes generated by the Symantec VIP Access phone app (and the likes of Google Authenticator) are TOTP codes - the code depends on the time. The other option is HOTP which uses a counter instead - this is what the Symantec VIP Hardware Authenticator does, and simplifies things on devices like the Yubikey that don't have built-in clocks.
Here are the main differences:
| | TOTP | HOTP |
|---|---|---|
| Code depends on | the current time | a counter |
| Used by | Symantec VIP Access phone app, Google Authenticator | Symantec VIP Hardware Authenticator |
| Needs a clock on the device | yes | no |
If you choose TOTP
Install python-vipaccess with

```sh
pip3 install python-vipaccess
```

and yubioath with

```sh
sudo apt-get install yubioath-desktop
```

Execute python-vipaccess from wherever pip installed it (in my case `~/.local/bin/vipaccess`) like so:

```
$ ~/.local/bin/vipaccess provision -p
Generating request...
Fetching provisioning response...
Getting token from response...
Decrypting token...
Checking token...
Credential created successfully:
	otpauth://totp/VIP%20Access:VSST89795985?secret=KVIMXW236KKUVMSVNYKZOBFPTWMKMPKZ&digits=6&algorithm=SHA1&issuer=Symantec&period=30
This credential expires on this date: 2023-03-29T16:24:42.226Z
You will need the ID to register this credential: VSST89795985
You can use oathtool to generate the same OTP codes as would be produced by the official VIP Access apps:
    oathtool -b --totp KVIMXW236KKUVMSVNYKZOBFPTWMKMPKZ       # output one code
    oathtool -v -b --totp KVIMXW236KKUVMSVNYKZOBFPTWMKMPKZ    # ... with extra information
```
This gives you the TOTP secret and the token ID. If you want to back up the credential or also load it into a tool like Google Authenticator, now is the time; to generate a QR code, see the python-vipaccess README.
Then simply load the secret onto your Yubikey and test as follows:

```
$ read -p "Enter the secret: " totpsecret
Enter the secret: KVIMXW236KKUVMSVNYKZOBFPTWMKMPKZ
$ yubioath put --name VSST89795985 --oath-type totp --touch "$totpsecret"
$ yubioath
VSST89795985 [Touch credential]
$ yubioath show VSST89795985
Touch your YubiKey...
VSST89795985 857363
$ unset totpsecret
```

We use `read` above to avoid saving the secret into our bash history. You can also use `yubioath-gui` if you prefer a GUI.
Test your token at Symantec's website to confirm you've set it up right.
Calling yubioath from python
If you've got a Python script that logs into something and you want it to call yubioath, you can do it like so:
The `while` loop ensures that, if the script reaches the yubioath step before you've plugged your key in, you can plug it in and it will try again.
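The script itself isn't reproduced here, so the following is an added example of that pattern (my code, not the original post's): it shells out to `yubioath show NAME`, parses the code line shown in the session above, and retries in a loop until the key is present. The `runner` parameter and the attempt limit are assumptions added so the retry logic can be exercised without a key plugged in.

```python
import re
import subprocess
import time
from typing import Callable, Optional

# yubioath prints one line per credential, e.g. "VSST89795985 857363".
CODE_RE = re.compile(r"^(?P<name>\S+)\s+(?P<code>\d{6,8})\s*$", re.MULTILINE)


def parse_yubioath_output(output: str, name: str) -> Optional[str]:
    """Return the OTP that `yubioath show NAME` printed for `name`, or None."""
    for match in CODE_RE.finditer(output):
        if match.group("name") == name:
            return match.group("code")
    return None


def run_yubioath(name: str) -> str:
    """Invoke the real yubioath CLI. Raises CalledProcessError if no key answers."""
    result = subprocess.run(
        ["yubioath", "show", name], capture_output=True, text=True, check=True
    )
    # The "Touch your YubiKey..." prompt may land on either stream; scan both.
    return result.stdout + result.stderr


def get_vip_code(name: str, attempts: int = 10, delay: float = 2.0,
                 runner: Callable[[str], str] = run_yubioath) -> str:
    """Keep asking the key for a code until one arrives or `attempts` run out.

    A missing `yubioath` binary (FileNotFoundError) is not retried: that is a
    setup problem, not a key that has yet to be plugged in.
    """
    tries = 0
    while True:
        tries += 1
        try:
            code = parse_yubioath_output(runner(name), name)
        except subprocess.CalledProcessError:
            code = None  # no key present (or the touch timed out); try again
        if code is not None:
            return code
        if tries >= attempts:
            raise RuntimeError(f"no code for {name} after {attempts} attempts")
        print(f"No code yet (attempt {tries}/{attempts}); insert and touch your key...")
        time.sleep(delay)


if __name__ == "__main__":
    print(get_vip_code("VSST89795985"))  # prints the current 6-digit code
```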
If you choose HOTP
Install python-vipaccess with

```sh
pip3 install python-vipaccess
```

and Yubikey Manager with

```sh
sudo apt-add-repository ppa:yubico/stable && sudo apt update && sudo apt install yubikey-manager-qt
```

Execute python-vipaccess from wherever pip installed it (in my case `~/.local/bin/vipaccess`) like so:

```
$ ~/.local/bin/vipaccess provision -p -t FT12
Generating request...
Fetching provisioning response...
Getting token from response...
Decrypting token...
Checking token...
Credential created successfully:
	otpauth://hotp/VIP%20Access:FT1263782685?secret=KXVJPCQHMKLRP5FOPBW43OTV2424CXVY&digits=6&algorithm=SHA1&issuer=Symantec&counter=2
This credential expires on this date: 2023-03-29T18:00:44.119Z
You will need the ID to register this credential: FT1263782685
```
The prefix comes from Symantec's list of prefixes that are listed as 'event based' - prefixes like UBHE also work.
Remember to note down the ID - FT1263782685 in the example above - as you'll need it to make use of your new credential.
The Yubikey's keyboard emulation has two 'slots'. Slot 1 is triggered by a short press and comes factory-configured for Yubico OTP. Slot 2 is triggered by a long press and is empty from the factory; below, we confirm slot 2 is empty and load our credential into that slot. If a slot isn't empty, don't overwrite it unless you're happy to lose whatever credential is in that slot.
```
$ ykman otp info
Slot 1: programmed
Slot 2: empty
$ read -p "Enter the secret: " hotpsecret
Enter the secret: KXVJPCQHMKLRP5FOPBW43OTV2424CXVY
$ ykman otp --counter 2 hotp 2 "$hotpsecret"
Program a HOTP credential in slot 2? [y/N]: y
$ unset hotpsecret
```

You can use `ykman-gui` to do the same thing with a GUI, if you prefer.
Now when you long-press (short press if you used slot 1) your Yubikey will emulate a keyboard entering a 6-digit code.
Test your token at Symantec's website to confirm you've set it up right.