
Secure E-Trade account with Symantec VIP on Yubikey

E-Trade and others use Symantec VIP for their most secure (hardware) multi-factor authentication methods. I’ll show how to use a Yubikey to generate 6-digit codes identical to those of Symantec VIP hardware. Yubikey OTP is not supported by E-Trade. Here we use the Yubikey’s second key slot (long press) to store the Symantec VIP secret used to generate the 6-digit codes. The Yubikey OTP key in the first key slot (short press) is not modified.

Motivation

I already own a Yubikey 5c and didn’t want to purchase a Symantec hardware key (additional costs, delays, and only available in USB A).

Install Software

  1. Don’t overthink the installs. Reading the instructions usually isn’t necessary; just install the correct software for your operating system
  2. Download the code to your computer
# if you have git installed, run git clone in the terminal
git clone https://github.com/dlenski/python-vipaccess.git

# else open this link in internet browser to download zip.  Unzip files
https://github.com/dlenski/python-vipaccess/archive/master.zip

Provision Symantec VIP secret

Using Docker makes this easy. Open a terminal window and navigate to the python-vipaccess directory. Run the following commands to provision a secret:

# Build the python-vipaccess Docker image
docker build . -t python-vipaccess

# Run the python-vipaccess Docker image to provision an FT12 (hardware) type secret
docker run python-vipaccess provision -p -t FT12

The VIP Credential Id and VIP Secret are in the otpauth line of the output. The id is FT0123456789 and the secret is EVX5G4UZ2DPC7SCUIQSA7VQBX4BFQMCG

otpauth://hotp/VIP%20Access:FT0123456789?secret=EVX5G4UZ2DPC7SCUIQSA7VQBX4BFQMCG&digits=6&algorithm=SHA1&image=https%3A%2F%2Fraw.githubusercontent.com%2Fdlenski%2Fpython-vipaccess%2Fmaster%2Fvipaccess.png&counter=1

Add Symantec VIP secret to Yubikey

  1. Insert the Yubikey
  2. Open Yubikey Manager, the Yubikey should be automatically detected
  3. Navigate to Applications > OTP
  4. Click Configure for Long Touch (Slot 2)
  5. Select OATH-HOTP as the credential type and click Next
  6. Copy the VIP secret from earlier (EVX5G4UZ2DPC7SCUIQSA7VQBX4BFQMCG) to the Secret key field. Keep the default of 6 for Digits. Click Finish to save the key to the Yubikey
  7. Test the key at vip.symantec.com. Remember to Long Touch the Yubikey in order to use the second slot. (Note: the Symantec website only worked on my mobile devices)
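An added example (not part of the original post or of python-vipaccess): a local check, run before the secret is deleted from the computer, that the code typed by a long touch really derives from the provisioned secret. The HOTP computation follows RFC 4226; the function names, the 20-counter search window, and the shortened copy of the otpauth line are assumptions of this example.

```python
import base64, hashlib, hmac, struct
from urllib.parse import parse_qs, unquote, urlparse

# otpauth line from the provisioning output above (image parameter omitted).
PAGE_URI = ("otpauth://hotp/VIP%20Access:FT0123456789"
            "?secret=EVX5G4UZ2DPC7SCUIQSA7VQBX4BFQMCG&digits=6&algorithm=SHA1&counter=1")

def parse_otpauth(uri):
    """Extract credential id, secret, digits and counter from an otpauth://hotp URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "hotp":
        raise ValueError("expected an otpauth://hotp/ URI")
    q = parse_qs(u.query)
    if q.get("algorithm", ["SHA1"])[0].upper() != "SHA1":
        raise ValueError("this check only implements HMAC-SHA1")
    label = unquote(u.path.lstrip("/"))  # "VIP Access:FT0123456789"
    return {"credential_id": label.rsplit(":", 1)[-1],
            "secret": q["secret"][0],
            "digits": int(q.get("digits", ["6"])[0]),
            "counter": int(q.get("counter", ["0"])[0])}

def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))  # tolerate unpadded base32
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def find_counter(secret_b32, code, start=0, window=20, digits=6):
    """Return the counter in [start, start + window) that yields `code`, or None."""
    for counter in range(start, start + window):
        if hmac.compare_digest(hotp(secret_b32, counter, digits), code):
            return counter
    return None

if __name__ == "__main__":
    cred = parse_otpauth(PAGE_URI)
    typed = input("Long touch the Yubikey here: ").strip()
    match = find_counter(cred["secret"], typed, digits=cred["digits"])
    if match is None:
        print("No match in window; re-check the secret stored in slot 2")
    else:
        print(f"{cred['credential_id']}: code matches counter {match}")
```

Each long touch advances the counter on the Yubikey, so touches spent on this check are also consumed from the server's point of view.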

Register Yubikey with E-Trade

  1. Log in to E-Trade, and navigate to Profile/Security Settings
  2. Click Manage two-factor authentication
  3. Click the text No mobile device? Add a hardware token.
  4. Enter the Credential Id (example FT0123456789) in the Serial number field. Select the Personal access code field and Long Touch the Yubikey to generate a 6-digit code. (Optional) Enter a nickname for each unique Yubikey. Click Add authenticator
  5. Congrats! Click Done on the confirmation

Managing Devices in E-Trade

Follow steps 1 & 2 under the previous section Register Yubikey with E-Trade to view your registered MFA devices.

Logging into E-Trade

I highly suggest you test logging in with the new key immediately! Contact E-Trade support with any issues!

Closing Advice

It is best practice to generate two Symantec VIP keys and load them onto separate Yubikeys. Register both Yubikeys with E-Trade and store one in a safe location. Delete all traces of the secret from the computer. The Yubikey should possess the only copy of the secret for true hardware-level security.

This post is licensed under CC BY 4.0 by the author.