3

I'm most accustomed to using Google Authenticator / FreeOTP for my 2FA needs. This system allows me to have separate TOTP streams for each site and allows me to back up my seeds (by printing the QR codes used to set them up).

However, I've encountered a few systems that support only Symantec's "VIP Access" program. This software seems to generate a single secret, then I register the "credential ID" with other systems to allow them to recognize my TOTP stream. I'm not sure how the crypto works, but if I use Symantec VIP Access for both SiteA and SiteB, doesn't this effectively give SiteA TOTP tokens that it can use to impersonate me on SiteB? Also, Symantec doesn't support any way to back up its secret -- their documented work-around for a lost, broken, or replaced smartphone is to contact technical support for each system with which I've registered my "credential ID".

Is this analysis of Symantec VIP Access correct? If so, do I have any better alternatives than (futilely) asking administrators of systems that use Symantec VIP Access to switch to something that doesn't suck?

user3553031
  • 143
  • 1
  • 7

2 Answers

3

if I use Symantec VIP Access for both SiteA and SiteB, doesn't this effectively give SiteA TOTP tokens that it can use to impersonate me on SiteB?

Yes. 2FA does not necessarily fully negate the risks of password reuse. I doubt Symantec would allow the same code to be used twice (the system requires the service to send the code to Symantec for validation) - but a malicious service could easily enough not validate you with Symantec themselves.

It is worth noting sites can optionally integrate push-based notification (where the app asks Symantec to ask your phone to generate a token for it) or QR-based authentication (where a QR code is presented which your phone uses when generating the token). Both of these would remove that risk.

Symantec doesn't support any way to back up its secret -- their documented work-around for a lost, broken, or replaced smartphone is to contact technical support for each system with which I've registered my "credential ID".

This appears to be by design. I'd agree it's a poor decision. However, from a security / marketing perspective it's arguably better - if someone steals your phone you'll probably notice, if someone cloned your token you might not.

do I have any better alternatives than (futilely) asking administrators of systems that use Symantec VIP Access to switch to something that doesn't suck?

The only other option is to complain to Symantec. Although I'd argue complaining to their customers is likely to have a bigger impact.

Hector
  • 10,893
  • 3
  • 41
  • 44
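The risk this answer confirms can be shown concretely with a standard RFC 6238 TOTP implementation. The following is an added example, not code from the question or answers and not Symantec's: it computes codes for one seed shared by two relying parties versus a seed per site, and models once-only central validation as the answer describes it. All seeds, the credential ID and the timestamp are constructed values.

```python
import hashlib, hmac, struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)

def site_accepts(site_seed: bytes, code: str, unix_time: int) -> bool:
    # A relying party that checks codes locally against the seed it holds.
    return hmac.compare_digest(totp(site_seed, unix_time), code)

class CentralValidator:
    """Model (an assumption, not Symantec's real service) of central validation:
    each credential's code is accepted at most once per 30-second window."""
    def __init__(self):
        self._spent = set()
    def validate(self, cred_id: str, secret: bytes, code: str, unix_time: int) -> bool:
        if not hmac.compare_digest(totp(secret, unix_time), code):
            return False
        key = (cred_id, unix_time // 30)
        if key in self._spent:
            return False  # replay: this window's code was already spent (e.g. by another site)
        self._spent.add(key)
        return True

# Constructed sample seeds and credential ID; none of these are real.
SHARED_SEED = b"constructed-single-vip-credential-seed"
SITE_A_SEED = b"constructed-per-site-seed-for-site-a"
SITE_B_SEED = b"constructed-per-site-seed-for-site-b"
CRED_ID = "constructed-credential-id"
T = 1_700_000_000  # fixed timestamp so the demo is deterministic

def shared_seed_site_a_code_works_at_site_b() -> bool:
    # One credential for both sites: the code typed at SiteA is equally valid at SiteB.
    return site_accepts(SHARED_SEED, totp(SHARED_SEED, T), T)

def per_site_seed_site_a_code_works_at_site_b() -> bool:
    # Separate seeds per site (the Google Authenticator model): SiteA's code is useless at SiteB.
    return site_accepts(SITE_B_SEED, totp(SITE_A_SEED, T), T)

def central_validation_results() -> tuple:
    # Once-only central validation: SiteA's honest check spends the code, so a reuse at SiteB fails.
    v, code = CentralValidator(), totp(SHARED_SEED, T)
    return v.validate(CRED_ID, SHARED_SEED, code, T), v.validate(CRED_ID, SHARED_SEED, code, T)
```

The central validator only helps when every site actually submits the code for validation; a site that skips that step, as the answer notes, still holds a code usable elsewhere within the same window.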
0

To answer one detail of your question, there exist some tools to create a QR code for a Symantec VIP ID, and thus you can use Symantec VIP Access with QR-code apps like Authy or Google Authenticator.

T.Todua
  • 2,677
  • 4
  • 19
  • 28