I'm most accustomed to using Google Authenticator / FreeOTP for my 2FA needs. This system allows me to have separate TOTP streams for each site and allows me to backup my seeds (by printing the QR codes used to set them up).
However, I've encountered a few systems that support only Symantec's "VIP Access" program. This software seems to generate a single secret, then I register the "credential ID" with other systems to allow them to recognize my TOTP stream. I'm not sure how the crypto works, but if I use Symantec VIP Access for both SiteA and SiteB, doesn't this effectively give SiteA TOTP tokens that it can use to impersonate me on SiteB? Also, Symantec doesn't support any way to backup its secret -- their documented work-around for a lost, broken, or replaced smartphone is to contact technical support at for each system with which I've registered my "credential ID".
Is this analysis of Symantec VIP Access correct? If so, do I have any better alternatives than (futilely) asking administrators of systems that use Symantec VIP Access to switch to something that doesn't suck?