python-vipaccess: Not working on PayPal?

I used python vipaccess\cli.py provision -p -t VSMT to generate a credential VSMT917***** and added it to Authy on my phone. That worked fine. However, when I try to add it to my PayPal account, I get this error message after entering the serial number and two codes:

Any ideas?

About this issue

  • State: closed
  • Created 7 years ago
  • Comments: 20 (9 by maintainers)

Most upvoted comments

Thank you very much, @aitte2. As you wrote, PayPal has made it quite difficult to find the option to add a new Symantec VIP Access token.

@dlenski I set up my VIPAccess key yesterday and I can see the problem. You have the wrong URL.

I like writing instructions for myself and friends. Here is what I wrote down:

About PayPal’s 2-Factor Authentication:

They don’t have direct support for things like Google Authenticator. But they have indirect support for it!

“Symantec VIP (VeriSign Identity Protection) Access” (now owned by Symantec but previously by VeriSign) uses the completely open TOTP standard for generating its 6-digit codes. The only proprietary part is the provisioning used for registering a new authenticator (which needs to contact the Symantec server to register the “token device id”). That part of the protocol has luckily been reverse-engineered, which means that there’s no need to use their clunky, official Symantec apps.

  1. First install the reverse-engineered library, https://github.com/dlenski/python-vipaccess (it’s a fork which is maintained, unlike the original). Read its installation instructions for a “manual build/install”. It’s really just these commands:

     git clone https://github.com/dlenski/python-vipaccess.git
     cd python-vipaccess
     sudo pip3 install .

  2. Now create your “Security Key” by running the following command, which will register a token on the Symantec VIP Access server and output the final “otpauth” URL etc.:

     vipaccess provision -p -t VSMT

  3. Save the otpauth URL, the expiry date, and the ID (which is the ID of the fake Symantec “device token” it generated). Put the otpauth URL in your OTP generator (I love 1Password!) so that you can start making tokens.

  4. Go to https://www.paypal.com/webscr?cmd=_setup-security-key and click on the “Activate Security Key” choice.

  5. Enter the generated token ID as the “Serial Number” and enter two consecutive 30-second codes.

  6. From now on, every login at PayPal will require a single 2-factor code.

  7. If you ever need to recover your account later, you can use the secret questions or receive a phone call at your registered number.

It might be worth trying again with VSST instead of VSMT…?

I tried both 😢

Are you 100% sure that your system clock is perfectly synced?

Yeah… I tested on both my phone (via the Authy app) and my computer (via the Authy Chrome extension), and other sites that use two-factor auth are fine. I don’t know of any other sites that use VeriSign VIP Access though, so I’m not sure how to test it specifically.
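
As an added illustration of the "serial number plus two consecutive 30-second codes" step and the clock-sync question in this thread (not code from python-vipaccess or from any commenter): a standard-library RFC 6238 sketch that reads an otpauth URL, returns the two codes an enrolment form would expect, and reports how many 30-second steps a given code is from the local clock. The sample URL, its serial, and the function names are constructed for the example.

```python
import base64, hashlib, hmac, struct, time
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample URL (not a real credential): the RFC 4226 test secret
# "12345678901234567890" in base32, labelled with a made-up VSMT serial.
SAMPLE_URL = ("otpauth://totp/VIP%20Access:VSMT00000000"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&digits=6&period=30")

def parse_otpauth(url):
    """Return (label, key bytes, digits, period) from an otpauth://totp URL."""
    u = urlparse(url)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth TOTP URL")
    q = parse_qs(u.query)
    if q.get("algorithm", ["SHA1"])[0].upper() != "SHA1":
        raise ValueError("this sketch only handles HMAC-SHA1")
    secret = q["secret"][0].replace(" ", "").upper()
    secret += "=" * (-len(secret) % 8)  # restore stripped base32 padding
    return (unquote(u.path.lstrip("/")), base64.b32decode(secret),
            int(q.get("digits", ["6"])[0]), int(q.get("period", ["30"])[0]))

def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(val % 10 ** digits).zfill(digits)

def consecutive_codes(url, now=None):
    """The code for the current time step and the one for the next step."""
    _, key, digits, period = parse_otpauth(url)
    step = int(time.time() if now is None else now) // period
    return hotp(key, step, digits), hotp(key, step + 1, digits)

def step_offset(url, code, now=None, window=2):
    """Steps between `code` and the local clock (0 = in sync), else None."""
    _, key, digits, period = parse_otpauth(url)
    step = int(time.time() if now is None else now) // period
    for d in sorted(range(-window, window + 1), key=abs):  # 0, -1, 1, -2, 2
        if step + d >= 0 and hmac.compare_digest(hotp(key, step + d, digits), code):
            return d  # +1/-1: generator is one period ahead/behind this clock
    return None

if __name__ == "__main__":
    print("codes at t=59:", consecutive_codes(SAMPLE_URL, now=59))
    print("offset of 359152 at t=59:", step_offset(SAMPLE_URL, "359152", now=59))
```

A non-zero offset for a code just read off the phone means the two clocks disagree by roughly that many 30-second periods.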