Using 1Password as a 2FA authenticator

Matty279
edited January 13 in Memberships

I have used 1Password for years and have only just discovered the incredibly handy ability to generate and auto-populate one-time passwords. I have successfully set this up with logins requiring a one-time password generated in Google Authenticator. Does this also work with Microsoft Authenticator, Symantec VIP Access and Defender Soft Token applications? If so, how can I generate a QR code to import into a 1Password login?


1Password Version: 7.6.785
Extension Version: 7.6.785
OS Version: Windows 10 Pro 64 bit
Sync Type: Dropbox

Comments

  • ag_tommy

    Team Member

    @Matty279

    I am not familiar with some of the types you mentioned. I would encourage you to reach out to each of the respective types for specific instructions on enabling or setting up two-factor authentication. One thing I know about Microsoft Authenticator is it can support time-based access codes, much like 1Password. That being said, you may be able to move it into 1Password. I would seek their support for specific instructions, as I would not want to give you incorrect information and get you locked out of an account.

  • Microsoft Authenticator holds different types of accounts: some generate a prompt for you to validate and you may want to leave these in Microsoft Authenticator for convenience; others just generate an industry-standard six-digit TOTP code and can be moved to other authenticator apps, including 1Password. The safest option is to revisit the website concerned, turn off 2FA and then turn it on again using 1Password to generate the code. This way you can be sure it works and avoid locking yourself out.
    Symantec VIP Access provisions 2FA tokens in a non-standard way. I've seen online scripts for converting them to a standard TOTP based secret, but you need to trust the website owner not to harvest your credentials. Even Norton and PayPal have moved away from VIP Access and now support standard authenticator apps, so you may not need it any longer.

  • ag_ana

    Team Member

    Thank you for sharing your experience with us @missingbits :+1: Switching the 2FA method to TOTP is indeed the right option if you want to keep using 1Password as your authenticator.

  • XIII
    edited January 19

    Even Norton and PayPal have moved away from VIP Access and now support standard authenticator apps, so you may not need it any longer.

    Thank you for mentioning this @missingbits!

    I was using VIP Access (converted to TOTP on my own machine, not online), but now I can use regular TOTP :)

  • edited January 19

    @XIII glad I could help!

  • ag_tommy

    Team Member

    I love it when the community comes together and can share experiences, tips, and tricks. Thank you, everyone, for joining in.

  • Hey @XIII and @missingbits,
    I assume you're using the Python VIP script.
    Regarding the expiry date, do you know if the credentials truly become invalid on the Symantec server after that date?

    The Symantec process, although inconvenient, I would think, may have a security margin over "standard" TOTP in that the TOTP secret is stored on their server, separate from the service where your (hopefully, properly hashed) password is stored.

    Thanks.

  • @1pwuser31547 I didn't know enough about how the Symantec VIP tokens work to understand the risks of converting them using the Python script. So I used the VIP app until PayPal and Norton did away with them and started supporting standard TOTP apps.

    I guess the way it works is that the service provider records your Symantec VIP token credential ID and presents this to Symantec's server with the 6 digit code you provide at login. Symantec's server then responds with an indication of whether the code was correct for that credential ID. So the secret is stored by Symantec rather than the service provider.

    It seems the Python script registers a VIP token on Symantec's servers with a secret that would generate the same 6 digit code in a standard TOTP app. This implies that Symantec is managing the VIP token as if it were one they had provisioned. So my guess is that the expiry date will be enforced and the person who did the reverse engineering thought it would be.

    https://www.cyrozap.com/2014/09/29/reversing-the-symantec-vip-access-provisioning-protocol/

  • @missingbits,

    The updated script is here if you're interested. It's been forked by another author.
    https://github.com/dlenski/python-vipaccess

    The script appears to connect with the Symantec server and receive a VIP credential from it. You can test the VIP credential on the Symantec site https://vip.symantec.com and see that the credential is valid (in sync).

    It appears that this is the same process that occurs when you download the Symantec app on your device but I did not know that there is/might be an expiry date.
    For example, a very old VIP credential (official app) on one of my previous devices that I no longer use is still in sync with the Symantec server.

    Thanks

  • I have used a Python script in the past, but I’m using PayPal’s own TOTP now.
