TOTP with Symantec VIP Access?
Comments
-
Hi @BishBrian,
Symantec are using a form of one-time password which, at heart, may be compatible with TOTP as defined in RFC 6238, but it's wrapped up in a different way. The way TOTP works when you use sites like Google or Dropbox is they generate the secret and communicate it to you. You record the secret in a compatible app and then it works as you are already familiar with. The way Symantec's solution seems to work is they generate a secret for you on their server and this is tied to your Credential ID. You then register on the site you wish to use Symantec's service with, and I'm guessing that results in communication between Symantec and the service. So it looks like they're offshoring the 2FA to Symantec and relying on them to validate on their behalf.
If I'm correct, we won't be compatible with Symantec. Even if they are following RFC 6238, we would need the secret to be visible. It will be stored in the app and on Symantec's server, but it doesn't seem to be readily accessible to the user. Sorry about that.
0 -
Makes sense. What's weird is that 1Password and their VIP app don't even stay in time sync. The VIP app appears to restart at 30 seconds every time I return to the app. I'm not sure how that could work.
Anyway, thanks for the response!
0 -
Hi @BishBrian,
I didn't notice that oddity before, probably because I didn't spend a lot of time in their app. I have no idea how that aspect works, and it does it even if it can't access the internet, too. That's just another reason why the two systems probably won't be compatible, as TOTP works in 30-second blocks, something I suspect you already know given your own surprise at how their app works.
0
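An added illustration, not part of the original thread and not 1Password's or Symantec's code: a minimal RFC 6238 TOTP in Python showing the two points raised above, that a client needs the shared secret itself and that codes change on 30-second boundaries of Unix time rather than on a timer started when the app opens. The secret is the published RFC 6238 test key; the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # RFC 6238 default time step, in seconds

def decode_base32_secret(text: str) -> bytes:
    """Decode the Base32 secret a site shows at enrolment (spaces and case ignored)."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore any stripped padding
    return base64.b32decode(cleaned)

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: float, digits: int = 6) -> str:
    """RFC 6238 TOTP: the HOTP counter is the number of whole steps since the epoch."""
    return hotp(secret, int(unix_time) // STEP, digits)

def seconds_remaining(unix_time: float) -> int:
    """Seconds until the current code expires, derived only from the clock."""
    return STEP - int(unix_time) % STEP

# RFC 6238 Appendix B test key (ASCII "12345678901234567890"), Base32-encoded.
RFC_TEST_SECRET = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"

if __name__ == "__main__":
    key = decode_base32_secret(RFC_TEST_SECRET)
    # Two independent clients holding the same key agree at the same instant,
    # and both count down to the same boundary.
    for t in (59, 60, 89, 90):
        print(t, totp(key, t), f"{seconds_remaining(t)}s left")
```

Without the Base32 secret as input there is nothing to feed `totp`, and a countdown that always begins at 30 cannot come from `seconds_remaining`, which depends only on the clock.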