Using Symantec VIP Access at Fidelity

AAA
Posts: 1825
Joined: Sat Jan 12, 2008 7:56 am

Using Symantec VIP Access at Fidelity

Post by AAA »

So I've been using this for several years and wanted to know if the version I have, 1.0.4, is current. The app itself doesn't have an update option. In its Help menu there is an FAQ option but my browser says it can't find the server. Digging into this, it appears that Broadcom acquired Symantec and is now NortonLifeLock. I went to Fidelity's website and it still talks about VIP Access. I clicked on the download button just to find out if it would tell me a current version number but the download page doesn't load.

I used VIP Access today with Fidelity so it's still working. I just wanted to stay up-to-date to avoid any possible future issues but there's no information readily available about this app.

Anyone know what the situation is?
BuddyJet
Posts: 1060
Joined: Mon Jun 24, 2019 8:56 pm

Re: Using Symantec VIP Access at Fidelity

Post by BuddyJet »

My app shows as Symantec VIP Access for Android version 4.2.0. No lifelock wording. Are you on Apple?
People say nothing is impossible. I do nothing all day.
investor4life
Posts: 513
Joined: Fri Oct 08, 2010 9:45 am

Re: Using Symantec VIP Access at Fidelity

Post by investor4life »

I have version 4.3.3 of Symantec VIP on iOS.

Fidelity also has another way of doing MFA using text messaging. It is not as secure as an app-based approach and I am not sure why it is even offered.
JayB
Posts: 553
Joined: Sat May 28, 2022 9:57 am

Re: Using Symantec VIP Access at Fidelity

Post by JayB »

On my Windows 10 machine, I have Version 2.2.4.44. When I clicked on "check for updates," it said that there were none available. On my Android phone, I have Version 4.2.0 and there are no updates to this available on the Google Play Store.
AAA
Posts: 1825
Joined: Sat Jan 12, 2008 7:56 am

Re: Using Symantec VIP Access at Fidelity

Post by AAA »

I should have mentioned that I'm using the app on an Apple laptop.
MrJedi
Posts: 3530
Joined: Wed May 06, 2020 11:42 am

Re: Using Symantec VIP Access at Fidelity

Post by MrJedi »

Symantec VIP is just a wrapped form of TOTP codes (like QR code authenticators). Once it's established, there are no updates needed. The codes are generated based on time and a standardized algorithm that will never change.
AAA
Posts: 1825
Joined: Sat Jan 12, 2008 7:56 am

Re: Using Symantec VIP Access at Fidelity

Post by AAA »

MrJedi wrote: Tue Nov 14, 2023 5:26 pm Symantec VIP is just a wrapped form of TOTP codes (like QR code authenticators). Once it's established, there are no updates needed.
That's reassuring. Thanks.
gavinsiu
Posts: 3608
Joined: Sun Nov 14, 2021 11:42 am

Re: Using Symantec VIP Access at Fidelity

Post by gavinsiu »

I am using version 4.3.3 on iOS. I am doubtful that it needs to be updated often since it's just a TOTP app.
Northern Flicker
Posts: 14605
Joined: Fri Apr 10, 2015 12:29 am

Re: Using Symantec VIP Access at Fidelity

Post by Northern Flicker »

There could be a future beneficial update, such as support for requiring a fingerprint to open the app, which seems to be lacking. Fidelity has announced that they will support the open TOTP standard and FIDO2 with Yubikeys soon in any case.
JohnSlackII
Posts: 116
Joined: Mon Oct 09, 2023 9:08 am

Re: Using Symantec VIP Access at Fidelity

Post by JohnSlackII »

Northern Flicker wrote: Wed Nov 15, 2023 12:31 pm Fidelity has announced that they will support the open TOTP standard and FIDO2 with Yubikeys soon in any case.
Can you post a link to that announcement? I can't find anything in a quick Google search. Thanks.
Northern Flicker
Posts: 14605
Joined: Fri Apr 10, 2015 12:29 am

Re: Using Symantec VIP Access at Fidelity

Post by Northern Flicker »

Login to fidelity.com and you should be able to find info, or call Fidelity.
yolointopants
Posts: 147
Joined: Wed Jun 29, 2022 8:08 am

Re: Using Symantec VIP Access at Fidelity

Post by yolointopants »

Northern Flicker wrote: Thu Nov 16, 2023 2:46 pm Login to fidelity.com and you should be able to find info, or call Fidelity.
Not seeing anything on Fidelity.com. I'm looking at all the options here (https://www.fidelity.com/security/extra-security-login) and finding no mention of anything except SMS/Phone and VIP. Is there another link or location to check?
Northern Flicker
Posts: 14605
Joined: Fri Apr 10, 2015 12:29 am

Re: Using Symantec VIP Access at Fidelity

Post by Northern Flicker »

I believe they may have had a login message about it in the past. Here is a past thread that mentioned it:

viewtopic.php?t=402749
JohnSlackII
Posts: 116
Joined: Mon Oct 09, 2023 9:08 am

Re: Using Symantec VIP Access at Fidelity

Post by JohnSlackII »

Northern Flicker wrote: Sat Nov 18, 2023 2:46 am I believe they may have had a login message about it in the past. Here is a past thread that mentioned it:

viewtopic.php?t=402749
That’s a random statement from a random Fidelity employee. Certainly not a Fidelity announcement.

I can’t find any other discussion online about this. Actually that bogleheads thread was the #2 result for one of my searches.
ikowik
Posts: 383
Joined: Tue Dec 23, 2014 5:52 pm

Re: Using Symantec VIP Access at Fidelity

Post by ikowik »

I remember seeing a statement on the log in page that new security measures are coming, without specifying anything further. This was 3-4 months ago.
Then the message disappeared. Not sure why, but that coincided with a few weeks when Fidelity online services had several outages. Maybe the proposed changes crashed the site and were withdrawn?

I do not remember any specific mention of Fido2.
Northern Flicker
Posts: 14605
Joined: Fri Apr 10, 2015 12:29 am

Re: Using Symantec VIP Access at Fidelity

Post by Northern Flicker »

JohnSlackII wrote: Sat Nov 18, 2023 5:42 am
Northern Flicker wrote: Sat Nov 18, 2023 2:46 am I believe they may have had a login message about it in the past. Here is a past thread that mentioned it:

viewtopic.php?t=402749
That’s a random statement from a random Fidelity employee. Certainly not a Fidelity announcement.

I can’t find any other discussion online about this. Actually that bogleheads thread was the #2 result for one of my searches.
That's why I suggested calling Fidelity to ask. They, not we, have the info.
StewedCarrot
Posts: 253
Joined: Sun Feb 09, 2020 12:34 pm

Re: Using Symantec VIP Access at Fidelity

Post by StewedCarrot »

investor4life wrote: Tue Nov 14, 2023 4:06 pm I have version 4.3.3 of Symantec VIP on iOS.

Fidelity also has another way of doing MFA using text messaging. It is not as secure as an app-based approach and I am not sure why it is even offered.
I don't trust Symantec any more than SMS and will not use their TOTP generator.

It baffles me that Fidelity still does not support hardware keys in 2023.
beyou
Posts: 6284
Joined: Sat Feb 27, 2010 2:57 pm
Location: If you can make it there

Re: Using Symantec VIP Access at Fidelity

Post by beyou »

StewedCarrot wrote: Sat Nov 18, 2023 1:32 pm
investor4life wrote: Tue Nov 14, 2023 4:06 pm I have version 4.3.3 of Symantec VIP on iOS.

Fidelity also has another way of doing MFA using text messaging. It is not as secure as an app-based approach and I am not sure why it is even offered.
I don't trust Symantec any more than SMS and will not use their TOTP generator.

It baffles me that Fidelity still does not support hardware keys in 2023.
Vanguard allows hardware key but most don't choose to use it.
I wish Vanguard allowed TOTP, I used Symantec with Etrade for years.
Are you saying somehow Symantec's implementation of TOTP is worse than Google, Microsoft and the many others? If so why?
I found it stable and reliable over many years with Etrade.
Northern Flicker
Posts: 14605
Joined: Fri Apr 10, 2015 12:29 am

Re: Using Symantec VIP Access at Fidelity

Post by Northern Flicker »

StewedCarrot wrote: Sat Nov 18, 2023 1:32 pm
investor4life wrote: Tue Nov 14, 2023 4:06 pm I have version 4.3.3 of Symantec VIP on iOS.

Fidelity also has another way of doing MFA using text messaging. It is not as secure as an app-based approach and I am not sure why it is even offered.
I don't trust Symantec any more than SMS.
Why not?
Northern Flicker
Posts: 14605
Joined: Fri Apr 10, 2015 12:29 am

Re: Using Symantec VIP Access at Fidelity

Post by Northern Flicker »

beyou wrote: Sun Nov 19, 2023 9:37 am
StewedCarrot wrote: Sat Nov 18, 2023 1:32 pm
investor4life wrote: Tue Nov 14, 2023 4:06 pm I have version 4.3.3 of Symantec VIP on iOS.

Fidelity also has another way of doing MFA using text messaging. It is not as secure as an app-based approach and I am not sure why it is even offered.
I don't trust Symantec any more than SMS and will not use their TOTP generator.

It baffles me that Fidelity still does not support hardware keys in 2023.
Vanguard allows hardware key but most don't choose to use it.
I wish Vanguard allowed TOTP, I used Symantec with Etrade for years.
Are you saying somehow Symantec's implementation of TOTP is worse than Google, Microsoft and the many others ? If so why ?
I found it stable and reliable over many years with Etrade.
The Symantec app on a phone should require a fingerprint to open. And I think Fidelity should not authenticate password resets with TOTP codes.
SteveInNJ
Posts: 60
Joined: Tue Dec 11, 2018 10:44 am

Re: Using Symantec VIP Access at Fidelity

Post by SteveInNJ »

beyou wrote: Sun Nov 19, 2023 9:37 am
StewedCarrot wrote: Sat Nov 18, 2023 1:32 pm
investor4life wrote: Tue Nov 14, 2023 4:06 pm I have version 4.3.3 of Symantec VIP on iOS.

Fidelity also has another way of doing MFA using text messaging. It is not as secure as an app-based approach and I am not sure why it is even offered.
I don't trust Symantec any more than SMS and will not use their TOTP generator.

It baffles me that Fidelity still does not support hardware keys in 2023.
Vanguard allows hardware key but most don't choose to use it.
I wish Vanguard allowed TOTP, I used Symantec with Etrade for years.
Are you saying somehow Symantec's implementation of TOTP is worse than Google, Microsoft and the many others ? If so why ?
I found it stable and reliable over many years with Etrade.
I refused to set up yet another app for OTP when I went to ETrade and had to use Symantec's VIP. I found this and it worked flawlessly:

https://github.com/dlenski/python-vipaccess
Northern Flicker
Posts: 14605
Joined: Fri Apr 10, 2015 12:29 am

Re: Using Symantec VIP Access at Fidelity

Post by Northern Flicker »

It will work, but means following a procedure not supported or vetted by the service provider. Relative to the quite trivial inconvenience of having a 2nd TOTP app for Symantec, it does not seem to be worth the risk if there is a breach, and the provider challenges the procedures you are using.
typical.investor
Posts: 4931
Joined: Mon Jun 11, 2018 3:17 am

Re: Using Symantec VIP Access at Fidelity

Post by typical.investor »

SteveInNJ wrote: Sun Nov 19, 2023 2:08 pm
beyou wrote: Sun Nov 19, 2023 9:37 am
StewedCarrot wrote: Sat Nov 18, 2023 1:32 pm
investor4life wrote: Tue Nov 14, 2023 4:06 pm I have version 4.3.3 of Symantec VIP on iOS.

Fidelity also has another way of doing MFA using text messaging. It is not as secure as an app-based approach and I am not sure why it is even offered.
I don't trust Symantec any more than SMS and will not use their TOTP generator.

It baffles me that Fidelity still does not support hardware keys in 2023.
Vanguard allows hardware key but most don't choose to use it.
I wish Vanguard allowed TOTP, I used Symantec with Etrade for years.
Are you saying somehow Symantec's implementation of TOTP is worse than Google, Microsoft and the many others ? If so why ?
I found it stable and reliable over many years with Etrade.
I refused to set up yet another app for OTP when I went to ETrade and had to use Symantec's VIP. I found this and it worked flawlessly:

https://github.com/dlenski/python-vipaccess
From their notes:

As of May 17, 2020, python-vipaccess stopped working for provisioning new Symantec VIP Access tokens (which was its raison d'être).
As of May 27, 2020, it's working again.
It might stop working again. and we might not be able to get it to work again (see #39)
midwest_bound
Posts: 81
Joined: Thu Oct 13, 2022 1:46 pm

Re: Using Symantec VIP Access at Fidelity

Post by midwest_bound »

typical.investor wrote: Sun Nov 19, 2023 4:47 pm
SteveInNJ wrote: Sun Nov 19, 2023 2:08 pm
beyou wrote: Sun Nov 19, 2023 9:37 am
StewedCarrot wrote: Sat Nov 18, 2023 1:32 pm
investor4life wrote: Tue Nov 14, 2023 4:06 pm I have version 4.3.3 of Symantec VIP on iOS.

Fidelity also has another way of doing MFA using text messaging. It is not as secure as an app-based approach and I am not sure why it is even offered.
I don't trust Symantec any more than SMS and will not use their TOTP generator.

It baffles me that Fidelity still does not support hardware keys in 2023.
Vanguard allows hardware key but most don't choose to use it.
I wish Vanguard allowed TOTP, I used Symantec with Etrade for years.
Are you saying somehow Symantec's implementation of TOTP is worse than Google, Microsoft and the many others ? If so why ?
I found it stable and reliable over many years with Etrade.
I refused to set up yet another app for OTP when I went to ETrade and had to use Symantec's VIP. I found this and it worked flawlessly:

https://github.com/dlenski/python-vipaccess
From their notes:

As of May 17, 2020, python-vipaccess stopped working for provisioning new Symantec VIP Access tokens (which was its raison d'être).
As of May 27, 2020, it's working again.
It might stop working again. and we might not be able to get it to work again (see #39)
The big thing to note here is that it briefly didn’t work for *new* tokens. It’s inconceivable that it will ever quit working for old codes because the algorithm for generating is static and will not change.
SteveInNJ
Posts: 60
Joined: Tue Dec 11, 2018 10:44 am

Re: Using Symantec VIP Access at Fidelity

Post by SteveInNJ »

midwest_bound wrote: Sun Nov 19, 2023 4:53 pm
typical.investor wrote: Sun Nov 19, 2023 4:47 pm
SteveInNJ wrote: Sun Nov 19, 2023 2:08 pm
beyou wrote: Sun Nov 19, 2023 9:37 am
StewedCarrot wrote: Sat Nov 18, 2023 1:32 pm

I don't trust Symantec any more than SMS and will not use their TOTP generator.

It baffles me that Fidelity still does not support hardware keys in 2023.
Vanguard allows hardware key but most don't choose to use it.
I wish Vanguard allowed TOTP, I used Symantec with Etrade for years.
Are you saying somehow Symantec's implementation of TOTP is worse than Google, Microsoft and the many others ? If so why ?
I found it stable and reliable over many years with Etrade.
I refused to set up yet another app for OTP when I went to ETrade and had to use Symantec's VIP. I found this and it worked flawlessly:

https://github.com/dlenski/python-vipaccess
From their notes:

As of May 17, 2020, python-vipaccess stopped working for provisioning new Symantec VIP Access tokens (which was its raison d'être).
As of May 27, 2020, it's working again.
It might stop working again. and we might not be able to get it to work again (see #39)
The big thing to note here is that it briefly didn’t work for *new* tokens. It’s inconceivable that it will ever quit working for old codes because the algorithm for generating is static and will not change.
Correct. I generated a TOTP token and stuck it in Authy sometime in 2021 for ETrade. It still works.
midwest_bound
Posts: 81
Joined: Thu Oct 13, 2022 1:46 pm

Re: Using Symantec VIP Access at Fidelity

Post by midwest_bound »

SteveInNJ wrote: Mon Nov 20, 2023 9:47 am
midwest_bound wrote: Sun Nov 19, 2023 4:53 pm
typical.investor wrote: Sun Nov 19, 2023 4:47 pm
SteveInNJ wrote: Sun Nov 19, 2023 2:08 pm
beyou wrote: Sun Nov 19, 2023 9:37 am

Vanguard allows hardware key but most don't choose to use it.
I wish Vanguard allowed TOTP, I used Symantec with Etrade for years.
Are you saying somehow Symantec's implementation of TOTP is worse than Google, Microsoft and the many others ? If so why ?
I found it stable and reliable over many years with Etrade.
I refused to set up yet another app for OTP when I went to ETrade and had to use Symantec's VIP. I found this and it worked flawlessly:

https://github.com/dlenski/python-vipaccess
From their notes:

As of May 17, 2020, python-vipaccess stopped working for provisioning new Symantec VIP Access tokens (which was its raison d'être).
As of May 27, 2020, it's working again.
It might stop working again. and we might not be able to get it to work again (see #39)
The big thing to note here is that it briefly didn’t work for *new* tokens. It’s inconceivable that it will ever quit working for old codes because the algorithm for generating is static and will not change.
Correct. I generated a TOTP token and stuck it in Authy sometime in 2021 for ETrade. It still works.
Same! I am firmly against installing yet another app!
Laundry_Service
Posts: 383
Joined: Wed Sep 15, 2010 11:52 am

Re: Using Symantec VIP Access at Fidelity

Post by Laundry_Service »

I have also been using the VIP converter for years and currently using OTP Auth for my phone and desktop.
dual
Posts: 1351
Joined: Mon Feb 26, 2007 6:02 pm

Re: Using Symantec VIP Access at Fidelity

Post by dual »

Fidelity does support a hardware token. I use it instead of the app on my cell phone. Works great

Here’s a discussion about it on Harry Sit’s “the finance buff”

https://thefinancebuff.com/security-har ... ware-token

Edit. This also works at Schwab and E-trade.
Northern Flicker
Posts: 14605
Joined: Fri Apr 10, 2015 12:29 am

Re: Using Symantec VIP Access at Fidelity

Post by Northern Flicker »

Is the Symantec hard token pin protected? The 2FA token can be used to reset a password, so is a single point of compromise.
dual
Posts: 1351
Joined: Mon Feb 26, 2007 6:02 pm

Re: Using Symantec VIP Access at Fidelity

Post by dual »

Northern Flicker wrote: Tue Nov 21, 2023 4:41 pm Is the Symantec hard token pin protected? The 2FA token can be used to reset a password, so is a single point of compromise.
A criminal would need my username and password and the hardware token. This is three points of compromise?
TheRoundHeadedKid
Posts: 205
Joined: Thu Aug 10, 2023 11:28 pm

Re: Using Symantec VIP Access at Fidelity

Post by TheRoundHeadedKid »

dual wrote: Tue Nov 21, 2023 7:15 pm
Northern Flicker wrote: Tue Nov 21, 2023 4:41 pm Is the Symantec hard token pin protected? The 2FA token can be used to reset a password, so is a single point of compromise.
A criminal would need my username and password and the hardware token. This is three points of compromise?
Actually two. Username and password together are considered single factor authentication.
All 82 Vanguard ETFs equally invested. Each payday, sort their balance in ascending order then buy a share starting from top until out of cash.
volstagg
Posts: 182
Joined: Tue Feb 01, 2022 7:28 am

Re: Using Symantec VIP Access at Fidelity

Post by volstagg »

Northern Flicker wrote: Sun Nov 19, 2023 2:06 pm The Symantec app on a phone should require a fingerprint to open.
I am not sure I see this as a deal breaking weakness, honestly. If my phone is locked and requires biometrics or password to open, the only avenue of attack not having a lock on the Symantec app directly is, if someone steals my phone out of my hand while I am using it then they could get the 2FA code. Which means they would have to be targeting me (know I was a Fidelity customer, know my schedule, already have other personal information on me, etc).

Sure, it would be nice if it had an additional security lock on the app itself, but choosing to not use a TOTP 2FA solution over no 2FA or just SMS 2FA, just because they don't add an additional layer on the app seems a little silly.
And I think Fidelity should not authenticate password resets with TOTP codes.
I am not sure why they shouldn't? They should use every/all information they have on me to verify me.

While I have never called Fidelity to reset my password, I have called to swap Symantec VIP tokens. I switched from using the actual VIP app to using the python method several years ago, Fidelity didn't just trust the VIP code on my phone to make the swap. While they used the code to verify me, they also used their voice verification system, sent a 2nd SMS code to my phone and they used other personal information they had on file about me, all before they would allow the change. I imagine it would be similar for a password reset.
Dottie57
Posts: 12075
Joined: Thu May 19, 2016 5:43 pm
Location: Earth Northern Hemisphere

Re: Using Symantec VIP Access at Fidelity

Post by Dottie57 »

Northern Flicker wrote: Wed Nov 15, 2023 12:31 pm There could be a future beneficial update, such as support for requiring a fingerprint to open the app, which seems to be lacking. Fidelity has announced that they will support the open TOTP standard and FIDO2 with Yubikeys soon in any case.
Wow! Thanks for that! I prefer a physical token.
Northern Flicker
Posts: 14605
Joined: Fri Apr 10, 2015 12:29 am

Re: Using Symantec VIP Access at Fidelity

Post by Northern Flicker »

dual wrote: Tue Nov 21, 2023 7:15 pm
Northern Flicker wrote: Tue Nov 21, 2023 4:41 pm Is the Symantec hard token pin protected? The 2FA token can be used to reset a password, so is a single point of compromise.
A criminal would need my username and password and the hardware token. This is three points of compromise?
The web site has a forgot username link and the forgot password link uses a Symantec code for authentication. The Symantec code is the only robust authentication in all of that. A hard token may not be lost with any other identifying info, in which case it will not be useful. But best practice is for the password security domain and 2FA security domain not to overlap, and using 2FA to authenticate password resets violates that.

I'm not saying that using the hard Symantec token is weak encryption, but that it is not perfect. Using an authenticator app on a phone has different issues. It is not air gapped from the internet so a compromise of the phone could compromise it. And if you maintain or read a password safe on the phone or login to the service from the phone, that would violate the separation.
chance
Posts: 114
Joined: Mon Jun 11, 2007 9:55 pm

Re: Using Symantec VIP Access at Fidelity

Post by chance »

Another option I haven't seen mentioned is that Fidelity also supports 2FA through its mobile app. When logging in online Fidelity pushes a notification to my app and I have to use a fingerprint and confirm that it's me accessing the account. I have this set as default for 2FA. My gripe with Fidelity is that I'd like to be able to use an OTP authenticator as a backup when the app push notification doesn't work (rarely occurs but does happen). Currently, to have a backup I have to use text based OTP which is not ideal.
Northern Flicker
Posts: 14605
Joined: Fri Apr 10, 2015 12:29 am

Re: Using Symantec VIP Access at Fidelity

Post by Northern Flicker »

How is the mobile app login authenticated?
dual
Posts: 1351
Joined: Mon Feb 26, 2007 6:02 pm

Re: Using Symantec VIP Access at Fidelity

Post by dual »

Northern Flicker wrote: Wed Nov 22, 2023 5:48 pm
dual wrote: Tue Nov 21, 2023 7:15 pm
Northern Flicker wrote: Tue Nov 21, 2023 4:41 pm Is the Symantec hard token pin protected? The 2FA token can be used to reset a password, so is a single point of compromise.
A criminal would need my username and password and the hardware token. This is three points of compromise?
The web site has a forgot username link and the forgot password link uses a Symantec code for authentication. The Symantec code is the only robust authentication in all of that. A hard token may not be lost with any other identifying info, in which case it will not be useful. But best practice is for the password security domain and 2FA security domain not to overlap, and using 2FA to authenticate password resets violates that.

I'm not saying that using the hard Symantec token is weak encryption, but that it is not perfect. Using an authenticator app on a phone has different issues. It is not air gapped from the internet so a compromise of the phone could compromise it. And if you maintain or read a password safe on the phone or login to the service from the phone, that would violate the separation.
It is not as easy to change the user name and password as you portray it. As I understand it, Fidelity requires you to call in and give personal information and receive text messages at the telephone number associated with the account. In addition, I have set up alerts as have many others for all changes like this to be notified to the email address of record on my account. If a criminal did attempt to change the username and password, I would know about it immediately and I could call in to freeze the account.

Harry Sit mentions that the lost username and password is a vulnerable point, but it’s not as bad as you portray it.
chance
Posts: 114
Joined: Mon Jun 11, 2007 9:55 pm

Re: Using Symantec VIP Access at Fidelity

Post by chance »

Northern Flicker wrote: Wed Nov 22, 2023 9:55 pm How is the mobile app login authenticated?
Biometrics, fingerprint. So someone would have to (1) get physical possession of my device, (2) access the device, and (3) access the app with biometrics.
Northern Flicker
Posts: 14605
Joined: Fri Apr 10, 2015 12:29 am

Re: Using Symantec VIP Access at Fidelity

Post by Northern Flicker »

dual wrote: Thu Nov 23, 2023 10:15 am
Northern Flicker wrote: Wed Nov 22, 2023 5:48 pm
dual wrote: Tue Nov 21, 2023 7:15 pm
Northern Flicker wrote: Tue Nov 21, 2023 4:41 pm Is the Symantec hard token pin protected? The 2FA token can be used to reset a password, so is a single point of compromise.
A criminal would need my username and password and the hardware token. This is three points of compromise?
The web site has a forgot username link and the forgot password link uses a Symantec code for authentication. The Symantec code is the only robust authentication in all of that. A hard token may not be lost with any other identifying info, in which case it will not be useful. But best practice is for the password security domain and 2FA security domain not to overlap, and using 2FA to authenticate password resets violates that.

I'm not saying that using the hard Symantec token is weak encryption, but that it is not perfect. Using an authenticator app on a phone has different issues. It is not air gapped from the internet so a compromise of the phone could compromise it. And if you maintain or read a password safe on the phone or login to the service from the phone, that would violate the separation.
It is not as easy to change the user name and password as you portray it. As I understand it, Fidelity requires you to call in and give personal information and receive text messages at the telephone number associated with the account.
You don't have to change the user name, just retrieve it. And I've never had to call in to Fidelity to reset a password.
Northern Flicker
Posts: 14605
Joined: Fri Apr 10, 2015 12:29 am

Re: Using Symantec VIP Access at Fidelity

Post by Northern Flicker »

chance wrote: Thu Nov 23, 2023 10:42 am
Northern Flicker wrote: Wed Nov 22, 2023 9:55 pm How is the mobile app login authenticated?
Biometrics, fingerprint. So someone would have to (1) get physical possession of my device, (2) access the device, and (3) access the app with biometrics.
The fingerprint is how you authenticate to the phone to get access to an app login session already established, not how you authenticate to Fidelity with the app. Establishing the initial connection with the app cannot use the app message 2FA method or a fingerprint. However you authenticated to Fidelity with the app can be repeated in a different session if not designed properly.
Northern Flicker
Posts: 14605
Joined: Fri Apr 10, 2015 12:29 am

Re: Using Symantec VIP Access at Fidelity

Post by Northern Flicker »

I think you would need to secure the app login with a 2FA mechanism like the Symantec VIP app or token, at which point you would use that for a web login.
dcabler
Posts: 4055
Joined: Wed Feb 19, 2014 10:30 am

Re: Using Symantec VIP Access at Fidelity

Post by dcabler »

chance wrote: Wed Nov 22, 2023 7:29 pm Another option I haven't seen mentioned is that Fidelity also supports 2FA through its mobile app. When logging in online Fidelity pushes a notification to my app and I have to use a fingerprint and confirm that it's me accessing the account. I have this set as default for 2FA. My gripe with Fidelity is that I'd like to be able to use a OTP authenticator as a backup when the app push notification doesn't work (rarely occurs but does happen). Currently, to have a backup I have to use text based OTP which is not ideal.
Yeah, I've noticed that as well. What happens is that I switch to SMS for 2FA and, sure enough, about 5 minutes after I log in, I get the notification from the app on my phone for app based 2FA.

Cheers.
dual
Posts: 1351
Joined: Mon Feb 26, 2007 6:02 pm

Re: Using Symantec VIP Access at Fidelity

Post by dual »

Northflicker wrote:
You don't have to change the user name, just retrieve it. And I've never had to call in to Fidelity to reset a password.
You have been able to change the password without having the old one without calling in?
Northern Flicker
Posts: 14605
Joined: Fri Apr 10, 2015 12:29 am

Re: Using Symantec VIP Access at Fidelity

Post by Northern Flicker »

Yes. Before I set up SVIP it used email to authenticate the reset. Perhaps Fidelity changed the reset process to require a call in because their password reset procedure was a significant weakness before. If so, that is good.
VictorStarr
Posts: 702
Joined: Sat Jan 04, 2020 9:13 pm
Location: Washington

Re: Using Symantec VIP Access at Fidelity

Post by VictorStarr »

dual wrote: Fri Nov 24, 2023 10:36 am Northflicker wrote:
You don't have to change the user name, just retrieve it. And I've never had to call in to Fidelity to reset a password.
You have been able to change the password without having the old one without calling in?

A year ago I reset username and password at Fidelity, Schwab, Vanguard, E*Trade and Merrill Edge. At that time no brokerage required calling customer support. Fidelity required basic info and access to email and Symantec VIP to reset password.

I described my experience in this thread:
viewtopic.php?t=385253
lws
Posts: 769
Joined: Tue Apr 25, 2017 6:12 pm

Re: Using Symantec VIP Access at Fidelity

Post by lws »

OP,
Keep using it.
It does the job.
Northern Flicker
Posts: 14605
Joined: Fri Apr 10, 2015 12:29 am

Re: Using Symantec VIP Access at Fidelity

Post by Northern Flicker »

dcabler wrote: Fri Nov 24, 2023 6:25 am
chance wrote: Wed Nov 22, 2023 7:29 pm Another option I haven't seen mentioned is that Fidelity also supports 2FA through its mobile app. When logging in online Fidelity pushes a notification to my app and I have to use a fingerprint and confirm that it's me accessing the account. I have this set as default for 2FA. My gripe with Fidelity is that I'd like to be able to use a OTP authenticator as a backup when the app push notification doesn't work (rarely occurs but does happen). Currently, to have a backup I have to use text based OTP which is not ideal.
Yeah, I've noticed that as well. What happens is that I switch to SMS for 2FA and, sure enough, about 5 minutes after I log in, I get the notification from the app on my phone for app based 2FA.

Cheers.
So the app notification is activated after you login using some other authentication method so that subsequent logins use the app push notification.
Northern Flicker
Posts: 14605
Joined: Fri Apr 10, 2015 12:29 am

Re: Using Symantec VIP Access at Fidelity

Post by Northern Flicker »

lws wrote: Fri Nov 24, 2023 2:40 pm OP,
Keep using it.
It does the job.
It is a good method to use.
dcabler
Posts: 4055
Joined: Wed Feb 19, 2014 10:30 am

Re: Using Symantec VIP Access at Fidelity

Post by dcabler »

Northern Flicker wrote: Fri Nov 24, 2023 4:42 pm
dcabler wrote: Fri Nov 24, 2023 6:25 am
chance wrote: Wed Nov 22, 2023 7:29 pm Another option I haven't seen mentioned is that Fidelity also supports 2FA through its mobile app. When logging in online Fidelity pushes a notification to my app and I have to use a fingerprint and confirm that it's me accessing the account. I have this set as default for 2FA. My gripe with Fidelity is that I'd like to be able to use a OTP authenticator as a backup when the app push notification doesn't work (rarely occurs but does happen). Currently, to have a backup I have to use text based OTP which is not ideal.
Yeah, I've noticed that as well. What happens is that I switch to SMS for 2FA and, sure enough, about 5 minutes after I log in, I get the notification from the app on my phone for app based 2FA.

Cheers.
So the app notification is activated after you login using some other authentication method so that subsequent logins use the app push notification.
That doesn't make sense to me.

99% of the time I tell it to use the app push method and it goes through as planned in a few seconds. Other times I wait a few minutes and after not having received the app notification, I then try the "try a different method box" which is just SMS. It goes through, then a few minutes after that I get the app notification. My assumption has been that it was simply a long delay due to whatever...

Cheers.
Northern Flicker
Posts: 14605
Joined: Fri Apr 10, 2015 12:29 am

Re: Using Symantec VIP Access at Fidelity

Post by Northern Flicker »

You have to log in successfully by some method other than the app push to establish the app push. The app push does not protect that other method, which still would be available to attackers, and needs to be locked down by some method as well.