Using Symantec VIP Access at Fidelity

Non-investing personal finance issues including insurance, credit, real estate, taxes, employment and legal issues such as trusts and wills.
User avatar
Topic Author
AAA
Posts: 1824
Joined: Sat Jan 12, 2008 7:56 am

Using Symantec VIP Access at Fidelity

Post by AAA »

So I've been using this for several years and wanted to know if the version I have, 1.0.4, is current. The app itself doesn't have an update option. In its Help menu there is an FAQ option but my browser says it can't find the server. Digging into this, it appears that Broadcom acquired Symantec and is now NortonLifeLock. I went to Fidelity's website and it still talks about VIP Access. I clicked on the download button just to find out if it would tell me a current version number but the download page doesn't load.

I used VIP Access today with Fidelity so it's still working. I just wanted to stay up-to-date to avoid any possible future issues but there's no information readily available about this app.

Anyone know what the situation is?
BuddyJet
Posts: 1059
Joined: Mon Jun 24, 2019 8:56 pm

Re: Using Symantec VIP Access at Fidelity

Post by BuddyJet »

My app shows as Symantec VIP Access for Android version 4.2.0. No lifelock wording. Are you on Apple?
People say nothing is impossible. I do nothing all day.
investor4life
Posts: 512
Joined: Fri Oct 08, 2010 9:45 am

Re: Using Symantec VIP Access at Fidelity

Post by investor4life »

I have version 4.3.3 of Symantec VIP on iOS.

Fidelity also has another way of doing MFA using text messaging. It is not as secure as an app-based approach and I am not sure why it is even offered.
JayB
Posts: 552
Joined: Sat May 28, 2022 9:57 am

Re: Using Symantec VIP Access at Fidelity

Post by JayB »

On my Windows 10 machine, I have Version 2.2.4.44. When I clicked on "check for updates," it said that there were none available. On my Android phone, I have Version 4.2.0 and there are no updates to this available on the Google Play Store.
User avatar
Topic Author
AAA
Posts: 1824
Joined: Sat Jan 12, 2008 7:56 am

Re: Using Symantec VIP Access at Fidelity

Post by AAA »

I should have mentioned that I'm using the app on an Apple laptop.
MrJedi
Posts: 3530
Joined: Wed May 06, 2020 11:42 am

Re: Using Symantec VIP Access at Fidelity

Post by MrJedi »

Symantec VIP is just a wrapped form of TOTP codes (like QR code authenticators). Once it's established, there are no updates needed. The codes are generated based on time and standardized algorithm that will never change.
User avatar
Topic Author
AAA
Posts: 1824
Joined: Sat Jan 12, 2008 7:56 am

Re: Using Symantec VIP Access at Fidelity

Post by AAA »

MrJedi wrote: Tue Nov 14, 2023 5:26 pm Symantec VIP is just a wrapped form of TOTP codes (like QR code authenticators). Once it's established, there are no updates needed.
That's reassuring. Thanks.
gavinsiu
Posts: 3596
Joined: Sun Nov 14, 2021 11:42 am

Re: Using Symantec VIP Access at Fidelity

Post by gavinsiu »

I am using version 4.3.3 on IOS. I am doubtful that it needs to be updated often since it's just a TOTP app.
Northern Flicker
Posts: 14595
Joined: Fri Apr 10, 2015 12:29 am

Re: Using Symantec VIP Access at Fidelity

Post by Northern Flicker »

There could be a future beneficial update, such as support for requiring a fingerprint to open the app, which seems to be lacking. Fidelity has announced that they will support the open TOTP standard and FIDO2 with Yubikeys soon in any case.
JohnSlackII
Posts: 116
Joined: Mon Oct 09, 2023 9:08 am

Re: Using Symantec VIP Access at Fidelity

Post by JohnSlackII »

Northern Flicker wrote: Wed Nov 15, 2023 12:31 pm Fidelity has announced that they will support the open TOTP standard and FIDO2 with Yubikeys soon in any case.
Can you post a link to that announcement? I can't find anything in a quick Google search. Thanks.
Northern Flicker
Posts: 14595
Joined: Fri Apr 10, 2015 12:29 am

Re: Using Symantec VIP Access at Fidelity

Post by Northern Flicker »

Login to fidelity.com and you should be able to find info, or call Fidelity.
yolointopants
Posts: 147
Joined: Wed Jun 29, 2022 8:08 am

Re: Using Symantec VIP Access at Fidelity

Post by yolointopants »

Northern Flicker wrote: Thu Nov 16, 2023 2:46 pm Login to fidelity.com and you should be able to find info, or call Fidelity.
Not seeing anything on Fidelity.com. I'm looking at all the options here (https://www.fidelity.com/security/extra-security-login) and finding no mention of anything except SMS/Phone and VIP. Is there another link or location to check?
Northern Flicker
Posts: 14595
Joined: Fri Apr 10, 2015 12:29 am

Re: Using Symantec VIP Access at Fidelity

Post by Northern Flicker »

I believe they may have had a login message about it in the past. Here is a past thread that mentioned it:

viewtopic.php?t=402749
JohnSlackII
Posts: 116
Joined: Mon Oct 09, 2023 9:08 am

Re: Using Symantec VIP Access at Fidelity

Post by JohnSlackII »

Northern Flicker wrote: Sat Nov 18, 2023 2:46 am I believe they may have had a login message about it in the past. Here is a past thread that mentioned it:

viewtopic.php?t=402749
That’s a random statement from a random Fidelity employee. Certainly not a Fidelity announcement.

I can’t find any other discussion online about this. Actually that bogleheads thread was the #2 result for one of my searches.
ikowik
Posts: 383
Joined: Tue Dec 23, 2014 5:52 pm

Re: Using Symantec VIP Access at Fidelity

Post by ikowik »

I remember seeing a statement on the log in page that new security measures are coming, without specifying anything further. This was 3-4 months ago.
Then the message disappeared. Not sure why, but that coincided with a few weeks when Fidelity online services had several outages. Maybe the proposed changes crashed the site and were withdrawn?

I do not remember any specific mention of Fido2.
Northern Flicker
Posts: 14595
Joined: Fri Apr 10, 2015 12:29 am

Re: Using Symantec VIP Access at Fidelity

Post by Northern Flicker »

JohnSlackII wrote: Sat Nov 18, 2023 5:42 am
Northern Flicker wrote: Sat Nov 18, 2023 2:46 am I believe they may have had a login message about it in the past. Here is a past thread that mentioned it:

viewtopic.php?t=402749
That’s a random statement from a random Fidelity employee. Certainly not a Fidelity announcement.

I can’t find any other discussion online about this. Actually that bogleheads thread was the #2 result for one of my searches.
That's why I suggested calling Fidelity to ask. They, not we, have the info.
User avatar
StewedCarrot
Posts: 251
Joined: Sun Feb 09, 2020 12:34 pm

Re: Using Symantec VIP Access at Fidelity

Post by StewedCarrot »

investor4life wrote: Tue Nov 14, 2023 4:06 pm I have version 4.3.3 of Symantec VIP on iOS.

Fidelity also has another way of doing MFA using text messaging. It is not as secure as an app-based approach and I am not sure why it is even offered.
I don't trust Symantec any more than SMS and will not use their TOTP generator.

It baffles me that Fidelity still does not support hardware keys in 2023.
User avatar
beyou
Posts: 6276
Joined: Sat Feb 27, 2010 2:57 pm
Location: If you can make it there

Re: Using Symantec VIP Access at Fidelity

Post by beyou »

StewedCarrot wrote: Sat Nov 18, 2023 1:32 pm
investor4life wrote: Tue Nov 14, 2023 4:06 pm I have version 4.3.3 of Symantec VIP on iOS.

Fidelity also has another way of doing MFA using text messaging. It is not as secure as an app-based approach and I am not sure why it is even offered.
I don't trust Symantec any more than SMS and will not use their TOTP generator.

It baffles me that Fidelity still does not support hardware keys in 2023.
Vanguard allows hardware key but most don't choose to use it.
I wish Vanguard allowed TOTP, I used Symantec with Etrade for years.
Are you saying somehow Symantec's implementation of TOTP is worse than Google, Microsoft and the many others ? If so why ?
I found it stable and reliable over many years with Etrade.
Northern Flicker
Posts: 14595
Joined: Fri Apr 10, 2015 12:29 am

Re: Using Symantec VIP Access at Fidelity

Post by Northern Flicker »

StewedCarrot wrote: Sat Nov 18, 2023 1:32 pm
investor4life wrote: Tue Nov 14, 2023 4:06 pm I have version 4.3.3 of Symantec VIP on iOS.

Fidelity also has another way of doing MFA using text messaging. It is not as secure as an app-based approach and I am not sure why it is even offered.
I don't trust Symantec any more than SMS.
Why not?
Northern Flicker
Posts: 14595
Joined: Fri Apr 10, 2015 12:29 am

Re: Using Symantec VIP Access at Fidelity

Post by Northern Flicker »

beyou wrote: Sun Nov 19, 2023 9:37 am
StewedCarrot wrote: Sat Nov 18, 2023 1:32 pm
investor4life wrote: Tue Nov 14, 2023 4:06 pm I have version 4.3.3 of Symantec VIP on iOS.

Fidelity also has another way of doing MFA using text messaging. It is not as secure as an app-based approach and I am not sure why it is even offered.
I don't trust Symantec any more than SMS and will not use their TOTP generator.

It baffles me that Fidelity still does not support hardware keys in 2023.
Vanguard allows hardware key but most don't choose to use it.
I wish Vanguard allowed TOTP, I used Symantec with Etrade for years.
Are you saying somehow Symantec's implementation of TOTP is worse than Google, Microsoft and the many others ? If so why ?
I found it stable and reliable over many years with Etrade.
The Symantec app on a phone should require a fingerprint to open. And I think Fidelity should not authenticate password resets with TOTP codes.
SteveInNJ
Posts: 60
Joined: Tue Dec 11, 2018 10:44 am

Re: Using Symantec VIP Access at Fidelity

Post by SteveInNJ »

beyou wrote: Sun Nov 19, 2023 9:37 am
StewedCarrot wrote: Sat Nov 18, 2023 1:32 pm
investor4life wrote: Tue Nov 14, 2023 4:06 pm I have version 4.3.3 of Symantec VIP on iOS.

Fidelity also has another way of doing MFA using text messaging. It is not as secure as an app-based approach and I am not sure why it is even offered.
I don't trust Symantec any more than SMS and will not use their TOTP generator.

It baffles me that Fidelity still does not support hardware keys in 2023.
Vanguard allows hardware key but most don't choose to use it.
I wish Vanguard allowed TOTP, I used Symantec with Etrade for years.
Are you saying somehow Symantec's implementation of TOTP is worse than Google, Microsoft and the many others ? If so why ?
I found it stable and reliable over many years with Etrade.
I refused to set up yet another app for OTP when I went to ETrade and had to use Symantec's VIP. I found this and it worked flawlessly:

https://github.com/dlenski/python-vipaccess
Northern Flicker
Posts: 14595
Joined: Fri Apr 10, 2015 12:29 am

Re: Using Symantec VIP Access at Fidelity

Post by Northern Flicker »

It will work, but means following a procedure not supported or vetted by the service provider. Relative to the quite trivial inconvenience of having a 2nd TOTP app for Symantec, it does not seem to be worth the risk if there is a breach, and the provider challenges the procedures you are using.
User avatar
typical.investor
Posts: 4924
Joined: Mon Jun 11, 2018 3:17 am

Re: Using Symantec VIP Access at Fidelity

Post by typical.investor »

SteveInNJ wrote: Sun Nov 19, 2023 2:08 pm
beyou wrote: Sun Nov 19, 2023 9:37 am
StewedCarrot wrote: Sat Nov 18, 2023 1:32 pm
investor4life wrote: Tue Nov 14, 2023 4:06 pm I have version 4.3.3 of Symantec VIP on iOS.

Fidelity also has another way of doing MFA using text messaging. It is not as secure as an app-based approach and I am not sure why it is even offered.
I don't trust Symantec any more than SMS and will not use their TOTP generator.

It baffles me that Fidelity still does not support hardware keys in 2023.
Vanguard allows hardware key but most don't choose to use it.
I wish Vanguard allowed TOTP, I used Symantec with Etrade for years.
Are you saying somehow Symantec's implementation of TOTP is worse than Google, Microsoft and the many others ? If so why ?
I found it stable and reliable over many years with Etrade.
I refused to set up yet another app for OTP when I went to ETrade and had to use Symantec's VIP. I found this and it worked flawlessly:

https://github.com/dlenski/python-vipaccess
From their notes:

As of May 17, 2020, python-vipaccess stopped working for provisioning new Symantec VIP Access tokens (which was its raison d'être).
As of May 27, 2020, it's working again.
It might stop working again. and we might not be able to get it to work again (see #39)
midwest_bound
Posts: 81
Joined: Thu Oct 13, 2022 1:46 pm

Re: Using Symantec VIP Access at Fidelity

Post by midwest_bound »

typical.investor wrote: Sun Nov 19, 2023 4:47 pm
SteveInNJ wrote: Sun Nov 19, 2023 2:08 pm
beyou wrote: Sun Nov 19, 2023 9:37 am
StewedCarrot wrote: Sat Nov 18, 2023 1:32 pm
investor4life wrote: Tue Nov 14, 2023 4:06 pm I have version 4.3.3 of Symantec VIP on iOS.

Fidelity also has another way of doing MFA using text messaging. It is not as secure as an app-based approach and I am not sure why it is even offered.
I don't trust Symantec any more than SMS and will not use their TOTP generator.

It baffles me that Fidelity still does not support hardware keys in 2023.
Vanguard allows hardware key but most don't choose to use it.
I wish Vanguard allowed TOTP, I used Symantec with Etrade for years.
Are you saying somehow Symantec's implementation of TOTP is worse than Google, Microsoft and the many others ? If so why ?
I found it stable and reliable over many years with Etrade.
I refused to set up yet another app for OTP when I went to ETrade and had to use Symantec's VIP. I found this and it worked flawlessly:

https://github.com/dlenski/python-vipaccess
From their notes:

As of May 17, 2020, python-vipaccess stopped working for provisioning new Symantec VIP Access tokens (which was its raison d'être).
As of May 27, 2020, it's working again.
It might stop working again. and we might not be able to get it to work again (see #39)
The big thing to note here is that it briefly didn’t work for *new* tokens. It’s inconceivable that it will ever quit working for old codes because the algorithm for generating is static and will not change.
SteveInNJ
Posts: 60
Joined: Tue Dec 11, 2018 10:44 am

Re: Using Symantec VIP Access at Fidelity

Post by SteveInNJ »

midwest_bound wrote: Sun Nov 19, 2023 4:53 pm
typical.investor wrote: Sun Nov 19, 2023 4:47 pm
SteveInNJ wrote: Sun Nov 19, 2023 2:08 pm
beyou wrote: Sun Nov 19, 2023 9:37 am
StewedCarrot wrote: Sat Nov 18, 2023 1:32 pm

I don't trust Symantec any more than SMS and will not use their TOTP generator.

It baffles me that Fidelity still does not support hardware keys in 2023.
Vanguard allows hardware key but most don't choose to use it.
I wish Vanguard allowed TOTP, I used Symantec with Etrade for years.
Are you saying somehow Symantec's implementation of TOTP is worse than Google, Microsoft and the many others ? If so why ?
I found it stable and reliable over many years with Etrade.
I refused to set up yet another app for OTP when I went to ETrade and had to use Symantec's VIP. I found this and it worked flawlessly:

https://github.com/dlenski/python-vipaccess
From their notes:

As of May 17, 2020, python-vipaccess stopped working for provisioning new Symantec VIP Access tokens (which was its raison d'être).
As of May 27, 2020, it's working again.
It might stop working again. and we might not be able to get it to work again (see #39)
The big thing to note here is that it briefly didn’t work for *new* tokens. It’s inconceivable that it will ever quit working for old codes because the algorithm for generating is static and will not change.
Correct. I generated a TOPT token and stuck it in Authy sometime in 2021 for ETrade. It still works.
midwest_bound
Posts: 81
Joined: Thu Oct 13, 2022 1:46 pm

Re: Using Symantec VIP Access at Fidelity

Post by midwest_bound »

SteveInNJ wrote: Mon Nov 20, 2023 9:47 am
midwest_bound wrote: Sun Nov 19, 2023 4:53 pm
typical.investor wrote: Sun Nov 19, 2023 4:47 pm
SteveInNJ wrote: Sun Nov 19, 2023 2:08 pm
beyou wrote: Sun Nov 19, 2023 9:37 am

Vanguard allows hardware key but most don't choose to use it.
I wish Vanguard allowed TOTP, I used Symantec with Etrade for years.
Are you saying somehow Symantec's implementation of TOTP is worse than Google, Microsoft and the many others ? If so why ?
I found it stable and reliable over many years with Etrade.
I refused to set up yet another app for OTP when I went to ETrade and had to use Symantec's VIP. I found this and it worked flawlessly:

https://github.com/dlenski/python-vipaccess
From their notes:

As of May 17, 2020, python-vipaccess stopped working for provisioning new Symantec VIP Access tokens (which was its raison d'être).
As of May 27, 2020, it's working again.
It might stop working again. and we might not be able to get it to work again (see #39)
The big thing to note here is that it briefly didn’t work for *new* tokens. It’s inconceivable that it will ever quit working for old codes because the algorithm for generating is static and will not change.
Correct. I generated a TOPT token and stuck it in Authy sometime in 2021 for ETrade. It still works.
Same! I am firmly against installing yet another app!
Laundry_Service
Posts: 383
Joined: Wed Sep 15, 2010 11:52 am

Re: Using Symantec VIP Access at Fidelity

Post by Laundry_Service »

I have also been using the VIP converter for years and currently using OTP Auth for my phone and desktop.
User avatar
dual
Posts: 1349
Joined: Mon Feb 26, 2007 6:02 pm

Re: Using Symantec VIP Access at Fidelity

Post by dual »

Fidelity does support a hardware token. I use it instead of the app on my cell phone. Works great

Image

Here’s a discussion about it on Harry Sit’s “the finance buff”

https://thefinancebuff.com/security-har ... ware-token

Edit. This also works at Schwab and E-trade.
Northern Flicker
Posts: 14595
Joined: Fri Apr 10, 2015 12:29 am

Re: Using Symantec VIP Access at Fidelity

Post by Northern Flicker »

Is the Symantec hard token pin protected? The 2FA token can be used to reset a password, so is a single point of compromise.
User avatar
dual
Posts: 1349
Joined: Mon Feb 26, 2007 6:02 pm

Re: Using Symantec VIP Access at Fidelity

Post by dual »

Northern Flicker wrote: Tue Nov 21, 2023 4:41 pm Is the Symantec hard token pin protected? The 2FA token can be used to reset a password, so is a single point of compromise.
A criminal would need my username and password and the hardware token. This is three points of compromise?
User avatar
TheRoundHeadedKid
Posts: 204
Joined: Thu Aug 10, 2023 11:28 pm

Re: Using Symantec VIP Access at Fidelity

Post by TheRoundHeadedKid »

dual wrote: Tue Nov 21, 2023 7:15 pm
Northern Flicker wrote: Tue Nov 21, 2023 4:41 pm Is the Symantec hard token pin protected? The 2FA token can be used to reset a password, so is a single point of compromise.
A criminal would need my username and password and the hardware token. This is three points of compromise?
Actually two. Username and password together are considered single factor authentication.
All 82 Vanguard ETFs equally invested. Each payday, sort their balance in ascending order then buy a share starting from top until out of cash.
volstagg
Posts: 182
Joined: Tue Feb 01, 2022 7:28 am

Re: Using Symantec VIP Access at Fidelity

Post by volstagg »

Northern Flicker wrote: Sun Nov 19, 2023 2:06 pm The Symantec app on a phone should require a fingerprint to open.
I am not sure I see this as a deal breaking weakness, honestly. If my phone is locked and requires biometrics or password to open, the only avenue of attack not having a lock on the Symantec app directly is, if someone steals my phone out of my hand while I am using it then they could get the 2FA code. Which means they would have to be targeting me (know I was a Fidelity customer, know my schedule, already have other personal information on me, etc).

Sure, it would be nice if it had an additional security lock on the app itself, but choosing to not use a TOTP 2FA solution over no 2FA or just SMS 2FA, just because they don't add an additional layer on the app seems a little silly.
And I think Fidelity should not authenticate password resets with TOTP codes.
I am not sure why they shouldn't? They should use every/all information they have on me to verify me.

While I have never called Fidelity to reset my password, I have called to swap Symantec VIP tokens. I switched from using the actual VIP app to using the python method several years ago, Fidelity didn't just trust the VIP code on my phone to make the swap. While they used the code to verify me, they also used their voice verification system, sent a 2nd SMS code to my phone and they used other personal information they had on file about me, all before they would allow the change. I imagine it would be similar for a password reset.
Dottie57
Posts: 12070
Joined: Thu May 19, 2016 5:43 pm
Location: Earth Northern Hemisphere

Re: Using Symantec VIP Access at Fidelity

Post by Dottie57 »

Northern Flicker wrote: Wed Nov 15, 2023 12:31 pm There could be a future beneficial update, such as support for requiring a fingerprint to open the app, which seems to be lacking. Fidelity has announced that they will support the open TOTP standard and FIDO2 with Yubikeys soon in any case.
Wow! Thanks for that! I prefer a physical token.
Northern Flicker
Posts: 14595
Joined: Fri Apr 10, 2015 12:29 am

Re: Using Symantec VIP Access at Fidelity

Post by Northern Flicker »

dual wrote: Tue Nov 21, 2023 7:15 pm
Northern Flicker wrote: Tue Nov 21, 2023 4:41 pm Is the Symantec hard token pin protected? The 2FA token can be used to reset a password, so is a single point of compromise.
A criminal would need my username and password and the hardware token. This is three points of compromise?
The web site has a forgot username link and the forgot password link uses a Symantec code for authentication. The Symantec code is the only robust authentication in all of that. A hard token may not be lost with any other identifying info, in which case it will not be useful. But best practice is for the password security domain and 2FA security domain not to overlap, and using 2FA to authenticate password resets violates that.

I'm not saying that using the hard Symantec token is weak encryption, but that it is not perfect. Using an authenticator app on a phone has different issues. It is not air gapped from the internet so a compromise of the phone could compromise it. And if you maintain or read a password safe on the phone or login to the service from the phone, that would violate the separation.
chance
Posts: 114
Joined: Mon Jun 11, 2007 9:55 pm

Re: Using Symantec VIP Access at Fidelity

Post by chance »

Another option I haven't seen mentioned is that Fidelity also supports 2FA through its mobile app. When logging in online Fidelity pushes a notification to my app and I have to use a fingerprint and confirm that it's me accessing the account. I have this set as default for 2FA. My gripe with Fidelity is that I'd like to be able to use a OTP authenticator as a backup when the app push notification doesn't work (rarely occurs but does happen). Currently, to have a backup I have to use text based OTP which is not ideal.
Northern Flicker
Posts: 14595
Joined: Fri Apr 10, 2015 12:29 am

Re: Using Symantec VIP Access at Fidelity

Post by Northern Flicker »

How is the mobile app login authenticated?
User avatar
dual
Posts: 1349
Joined: Mon Feb 26, 2007 6:02 pm

Re: Using Symantec VIP Access at Fidelity

Post by dual »

Northern Flicker wrote: Wed Nov 22, 2023 5:48 pm
dual wrote: Tue Nov 21, 2023 7:15 pm
Northern Flicker wrote: Tue Nov 21, 2023 4:41 pm Is the Symantec hard token pin protected? The 2FA token can be used to reset a password, so is a single point of compromise.
A criminal would need my username and password and the hardware token. This is three points of compromise?
The web site has a forgot username link and the forgot password link uses a Symantec code for authentication. The Symantec code is the only robust authentication in all of that. A hard token may not be lost with any other identifying info, in which case it will not be useful. But best practice is for the password security domain and 2FA security domain not to overlap, and using 2FA to authenticate password resets violates that.

I'm not saying that using the hard Symantec token is weak encryption, but that it is not perfect. Using an authenticator app on a phone has different issues. It is not air gapped from the internet so a compromise of the phone could compromise it. And if you maintain or read a password safe on the phone or login to the service from the phone, that would violate the separation.
It is not as easy to change the user name and password as you portray it. As I understand it, Fidelity requires you to call in and give personal information and receive text messages at the telephone number associated with the account. In addition, I have set up alerts as have many others for all changes like this to be notified to the email address of record on my account. If a criminal did attempt to change the username and password, I would know about it immediately and I could call in to freeze the account.

Harry Sit mentions that the lost username and password is a vulnerable point, but it’s not as bad as you portray it.
chance
Posts: 114
Joined: Mon Jun 11, 2007 9:55 pm

Re: Using Symantec VIP Access at Fidelity

Post by chance »

Northern Flicker wrote: Wed Nov 22, 2023 9:55 pm How is the mobile app login authenticated?
Biometrics, fingerprint. So someone would have to (1) get physical possession of my device, (2) access the device, and (3) access the app with biometrics.
Northern Flicker
Posts: 14595
Joined: Fri Apr 10, 2015 12:29 am

Re: Using Symantec VIP Access at Fidelity

Post by Northern Flicker »

dual wrote: Thu Nov 23, 2023 10:15 am
Northern Flicker wrote: Wed Nov 22, 2023 5:48 pm
dual wrote: Tue Nov 21, 2023 7:15 pm
Northern Flicker wrote: Tue Nov 21, 2023 4:41 pm Is the Symantec hard token pin protected? The 2FA token can be used to reset a password, so is a single point of compromise.
A criminal would need my username and password and the hardware token. This is three points of compromise?
The web site has a forgot username link and the forgot password link uses a Symantec code for authentication. The Symantec code is the only robust authentication in all of that. A hard token may not be lost with any other identifying info, in which case it will not be useful. But best practice is for the password security domain and 2FA security domain not to overlap, and using 2FA to authenticate password resets violates that.

I'm not saying that using the hard Symantec token is weak encryption, but that it is not perfect. Using an authenticator app on a phone has different issues. It is not air gapped from the internet so a compromise of the phone could compromise it. And if you maintain or read a password safe on the phone or login to the service from the phone, that would violate the separation.
It is not as easy to change the user name and password as you portray it. As I understand it, Fidelity requires you to call in and give personal information and receive text messages at the telephone number associated with the account. .
You don't have to change the user name, just retrieve it. And I've never had to call in to Fidelity to reset a password.
Northern Flicker
Posts: 14595
Joined: Fri Apr 10, 2015 12:29 am

Re: Using Symantec VIP Access at Fidelity

Post by Northern Flicker »

chance wrote: Thu Nov 23, 2023 10:42 am
Northern Flicker wrote: Wed Nov 22, 2023 9:55 pm How is the mobile app login authenticated?
Biometrics, fingerprint. So someone would have to (1) get physical possession of my device, (2) access the device, and (3) access the app with biometrics.
The fingerprint is how you authenticate to the phone to get access to an app login session already established, not how you authenticate to Fidelity with the app. Establishing the initial connection with the app cannot use the app message 2FA method or a fingerprint. However you authenticated to Fidelity with the app can be repeated in a different session if not designed properly.
Northern Flicker
Posts: 14595
Joined: Fri Apr 10, 2015 12:29 am

Re: Using Symantec VIP Access at Fidelity

Post by Northern Flicker »

I think you would need to secure the app login with a 2FA mechanism like the Symantec VIP app or token, at which point you would use that for a web login.
dcabler
Posts: 4049
Joined: Wed Feb 19, 2014 10:30 am

Re: Using Symantec VIP Access at Fidelity

Post by dcabler »

chance wrote: Wed Nov 22, 2023 7:29 pm Another option I haven't seen mentioned is that Fidelity also supports 2FA through its mobile app. When logging in online Fidelity pushes a notification to my app and I have to use a fingerprint and confirm that it's me accessing the account. I have this set as default for 2FA. My gripe with Fidelity is that I'd like to be able to use a OTP authenticator as a backup when the app push notification doesn't work (rarely occurs but does happen). Currently, to have a backup I have to use text based OTP which is not ideal.
Yeah, I've noticed that as well. What happens is that I switch to SMS for 2FA and, sure enough, about 5 minutes after I log in, I get the notification from the app on my phone for app based 2FA.

Cheers.
User avatar
dual
Posts: 1349
Joined: Mon Feb 26, 2007 6:02 pm

Re: Using Symantec VIP Access at Fidelity

Post by dual »

Northflicker wrote:
You don't have to change the user name, just retrieve it. And I've never had to call in to Fidelity to reset a password.
You have been able to change the password without having the old one without calling in?
Northern Flicker
Posts: 14595
Joined: Fri Apr 10, 2015 12:29 am

Re: Using Symantec VIP Access at Fidelity

Post by Northern Flicker »

Yes. Before I set up SVIP it used email to authenticate the reset. Perhaps Fidelity changed the reset process to require a call in because their password reset procedure was a significant weakness before. If so, that is good.
User avatar
VictorStarr
Posts: 701
Joined: Sat Jan 04, 2020 9:13 pm
Location: Washington

Re: Using Symantec VIP Access at Fidelity

Post by VictorStarr »

dual wrote: Fri Nov 24, 2023 10:36 am Northflicker wrote:
You don't have to change the user name, just retrieve it. And I've never had to call in to Fidelity to reset a password.
You have been able to change the password without having the old one without calling in?

I year ago I reset username and password at Fidelity, Schwab, Vanguard, E*Trade and Merrill Edge. At that time no brokerage required to call customer support. Fidelity required basic info and access to email and Symantec VIP to reset password.

I described my experience in this thread:
viewtopic.php?t=385253
lws
Posts: 769
Joined: Tue Apr 25, 2017 6:12 pm

Re: Using Symantec VIP Access at Fidelity

Post by lws »

OP,
Keep using it.
It does the job.
Northern Flicker
Posts: 14595
Joined: Fri Apr 10, 2015 12:29 am

Re: Using Symantec VIP Access at Fidelity

Post by Northern Flicker »

dcabler wrote: Fri Nov 24, 2023 6:25 am
chance wrote: Wed Nov 22, 2023 7:29 pm Another option I haven't seen mentioned is that Fidelity also supports 2FA through its mobile app. When logging in online Fidelity pushes a notification to my app and I have to use a fingerprint and confirm that it's me accessing the account. I have this set as default for 2FA. My gripe with Fidelity is that I'd like to be able to use a OTP authenticator as a backup when the app push notification doesn't work (rarely occurs but does happen). Currently, to have a backup I have to use text based OTP which is not ideal.
Yeah, I've noticed that as well. What happens is that I switch to SMS for 2FA and, sure enough, about 5 minutes after I log in, I get the notification from the app on my phone for app based 2FA.

Cheers.
So the app notification is activated after you login using some other authentication method so that subsequent logins use the app push notification.
Northern Flicker
Posts: 14595
Joined: Fri Apr 10, 2015 12:29 am

Re: Using Symantec VIP Access at Fidelity

Post by Northern Flicker »

lws wrote: Fri Nov 24, 2023 2:40 pm OP,
Keep using it.
It does the job.
It is a good method to use.
dcabler
Posts: 4049
Joined: Wed Feb 19, 2014 10:30 am

Re: Using Symantec VIP Access at Fidelity

Post by dcabler »

Northern Flicker wrote: Fri Nov 24, 2023 4:42 pm
dcabler wrote: Fri Nov 24, 2023 6:25 am
chance wrote: Wed Nov 22, 2023 7:29 pm Another option I haven't seen mentioned is that Fidelity also supports 2FA through its mobile app. When logging in online Fidelity pushes a notification to my app and I have to use a fingerprint and confirm that it's me accessing the account. I have this set as default for 2FA. My gripe with Fidelity is that I'd like to be able to use a OTP authenticator as a backup when the app push notification doesn't work (rarely occurs but does happen). Currently, to have a backup I have to use text based OTP which is not ideal.
Yeah, I've noticed that as well. What happens is that I switch to SMS for 2FA and, sure enough, about 5 minutes after I log in, I get the notification from the app on my phone for app based 2FA.

Cheers.
So the app notification is activated after you login using some other authentication method so that subsequent logins use the app push notification.
That doesn't make sense to me.

99% of the time I tell it to use the app push method and it goes through as planned in a few seconds. Other times I wait a few minutes and after not having received the app notification, I then try the "try a different method box" which is just SMS. It goes through, then a few minutes after that I get the app notification. My assumption has been that it was simply a long delay due to whatever...

Cheers.
Northern Flicker
Posts: 14595
Joined: Fri Apr 10, 2015 12:29 am

Re: Using Symantec VIP Access at Fidelity

Post by Northern Flicker »

You have to log in successfully by some method other than the app push to establish the app push. The app push does not protect that other method, which still would be available to attackers, and needs to be locked down by some method as well.
Post Reply