March 3, 2018
It is becoming common knowledge that you should use two-factor authentication whenever possible. Some services allow the use of TOTP apps on your smartphone, some only want to send you SMS codes... and others use proprietary tokens.
I have had SMS codes activated with PayPal for a while now, but I always had the urge to centralize all my 2FA codes in my FreeOTP app. Sites like GitHub, Backblaze and Dropbox all easily support this. However, PayPal always appeared to only support SMS codes. Then I stumbled upon this blog post saying otherwise. I’ll summarize the necessary steps below.
Apparently the VIP Access tokens are based on the open TOTP standard, which is supported by most authenticator apps. Based on this reverse-engineering effort, @cyrozap and @dlenski built a handy little Python script which allows us to provision new tokens: https://github.com/dlenski/python-vipaccess
Installing it directly via pip failed for me, but installing the dependencies separately and then installing the script from a cloned repository worked fine:
$ cd $(mktemp -d)
$ sudo pip install lxml oath pycryptodome requests
$ git clone https://github.com/dlenski/python-vipaccess .
$ sudo pip install .
Note: Make sure to use Python 3’s pip, which is called pip3 in some distributions.
Provision a new token
This should have installed the vipaccess command on your system. Now run vipaccess provision -p -t VSMT to provision a new ‘mobile token’. If you get a Something went wrong--the token is invalid. error, check your installation of
Otherwise you should see output like this:
$ vipaccess provision -p -t VSMT
Generating request...
Fetching provisioning response...
Getting token from response...
Decrypting token...
Checking token...
Credential created successfully:
    otpauth://totp/VIP%20Access:VSMT89594652?secret=GAHXEUAHO6KE63TUJGVHS53VVKHACPVN&digits=6&period=30&algorithm=sha1&issuer=Symantec
This credential expires on this date: 2021-03-02T14:46:00.744Z

You will need the ID to register this credential: VSMT89594652

You can use oathtool to generate the same OTP codes as would be produced by the official VIP Access apps:
    oathtool -d6 -b --totp    GAHXEUAHO6KE63TUJGVHS53VVKHACPVN  # 6-digit code
    oathtool -d6 -b --totp -v GAHXEUAHO6KE63TUJGVHS53VVKHACPVN  # ... with extra information
(This is a new and unused token.)
Save in your 2FA app
This step depends on what kind of application you use. You don’t necessarily have to use a smartphone app, of course. Usually, you’ll want to display a QR code to scan with your app, though. I use qrencode for this.
To modify the title of your entry, you can edit the label part of the URI, i.e. the string starting with VIP%20Access: in the output above; you could use PayPal: instead, as in the command below. The string needs to be URL-encoded though, so e.g. use %20 instead of spaces. Then display a QR code in your terminal with qrencode and scan it with your app:
$ qrencode -t UTF8 'otpauth://totp/PayPal:VSMT89594652?secret=GAHXEUAHO6KE63TUJGVHS53VVKHACPVN&digits=6&period=30&algorithm=sha1&issuer=Symantec'
Note that using an online tool to create this QR code might not be the wisest idea, since the URI contains your secret. Please don’t use this example secret either.
Set up security key
To set up this token as a new security key in PayPal, log in and navigate to https://www.paypal.com/webscr?cmd=_setup-security-key. You’ll be given two options. Select the ‘Security Key’ option.
In order to activate your token you are asked for a serial number and two 6-digit codes. The serial number is the VSMT... string from your provisioning: VSMT89594652 in the example above. And the 6-digit codes are two consecutive codes generated by your authenticator app.
Depending on your application you might need to tap the PayPal entry you just created and enter the code you see for the first 6-digit code. Then simply wait a few seconds until the next code appears or tap again after a few seconds to display the immediate next code and enter that in the last field.
Click ‘Activate’ at the bottom of the page and ta-da!
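As an added example (not part of the original post and not code from python-vipaccess), the following Python script shows what your authenticator app and oathtool actually do with the otpauth URI from the provisioning output: it parses the URI, base32-decodes the secret, derives the RFC 6238 TOTP code for a given point in time, and returns the two consecutive codes that PayPal's activation form asks for. The sample URI is the unused example token printed above; the function names parse_otpauth, hotp, totp and consecutive_codes are chosen here and are not from any library.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Sample input: the otpauth URI from the provisioning output above (an unused example token).
PAGE_URI = (
    "otpauth://totp/PayPal:VSMT89594652"
    "?secret=GAHXEUAHO6KE63TUJGVHS53VVKHACPVN&digits=6&period=30&algorithm=sha1&issuer=Symantec"
)


def parse_otpauth(uri):
    """Parse an otpauth://totp/ URI into label, raw secret bytes, digits, period, algorithm, issuer."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = {key: values[0] for key, values in parse_qs(parsed.query).items()}
    secret_b32 = params["secret"].upper()
    # Provisioning tools usually strip the '=' padding; b32decode needs a multiple of 8 chars.
    secret_b32 += "=" * (-len(secret_b32) % 8)
    return {
        "label": unquote(parsed.path.lstrip("/")),  # e.g. 'PayPal:VSMT89594652' (%20 decoded)
        "secret": base64.b32decode(secret_b32),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": params.get("algorithm", "sha1").lower(),
        "issuer": params.get("issuer"),
    }


def hotp(secret, counter, digits=6, algorithm="sha1"):
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte selects 4 bytes
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)  # keep leading zeros, e.g. '081804'


def totp(secret, at=None, period=30, digits=6, algorithm="sha1"):
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / period)."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // period, digits, algorithm)


def consecutive_codes(uri, at=None):
    """Return (current, next) codes for an otpauth URI: the two codes PayPal's form wants.

    The 'next' code is simply the code of the following time step, which is what you get
    by waiting for the app to roll over (or by running oathtool again 30 seconds later).
    """
    token = parse_otpauth(uri)
    if at is None:
        at = time.time()
    args = (token["period"], token["digits"], token["algorithm"])
    return totp(token["secret"], at, *args), totp(token["secret"], at + token["period"], *args)


if __name__ == "__main__":
    token = parse_otpauth(PAGE_URI)
    first, second = consecutive_codes(PAGE_URI)
    print("serial number (from the label):", token["label"].split(":", 1)[1])
    print("first code:", first, " second code:", second)
```

Running the script prints the serial number that the PayPal form asks for and the current and next 6-digit codes, which should match what oathtool -d6 -b --totp produces for the same secret at the same time. The test vectors for this kind of implementation are the SHA-1 ones in RFC 6238 (key "12345678901234567890"), which conveniently include two adjacent 30-second steps.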
As a last step you can now remove or deactivate your SMS security key and simply use your 2FA app from now on. If you also use a strong password your security questions are probably your weakest link after this …