Symantec VIP two factor auth

I just set up Symantec VIP two-factor authentication for my bank account, to replace an old VeriSign hardware token. Symantec VIP is a mobile phone app, they also sell a hardware token.

The basic security model is similar to the VeriSign token or TOTP as implemented by Google Authenticator. I type my password to log in, then am prompted to type a six-digit second code from the Symantec VIP app. The code generated is valid for 30 seconds. I’m not positive it’s time-based; every time I generate a new token, it shows as being valid for a full 30 seconds.

The Symantec VIP app has a very simple model of user identity. The first time I ran the app on my phone it assigned me a “Credential ID”. I then supply that to every single site that I want to use it for 2FA. That’s different from the Google Authenticator model where you scan a QR code to set up a new site. Not sure how Symantec supports having multiple identities or changing your ID. There is an option to scan a QR code, so maybe there’s a second identity model.

There’s no backup of the token; if I lose the phone or something, I have to go back to my bank to set up access again, out of band.

Another slight weirdness: my bank says it will take 48 hours to enable the token. No explanation why it’d take that long. In the meantime they gave me a temporary six-digit code that will work many times as my 2FA code. That’s not ideal but probably harmless, at least in this application.

Symantec VIP is more complex than other 2FA systems I’ve seen. There’s a whole VIP Manager product for enterprise management; maybe that provides more flexibility and control for advanced users.

As an end user I prefer Google Authenticator, mostly because I’ve got it set up for several sites already. But Symantec VIP seems OK too. No idea how their backend integration tools compare. TOTP sounds awfully simple to deploy.

Update: one problem with the basic Symantec VIP model: my bank is relying on Symantec to keep the secret safe. They didn’t generate a new secret for me to share with them; they’re using whatever is baked into my default Symantec ID. That may be appropriate for many businesses that want to outsource security, but it’s a form of risk.