TOTP for PayPal in 1Password - Success

So, apparently I've been a lurker since about 2009 so I think it's finally time for me to contribute something.

Over the past month or so I've managed to round up most (if not all) of my online accounts and enable any two-factor authentication (2FA) that I could and change most of my passwords to be completely random. I've used 1Password to catalogue them all and inform me of weak and repeating ones etc. Long story short... I've enhanced my digital life security.

When it comes to 2FA however, it infuriates me when companies seem to rely on proprietary methods for accomplishing this because it stops me from using 1Password to hold all my information. However, I seem to have had some success with PayPal 2FA (provided by Symantec/VeriSign via VIP Access):

Link for the original blog post of Cyrozap's disassembly of their applications - it's quite old, dated 2014, but it's still a nice read.
Link to Cyrozap's associated GitHub project for an open implementation of PayPal's 2FA.

I followed the pip installation instructions for his python-vipaccess as stated and went through PayPal's "security key" activation and used the VSST[Number] for the "serial number".

Worked an absolute treat! ;)



Comments

  • Drew_AG 1Password Alumni

    Thank you very much for taking the time to share how you added a one-time password for your PayPal account in 1Password! Hopefully PayPal will make this process a bit easier in the future, but for now, if someone really wants to, it sounds like they can follow the same procedure you did.

    Thanks again, and if you need anything else, please let us know! :)

  • I'm very curious how this works exactly. Installing the python package is easy, and I can run the resulting tool, and sure enough it generates a VSST[number], but how do I connect that to the Security Key being generated at PayPal? My only option on that side is to provide a phone number, and they send an SMS to it. So I don't know how you got from the vipaccess command to a usable 2FA token...

  • edited February 2017

    Sorry, the VIP Access method seems to be a bit obscured on the PayPal website for some reason. However this link seems to work (https://www.paypal.com/us/cgi-bin/?cmd=_setup-security-key), just click on Activate Security Key on the right.

    PayPal, for some reason, prefers you to use the mobile phone version of 2FA but you can use both at the same time.

    Then after all that, when you try to log in, just click on "Use my Security Key instead" and enter it as normal.

    Let me know if this helps! 8-)

  • Brilliant! Yes, this worked, thank you very much! :)

  • Yale
    edited February 2017

    It took a few attempts for PayPal to accept the VSSTx serial number being generated. Fourth time worked.

    Thanks for this, that's one less app I need on my phone!

  • You're both very welcome ;)

  • Does this mean 1Password can now generate the PayPal 2FA code instead of the Symantec VIP App?

    That would be great!

  • Yes it does. Give it a go and let us know how it went for you. :)

  • XIII
    edited February 2017

    Give it a go and let us know how it went for you

    Pretty well :) Thank you very much for sharing this!

    I had two minor issues to overcome to get it to work:

    • I had to use pip3 instead of pip to install the Python script and its dependencies on my Mac (running macOS Sierra, with SIP)
    • I had to search for the URL to add a security key to PayPal (since they still do not offer that in my country)

    Works now. Nice!

    One remark; I noticed this when generating my "key":

    BE AWARE that this new credential expires on this date: 2020-02-10

    Does this mean that you have to generate a new code every 3 years (and replace the corresponding "security key")?

  • Ah that's brilliant, I'm glad you've succeeded. :)

    Yes, I also saw that the credentials had an expiry date. All I've done is noted the date and time down in the notes section of my PayPal login so that if it does truly expire then I'll know and I can quickly generate a new one.

    I assume it's just a security feature.

  • brenty

    Team Member

    @steven0451: Very cool! Thank you for sharing this! :chuffed:

    I'll add xcode-select --install (since I didn't have the developer tools installed on this machine) and sudo easy_install pip truly made the rest of the process...well, easy. Cheers! :)

  • Ben AWS Team

    Team Member

    Wow! Thanks for sharing this! It would be so great if PayPal would make this easier to accomplish...

    Ben

  • For anyone finding this with google, the GitHub repo linked to above did not work for me, but this one did:

    https://github.com/dlenski/python-vipaccess

    I've had a VIP Access card for years because 2FA via SMS is just a Bad Idea™. Unfortunately, the VIP Access cards do not have replaceable batteries. My only choices were to buy a new card (for a service I don't use often), use SMS (which is susceptible when your mobile operator decides to reassign your SIM), or use the Symantec VIP Access app, which I just plain don't trust (what if my phone is stolen or needs to be erased). 1Password is definitely where I want my tokens.

  • brenty

    Team Member

    Thanks for chiming in! I agree: I keep everything sensitive that I can in 1Password. Typically we think of security, but availability matters too when a battery dies. Better safe than sorry.

  • I have been trying to get this to work. I have generated the token, but every time I try to register it at Paypal, I get the following error message: We're sorry. There's been an intermittent communication problem. Please try again later.

    I have tried on several different browsers, but no luck. Anyone have any ideas?

  • brenty

    Team Member

    @cryptomanic: That's an odd error message. It doesn't sound like it's rejecting the code; rather, that sounds like a connection issue. Do you have "security" software which may be interfering? Also, having the date/time/zone off on any of your devices involved could cause them to generate invalid codes, or prevent the secure connection from being established. Try setting them manually.

    I'll be honest, I haven't disabled it again to try to test it with my own account. I was glad to get it working in the first place since this obviously isn't how PayPal intended things to work. "If it ain't broke then don't try to fix it" as they say. :blush:
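
Added example (not part of the thread, and not PayPal's or Symantec's code): the point above about a wrong date/time producing invalid codes, shown with a standard RFC 6238 TOTP computation. The secret is the published RFC 6238 test key, and the 30-second step and the server's acceptance window of one step either side are assumptions.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (RFC 6238 default; assumed here)

# Constructed sample secret: the published RFC 6238 SHA-1 test key, base32-encoded
# the way authenticator apps store it. Not a real credential.
SECRET = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32, unix_time, digits=6):
    """HMAC-SHA1 TOTP (RFC 6238) for the given clock reading."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(unix_time) // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def server_accepts(secret_b32, code, server_time, window=1):
    """Accept codes from the current step or `window` steps either side (assumed policy)."""
    return any(
        hmac.compare_digest(totp(secret_b32, server_time + d * STEP), code)
        for d in range(-window, window + 1)
    )


def skew_report(secret_b32, server_time, skews):
    """For each device clock error in seconds: would the device's code be accepted?"""
    return {
        s: server_accepts(secret_b32, totp(secret_b32, server_time + s), server_time)
        for s in skews
    }


if __name__ == "__main__":
    now = 1111111109  # fixed timestamp from the RFC 6238 test vectors
    print("server-side code:", totp(SECRET, now))
    for skew, ok in skew_report(SECRET, now, [0, 2, 120, -3600]).items():
        print(f"device clock off by {skew:>6}s -> {'accepted' if ok else 'rejected'}")
```

A device that is a couple of seconds off still lands in an accepted step; one that is minutes off, or an hour off because of a wrong time zone, produces a code the server never computes.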

  • Still can't get it working. I know that Paypal is trying to deprecate the use of the VIP tokens - I wonder if there has been a change at their end to prevent people from registering new ones? If anyone else can give this a shot and let me know if it works, it would be much appreciated.

  • brenty

    Team Member

    Well, I was worried there for a minute, but I can still login at least. Have you tried a different device? I may hazard disabling it to try again, but it won't be until later this week at the earliest as I don't want to have to deal with their support while traveling if I get locked out. :crazy:

  • Yep - tried 2 different devices, several different browsers, different network connections - no joy.

  • Still can't get it working. I know that Paypal is trying to deprecate the use of the VIP tokens - I wonder if there has been a change at their end to prevent people from registering new ones?

    Well if that's the case then that'll be truly saddening. I love having quick, easy & secure access to my PayPal account without having to use SMS verification. Also, when I originally registered my "token", it came with an expiry date of late 2019...so I guess we'll find out for sure if they've turned the tokens off for good.

  • brenty

    Team Member

    @steven0451: That is a bit disconcerting. I totally didn't pay attention to the expiry date when I did this, but I guess it would be roughly the same time frame as yours.

    @cryptomanic: Thanks for letting me know. This is going to drive me nuts, so I'll take this on within the next week or so and see if I get the same result, and/or can perhaps get a better sense of what the problem is — probably with an awkward call to PayPal support. lol

  • @brenty: Thanks - I look forward to hearing whether you are able to reproduce this problem.

  • That is a bit disconcerting. I totally didn't pay attention to the expiry date when I did this, but I guess it would be roughly the same time frame as yours.

    It would make sense from their perspective because these tokens were originally designed to be used with a separate physical device (with a battery), so the battery expires within a few years and the token would expire around the same time keeping their system more secure.

  • brenty

    Team Member

    @steven0451: Totally. I just wish they'd adopt the TOTP standard so we don't have to resort to these sorts of hacks or SMS.

    @cryptomanic: I'm not having a problem re-enabling it on my account after removing. That means either there's something wrong on your end or PayPal preventing you from completing the process, or they've disabled this but my account is flagged somehow since it had already been setup this way previously. Sorry I don't have any better insight for you. :(

  • @brenty: Thanks for checking on this for me. I will have to try again to see if I can get things to work

  • Ben AWS Team

    Team Member

    On behalf of Brenty you're most welcome. :)

    Ben

  • I gave this another go on a different computer, and got exactly the same result. For troubleshooting purposes, I guess I will have to wait and see if someone else who doesn't already have this enabled can enable this on Paypal.

  • Following up on this again. I tried setting up a "dummy"/new Paypal account, and was successful in implementing TOTP per this thread. But when I tried again on my existing account, I got the same error message. I can't figure out what the issue is here.

  • edited August 2017

    Finally figured out how to get it working. It turned out I had to deactivate all the prior tokens that were active (in my case, 2 very old hardware tokens/footballs, and the Verisign VIP app on my phone). Once I did this and logged out, I was able to activate the TOTP as described above. However, I ran into one small hiccup. When I use the clipboard autofill feature in 1P, it seems like the wrong 6 digit code is entered. If I manually cut and paste the code generated in the 1P entry, it works. Not sure why this is happening.

    EDIT: And now the clipboard autofill feature is working! I didn't do anything on my end, so I am not sure why it started working.

    Thanks to @steven0451 for starting this thread, and to everyone else who chipped in.

  • Ben AWS Team

    Team Member

    Excellent. Thanks for the update, @cryptomanic. :)

    Ben
