Skip to content

Instantly share code, notes, and snippets.

@natecj
Last active October 9, 2024 15:09
Show Gist options
  • Save natecj/db5d62ced567a43520e2d013509e049e to your computer and use it in GitHub Desktop.
Save natecj/db5d62ced567a43520e2d013509e049e to your computer and use it in GitHub Desktop.

How to use 1Password and 2FA with eTrade

IMPORTANT!
As of May 17, 2020, python-vipaccess stopped working for provisioning new Symantec VIP Access tokens (which was its raison d'être).
As of May 27, 2020, it's working again.
It might stop working again. and we might not be able to get it to work again (see #39)

Note: Your password cannot be more than 26 characters for you to use 2FA in general. eTrade makes you enter your 2FA code appened to your password to login and limits the length of password input to 32 characters, thus further restricting the maximum length of your actual password.


1. Install PIP

pip is already installed if you are using Python 2 >=2.7.9 or Python 3 >=3.4 downloaded from python.org or if you are working in a Virtual Environment created by virtualenv or pyvenv

Source: https://pip.pypa.io/en/stable/installing/

2. Install python-vipaccess

# Install latest release from PyPI
$ pip3 install python-vipaccess

# Install latest development version from GitHub
$ pip3 install https://github.com/dlenski/python-vipaccess/archive/HEAD.zip

Source: https://github.com/dlenski/python-vipaccess

3. Generate a credential

Run the following command:

vipaccess provision -p -t VSMT

The output will look something like this:

Generating request...
Fetching provisioning response...
Getting token from response...
Decrypting token...
Checking token...
Credential created successfully:
    otpauth://totp/VIP%20Access:VSMT71412959?secret=WR7UYWEG34C7IMIP6CZ7PXWORITEUBGN&digits=6&algorithm=SHA1&issuer=Symantec&period=30
This credential expires on this date: 2023-09-16T15:22:12.213Z

You will need the ID to register this credential: VSMT71412959

You can use oathtool to generate the same OTP codes
as would be produced by the official VIP Access apps:

    oathtool    -b --totp WR7UYWEG34C7IMIP6CZ7PXWORITEUBGN  # output one code
    oathtool -v -b --totp WR7UYWEG34C7IMIP6CZ7PXWORITEUBGN  # ... with extra information

4. Add credential to 1Password

Find your eTrade entry in 1Password and edit it. Under an existing or new section, create a text field for Credential ID with the value

VSMT71412959

and a one-time-password field with the value

otpauth://totp/VIP%20Access:VSMT71412959?secret=WR7UYWEG34C7IMIP6CZ7PXWORITEUBGN&digits=6&algorithm=SHA1&issuer=Symantec&period=30**

Your entry should look similar to the following before saving: 1password-example

If you are using a different authenticator tool/app, you can also generate a QR code to scan using qrencode:

brew install qrencode
qrencode -t UTF8 'otpauth://totp/VIP%20Access:VSMT71412959?secret=WR7UYWEG34C7IMIP6CZ7PXWORITEUBGN&digits=6&algorithm=SHA1&issuer=Symantec&period=30'

5. Register credential with eTrade

You can use the direct link https://us.etrade.com/e/t/accounts/mfaactivatetoken?FirstTime=YES&tokenkind=mobile or follow the steps below:

  1. Login to eTrade
  2. Click on the little profile icon in the top-right
  3. Click on "Security Settings"
  4. Click on "Manage two-factor authentication"
  5. Click on "Add authenticator"
  • Enter your Credential ID
  • Copy the TOTP code from 1Password
  • Provide a description such as "1Password" so you can differentiate this credential from others you might have.

6. Verify that it works

In an incognito window (or other browser, device), attempt to login to eTrade. Remember that you need to enter your password and append the current TOTP code. If everything works then you are done! Potential problems include an expired code, leaving out any of the query params in the OTP uri, and your password being more than 26 characters.

7. Optionally, register a backup device

If you are using 1Password synced to the cloud in some manner, then a backup device isn't as important since you ideally can always regain access to your vault in an emergency. If you are using 1Password standalone (no syncing) or you use some other password manager that does not have backup access of its own, then registering another device might be good to maintain access to your account if you lose the primary credentials. A backup device could be another credential generated through this process, or gasp use the Symantec app like they expect.

@luisincrespo
Copy link

This worked for me! Thanks for sharing!

@jasonajack
Copy link

This is awesome! Thanks for sharing this.

@tonycowan
Copy link

Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment