dlenski / python-vipaccess

A free software implementation of Symantec's VIP Access application and protocol

What does credential expiration mean?

aitte2 opened this issue · comments

Just curious... it seems like this reverse-engineered protocol registers a "new token device ID" by contacting Symantec's VIP access server, and that their server then replies with an expiration date of how long that device registration will be valid?

Or what is the expiration date for? Will the device token/serial number become invalid after that date? And I will need to generate a new device token before that date and switch my authenticator (website) setting to the new one before that date? I use it for PayPal, if that matters.

PS: Thank you so much for maintaining this library. This is awesome! :)

I actually have no idea what the expiration date actually does. By the very nature of the protocol, a TOTP token will be capable of continuing to generate valid self-synchronizing codes forever.

  • python-vipaccess shows the expiration dates simply because the Symantec VIP service exports them, and they seem significant.
  • I presume that if you register a Symantec VIP token with a service like PayPal, the service will start refusing to accept codes from the token around the expiration date. Perhaps it will ask you to register a new token if it expires.
  • I presume that if you use a Symantec VIP token with the official Symantec VIP apps, the apps will refuse to generate codes after the expiration date.

Beyond that, I have no insight.

Thanks @dlenski, I believe you are 100% correct. This would be in line with other "digital identification systems" I've seen in the past.

TOTP itself has no time limit, as you say. But I realize that Symantec VIP is an extended ecosystem built on top of that, and it clearly has some use for its "expiry" date. Many such "digital ID" systems use expiration dates to prevent tokens from being alive forever.

So I believe what happens on that date is something like what you said: Their server probably unregisters/deactivates the token serial number on that date, and their apps (if we had been using those) would refuse to generate new authentications with that token, and connected services (possibly optionally), such as PayPal, can probably check the expiration date and refuse use of that token after that date.

Seems like the mystery is solved. Just to be safe I'll just generate and switch tokens in 3 years at the expiration date. But letting a token expire at PayPal is probably no danger at all, since they wouldn't be silly enough to let expired token devices lock someone out completely. If they do indeed expire at PayPal, then I assume they just disassociate the access token from the account and remove the 2-factor.

If you want to, we can keep this open to see if someone else comes up with a definitive answer. But personally I am satisfied with the very-likely algorithm/scenario we've talked about here. :-)

This is a long shot, because I don't know how much of it applies to Symantec's setup and how much that doesn't, but here goes:

In Norway (and probably also in Sweden), people log into banks and public services with the BankID system, and the most common way to log in with BankID is to use a small stick that is virtually identical in shape, code length, and serial number format to what PayPal calls a 'security key token'.

Earlier today I received an SMS from BankID (the company behind it) that my BankID certificate had been renewed (which occurs every ca. 2 years), and that I had to log in to something with the key token stick within 60 days to keep the key token active (which I promptly did).

If Symantec uses the same underlying system for their key token system, they could be using a similar grace period when renewing their users' certificates, but oddly enough I can't find any Google results that confirm the existence of such a grace period...

> If Symantec uses the same underlying system for their key token system, they could be using a similar grace period when renewing their users' certificates…

@DandelionSprout, it's a good analogy.

There is no technical meaning of the "expiration date" for any system I'm aware of.

Not for RSA SecurID tokens, nor for [TH]OTP-based tokens like Symantec VIP. I have an expired RSA SecurID dongle which continues to display valid codes — the system it's associated with no longer accepts them, but its battery hasn't run out.

The "expiration date" of a token is simply a date when <some system that uses them> is programmed to stop accepting codes from that token. Likely in order to force the user to get re-approved or re-authorized, as in your example.
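To illustrate the point made in this thread, here is an added example (not code from python-vipaccess): a plain RFC 6238 TOTP generator, which has no concept of expiry, next to a model relying party that stores the expiration date reported at registration and refuses codes after it. The secret, the expiry date and the 30-second/6-digit parameters are constructed for the demo.

```python
import hmac
import hashlib
import struct
from datetime import datetime, timezone

# Constructed demo secret (20 bytes); not a real VIP credential.
SECRET = b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99" * 2
PERIOD = 30   # assumed time step in seconds
DIGITS = 6    # assumed code length


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, period: int = PERIOD) -> str:
    """RFC 6238 TOTP: HOTP over the current time step. The token itself never expires."""
    return hotp(secret, unix_time // period)


class RelyingParty:
    """Models a service (e.g. PayPal) that keeps the token's shared secret
    together with the expiration date the provider reported at registration."""

    def __init__(self, secret: bytes, expires_at: int, skew_steps: int = 1):
        self.secret = secret
        self.expires_at = expires_at   # Unix time after which codes are refused
        self.skew_steps = skew_steps   # accept neighbouring steps for clock drift

    def verify(self, code: str, unix_time: int) -> tuple:
        if unix_time >= self.expires_at:
            return False, "token expired"   # policy decision, not a crypto failure
        step = unix_time // PERIOD
        for delta in range(-self.skew_steps, self.skew_steps + 1):
            if hmac.compare_digest(hotp(self.secret, step + delta), code):
                return True, "ok"
        return False, "bad code"


def demo() -> dict:
    """Same token, one hour before and one hour after the stored expiry date."""
    expiry = int(datetime(2027, 1, 1, tzinfo=timezone.utc).timestamp())  # constructed
    rp = RelyingParty(SECRET, expiry)
    before, after = expiry - 3600, expiry + 3600
    return {
        "before": rp.verify(totp(SECRET, before), before),
        "after": rp.verify(totp(SECRET, after), after),
        "code_after_expiry_still_generated": len(totp(SECRET, after)) == DIGITS,
    }
```

The token keeps producing well-formed codes after the date; only the verifier's stored policy changes the outcome.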