Schwab / Symantec VIP Access vs. Yubikey

A Yubikey 5 NFC turns out to be perfectly compatible with any website using Symantec’s (no longer available) hardware key and VIP Access (definitely a misnomer) app to generate TOTP access codes, because the sites use bog-standard TOTP. The only difficulty is Symantec’s proprietary provisioning protocol, which creates the token (an ID linked to a secret value) used to generate the TOTP codes; that is how they monetize an open standard.

Fortunately, Cyrozap reverse-engineered the Symantec protocol, dlenski mechanized it with a Python script, and it works perfectly:

python3 -m venv symkey-env
source symkey-env/bin/activate
pip3 install https://github.com/dlenski/python-vipaccess/archive/HEAD.zip
vipaccess provision -t SYMC
deactivate

That spits out a file containing the ID and secret, from which you create a QR code for the Yubikey Authenticator app:

qrencode -t UTF8 'otpauth://totp/VIP%20Access:SYMCidnumbers?secret=longsecretgibberish&issuer=Symantec&algorithm=SHA1&digits=6'

Fire up the app, wave the Yubikey behind the phone, scan the QR code, wave the Yubikey again to store it, sign in to the Schwab site, turn on 2FA, enter the ID & current TOTP value from the Yubikey Authenticator, and It Just Works™.
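To show why this works, here is an added example (not the author’s code and not from python-vipaccess) that computes the same RFC 6238 TOTP codes the Yubikey will show and builds the otpauth URI from an ID and secret. The ID is a placeholder and the secret is the RFC 6238 test key, not a real credential; a check function confirms a code from the authenticator against the stored secret before you enable 2FA on the site.

```python
# Constructed example: plain RFC 6238 TOTP (HMAC-SHA1, 6 digits, 30 s) as used by Symantec VIP.
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# Placeholder values standing in for the ID and base32 secret that
# `vipaccess provision` writes out (the secret is the RFC 6238 test key).
EXAMPLE_ID = "SYMC00000000"
EXAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def otpauth_uri(cred_id, secret_b32, issuer="Symantec", label_prefix="VIP Access"):
    """Build the otpauth URI an authenticator app scans from a QR code.
    The label is URL-encoded so the space survives the QR round trip."""
    label = quote(f"{label_prefix}:{cred_id}", safe=":")
    return (f"otpauth://totp/{label}?secret={secret_b32}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, at=None, period=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    at = time.time() if at is None else at
    return hotp(secret_b32, int(at) // period, digits)


def code_matches(secret_b32, candidate, at=None, window=1):
    """Check a code shown by the authenticator against the stored secret,
    allowing +/- `window` 30 s steps of clock drift. Use it to confirm the
    QR import stored the secret correctly before turning on 2FA."""
    at = time.time() if at is None else at
    return any(hmac.compare_digest(totp(secret_b32, at + k * 30), candidate)
               for k in range(-window, window + 1))


if __name__ == "__main__":
    print(otpauth_uri(EXAMPLE_ID, EXAMPLE_SECRET))
    print("current code:", totp(EXAMPLE_SECRET))
```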

Of course, you can kiss Schwab’s tech support goodbye, because you’re on your own. If you ever lose the Yubikey, make sure you know the answers to your allegedly secret questions.

Equally of course, you’re downloading and running random shit from the Intertubes, but …

Now, if only all my financial institutions would get with the program.