This article provides the steps needed to configure One-time Password.
Applies to the following Sophos product(s) and version(s): Sophos UTM v9.2
A one-time password (OTP) - also called two-factor or multi-factor authentication - is a password that is valid for only one login session or transaction and includes a static component (your primary password) as well as a time-dependent or temporary (one-time use) pass-code. OTPs avoid a number of shortcomings that are associated with traditional passwords. The most important shortcoming addressed by OTPs is that, in contrast to a single static password, they are not vulnerable to replay attacks. This means that a potential intruder who manages to obtain an OTP that was already used to log into a service or to conduct a transaction will not be able to re-use (or abuse) that OTP.
Log in to WebAdmin and go to Definitions & Users | Authentication Services | One-time Password.
To manually add an OTP token for a new user, click on the green plus ('+') button in the 'OTP Tokens' section. When the 'Add OTP Token' dialog box appears, click on the green plus ('+') to create a new user, or the green folder icon to add an existing UTM user to manually create a token. Next, type in a Secret for this user – this will come from the hardware token (e.g. YubiKey in TOTP/OATH mode) for that user, or you can use an online generator (e.g. Password Generator - Letters to Use=Hex, Length=64).
Under the 'Advanced' section, you can change the token timestep for a user if it needs to be different from the default of 30 seconds. You can also hide the token information in the User Portal (this might be helpful if you don't want users to know the Secret - for example, if you are using a hardware token). If you allow token information in the portal, a QR code will appear with which the user can generate their token. You can also allow the token to be used for shell access.
Finally, click ‘Save’ to add the user. You can also add more than one token to a user (if you are using hardware as well as software tokens, for example).
You can also add up to 10 additional codes that the user can use if they have lost access to their authentication tool and need to log in immediately. The user would contact the UTM administrator and ask for one of the additional codes. You can add these codes by clicking on edit for an existing user. At the bottom of the 'Advanced' section, there is a field called 'additional codes'; when you click on the '+' button, the UTM automatically creates 10 codes with 6 digits each.
The Sophos OTP implementation is TOTP (time-based OTP), so you can only use authenticators or hardware tokens that are designed for TOTP. The recommended authenticator programs for smartphones and tablets are 'Sophos Authenticator' or ‘Google Authenticator’. Type your secret key into the app or scan the QR code you’ll find by logging into the User Portal – as shown in the screenshot below.
Important: When using Google Authenticator for Android devices, the only supported timestep is 30 sec.
Sophos Authenticator via Play Store
Sophos Authenticator via iTunes
With the key stored in the Sophos Authenticator App, a personal token will be automatically generated which will be valid for the configured timestep (usually 30 seconds).
Important: Typing in an incorrect passcode will cause the generated token to become invalid until the next timestep is reached - OTP passwords are only valid once per timestep.
When entering the password, you'll need to append the one-time pass-code after your normal password.
With OTP it will be: <password><onetime pass-code> (e.g. password128363)
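Added example (not Sophos code and not part of the original article): a Python sketch of how a time-based pass-code is derived from the hex Secret and how a <password><onetime pass-code> login can be checked with only one attempt per timestep, as described above. It assumes RFC 6238 with HMAC-SHA1 and 6-digit codes; the names totp and OtpLogin and the sample secret are illustrative and do not describe the UTM's internals.

```python
import hashlib
import hmac
import struct

DIGITS = 6  # assumption: 6-digit codes, matching the example "password128363"
# Constructed sample secret (the RFC 6238 test key, hex-encoded), not a real token.
SAMPLE_SECRET_HEX = "3132333435363738393031323334353637383930"


def totp(secret_hex: str, now: float, timestep: int = 30) -> str:
    """Return the TOTP code for a hex secret (RFC 6238, HMAC-SHA1 assumed)."""
    counter = struct.pack(">Q", int(now) // timestep)
    mac = hmac.new(bytes.fromhex(secret_hex), counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class OtpLogin:
    """Hypothetical verifier: one attempt per timestep, so a used code cannot be replayed."""

    def __init__(self, password: str, secret_hex: str, timestep: int = 30):
        self.password = password
        self.secret_hex = secret_hex
        self.timestep = timestep
        self.spent_step = -1  # newest timestep in which an attempt was made

    def check(self, submitted: str, now: float) -> bool:
        step = int(now) // self.timestep
        if step <= self.spent_step:
            return False  # this timestep is already spent
        self.spent_step = step  # right or wrong, the attempt spends the timestep
        # Input format from the article: <password><one-time pass-code>
        password, code = submitted[:-DIGITS], submitted[-DIGITS:]
        expected = totp(self.secret_hex, now, self.timestep)
        ok_password = hmac.compare_digest(password.encode(), self.password.encode())
        ok_code = hmac.compare_digest(code.encode(), expected.encode())
        return ok_password and ok_code


if __name__ == "__main__":
    login = OtpLogin("password", SAMPLE_SECRET_HEX)
    t = 59  # constructed timestamp (seconds since the epoch)
    attempt = "password" + totp(SAMPLE_SECRET_HEX, t)
    print(attempt, login.check(attempt, t))  # first use is accepted
    print(attempt, login.check(attempt, t))  # replay in the same timestep is refused
```

Because the code depends on the current time divided by the timestep, the token and the verifier must agree on both the clock and the timestep, which is why a non-default timestep has to be supported by the authenticator in use.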