Sophos SSL-VPN with MFA client password save


Recently I have rolled out SSL-VPN solutions for several clients, all of them are complaining about the inability to save their passwords and state that the Sophos client is very user-unfriendly. I agree in this and want a solution.

MFA is mandatory. A situation where username and passwords are saved and filled automatically is fine, clients can add the MFA code after this. But this does not work:

- Saving the password with MFA works, but makes the connection, obviously, fail on the second login.

- Saving without MFA deletes the credentials because the login failed.

We use the Sophos connect client, downloaded from the VPN-Portal with MFA. The Firewall uses version 19.01.

Looking forward to any solution or any posts that are on this topic.

Kind regards,


Edited TAGs
[edited by: Erick Jan at 11:30 PM (GMT -8) on 4 Dec 2022]
Parents Reply
  • Hi Niels,

    I think there is a misunderstanding here.   Talks about the first time connect when there are two separate logons, first to to the userportal and second to the vpn. The second fails with the first otp.

    You have a differnt problem, after entering username, password+OTP your clients select save username and password, but this is with OTP.

    So the password say "password123456" is saved and that will not work the next time they logon.

    You can solve this. The Sophos Connect client is able to show a separate OTP field, so there will be a username filed, password field, and a OTP field. saving user+passwd will work then.

    The problem here is, how to add the OTP field?

    When you use a provision file .pro it easy just add "otp": true,

    "display_name": "Name of VPN",
    "gateway": "ip or dns",
    "user_portal_port": 4443,
    "otp": true,
    "2fa": 0,
    "can_save_credentials": true,
    "check_remote_availability": false,
    "run_logon_script": false

    Edit the fields with your info and save as import (ore just double click) this in the client. Using this method has some other nice benefits to.

    With the config file from the userportal this not passible as far as i know.

    Maybe someone from staff knows?  



    Bart van der Horst

    Sophos XG v18(.5) / v19 Certified Architect