Generate OTP token with next sign-in

Hello Jae ,

Thank you for reaching out to the community, You can either select for specific users or groups or for All.

Generate OTP token with next sign-in

You can do one of the following:

• On: Users must use an authenticator application for generating passcodes.

  They must sign in to the user portal and scan the QR code using the authenticator app. The QR code only appears for the users and groups you've specified. See OTP token.

• Off: Users must use the hardware token your organization has implemented.

  Under Issued tokens, manually configure a token for each user.

Additionally, you may also refer a recommended read -  Sophos Firewall: How to configure Multi-factor authentication and understanding the OTP timestep settings

This doesn't explain what happens to all my users that already use the Microsoft Authenticator to connect using the Sophos SSL VPN client if I turn this on.  I am unable to add new users because this setting is off.  What happens to all of my current users if I turn this on?  Do they all need to get new tokens or can they continue to use the old ones?

If the user is on firewall and has min. 1 OTP hash assigned, nothing will happen

This will not impact the existing users who has a hardware/software token already generated. 

Perfect, thank you!  I have users all over the globe and this would be a mess if they all needed new tokens.  OK, I will turn it on and see what happens.  Thanks.

Thank you!  I will give it a try.

You can also test it with a test user created on the firewall (without OTP). Give the user a hash in the settings (maybe your own for testing). When possible (maybe some late night, no one is login to the firewall for some minutes) activate the button and test -> you should able to login with OTP you assigned without need to create a new one like any other existing user who already has a hash assigned.

You can also test it with a test user created on the firewall (without OTP). Give the user a hash in the settings (maybe your own for testing). When possible (maybe some late night, no one is login to the firewall for some minutes) activate the button and test -> you should able to login with OTP you assigned without need to create a new one like any other existing user who already has a hash assigned.

Yes, I wanted to test it but I thought as soon as I turned it on it would require all the users to get new tokens and turning it back off would not reverse this and I would be screwed.  We are also 24/7 shop so there is no time when no one is on and working.

Even with 24/7: As long no user is using the user portal/vpn it has no impact, by the way this setting is reversible.

Good to know it is reversable.  We don't use the user portal just the Sophos SSL VPN client that uses the same token to connect remotely.