Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos XGS MFA OTP scan QR Code Loop

Hello,

we use a XGS 2300 SFOS 19.5.3 MR-3-Build652 and I activated MFA for my account. When I login I can scan the QR code and I can see that a token is generated but everytime I log in it says that the QR code is unused and I should scan it again. Its a loop and Im not able the get to the user portal with my personal account.

As soon as I deactivate MFA with the admin account I have no problem. I tried Sophos, Google and Microsoft Authenticator Apps on Android 14.

I've seen the UTM9 threads with the loop ahd algorithm problem but I think I cant change the SHA settings in XGS or can I?



This thread was automatically locked due to age.
Parents Reply
  • Ok, sorry I havent noticed that the passcode should follow the password.

    Is there any information on how this works? It seems very unsecure because a mechanism must seperate the password and the passcode right?

Children
  • Hi  Thanks for the update and I am glad the shared document steps helped you to fix the error. The passcode generated is based on TOTP Password Algorithm.

    Can you please elaborate more on why it falls under an unsecured mechanism because of no separation of the password and the passcode? So that can help me to get more clarity on it and based on that, I can get back to you with the next update/research on it.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support

    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'Verify Answer' link.

  • I can try:
    I thought that the password I type into the login gets encrypted and then checked/matched against the password in the db. With the passcode included the encrypted message differs from the encrypted password in the db so there needs to be some extra seperation step to know what is the password and to know what is the 6 digit passcode.

    With an extra textfield for the 6 digit passcode the password and the passcode would get encrypted independet from each other and checked against the db an the authenticator app seperatly. Merging this together seems like a bad move.

  • Thanks for sharing the above information, Do you have any reference guidelines or documents where you came across and got the above details that suggest that combining password and passcode is not the best practice and should be avoided or to get dept info for the loopholes in this kind of combined integration? The intention is before I represent or raise internally I wanted to understand this fully.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support

    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'Verify Answer' link.