This article details how to configure the Sophos Firewall to add an extra layer of authentication by enabling multi-factor authentication using Token2 hardware tokens.
Applies to the following Sophos products and versions
Most Sophos product versions support two methods of creating OTP tokens:
- Automatic: the 'Auto-create OTP tokens for users' option is enabled and the token is created on the user's first login. This method can be used to provision programmable tokens; the procedure is similar to this one, starting from the step where the QR code is scanned.
- Manual: the 'Auto-create OTP tokens for users' option is disabled and the administrator enters each token's secret. This is the method to use for classic (pre-seeded) hardware tokens. See the guide below for deploying OTP tokens manually.
Enabling hardware tokens
- Go to Configure > Authentication > One-Time Password and click the Settings button.
- Enable One-Time Password.
- Add a manual OTP token for the user: go back to Configure > Authentication > One-Time Password and click Add.
- Enter the secret and select the username to assign the token to. Note that Sophos expects the secret in hex format, not Base32; a Base32 seed pasted into this field will not produce matching codes. You can request the secrets of your hardware tokens here.
These steps are enough to enable OTP for this user. The default time step on Sophos is 30 seconds, which matches the time step of our classic hardware tokens, so it does not need to be changed. Because TOTP codes are derived from the current time, the firewall's clock must be accurate (synchronise it with NTP); a drifting clock is the usual cause of codes that are rejected although the secret was entered correctly.
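The Sophos dialog only accepts the secret in hex, while QR codes and authenticator apps normally carry the same seed in Base32. The following helper, added here as an example and not Token2's or Sophos's own code, checks a seed before you paste it, converts between the two encodings, and computes the code the firewall will expect at a given time so you can compare it with the digits the hardware token displays. It assumes HMAC-SHA1, 6 digits and a 30-second time step (the Sophos default noted above); the sample seed is the RFC 6238 test vector, not a real token secret, and all function names are this example's own.

```python
"""Sanity-check a TOTP seed before entering it as a manual OTP token on a
Sophos Firewall, and compute the code the firewall will expect.

Added example for this article, not Token2 or Sophos code. Assumptions:
HMAC-SHA1, 6 digits and a 30-second time step (the Sophos default); the
sample seed below is the RFC 6238 test vector, not a real token secret.
"""
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 Appendix B test seed (ASCII "12345678901234567890"), in the two
# encodings you will meet: Base32 (QR codes, apps) and hex (Sophos dialog).
SAMPLE_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
SAMPLE_SEED_HEX = "3132333435363738393031323334353637383930"


def base32_to_hex(seed_b32: str) -> str:
    """Convert a Base32 seed to the hex form the Sophos manual-token dialog expects."""
    s = seed_b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)  # restore padding that most QR generators strip
    return base64.b32decode(s).hex()


def hex_to_base32(seed_hex: str) -> str:
    """Reverse conversion, e.g. to load the same seed into an authenticator app."""
    return base64.b32encode(bytes.fromhex(seed_hex)).decode().rstrip("=")


def is_valid_hex_seed(seed: str) -> bool:
    """True if `seed` is hex and at least 128 bits long (RFC 4226 minimum).
    A Base32 string pasted by mistake fails here instead of on the firewall."""
    try:
        raw = bytes.fromhex(seed.strip())
    except ValueError:
        return False
    return len(raw) >= 16


def totp(seed_hex: str, unix_time: int, time_step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given seed and Unix time."""
    key = bytes.fromhex(seed_hex)
    counter = unix_time // time_step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def codes_within_skew(seed_hex: str, unix_time: int, steps: int = 1,
                      time_step: int = 30) -> dict:
    """Codes for the current time step and `steps` neighbours on each side.
    If the hardware token only ever matches offset -1 or +1, either the token
    or the firewall clock is drifting by one time step."""
    return {k: totp(seed_hex, unix_time + k * time_step, time_step)
            for k in range(-steps, steps + 1)}


if __name__ == "__main__":
    assert is_valid_hex_seed(SAMPLE_SEED_HEX)
    assert base32_to_hex(SAMPLE_SEED_B32) == SAMPLE_SEED_HEX
    now = int(time.time())
    print("hex seed for Sophos:", SAMPLE_SEED_HEX)
    print("expected code now  :", totp(SAMPLE_SEED_HEX, now))
    print("codes within 1 step:", codes_within_skew(SAMPLE_SEED_HEX, now))
```

Run it with the real hex secret in place of the sample and compare the printed code with the token's display at the same moment; a match at offset 0 confirms both the secret format and the clocks, while a match only at -1 or +1 points to time drift rather than a wrong secret.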
Advanced settings: Emergency Account Access
You can add up to 10 additional codes that a user can fall back on if they lose access to their hardware token and need to log in immediately. The user contacts the administrator and asks for one of the codes, or the codes can be handed to the user in advance. To add them, click Edit for an existing user's token; at the bottom of the Advanced section there is a field called Additional codes. Click the + button to generate ten six-digit codes automatically. Treat these codes as credentials: distribute them over a secure channel and do not leave them in an e-mail or ticket once they have been used.