One-time Password Settings
This page allows you to enable and configure the one-time password service.
1. Go to Device Configuration > Configure > Authentication > One-time Password and click the Settings button.
2. Activate the one-time password service by clicking on the One-time Password ON/OFF switch.
3. Specify the OTP service status.
OTP for all users
If enabled, all users have to use one-time passwords. If only specific users should use one-time passwords, disable this option and select Add New Item and add users or groups from the list.
Auto-Create OTP Tokens for users
If enabled, a QR code for configuring the mobile device software will be presented to the authorized users the next time they log in to the User Portal. For this to work, make sure that the users have access to the User Portal. When a user logs in to the User Portal, the respective token will appear in the OTP Tokens list. Enabling this feature is recommended when you are using soft tokens on mobile devices. If your users only use hardware tokens, you should instead disable this option and add the tokens before enabling the OTP feature.
Enable OTP for facilities
Here, you select the Sophos XG Firewall device facilities that the selected users may only access with one-time passwords. When you select the Auto-create OTP tokens for users option, the User Portal needs to be enabled for security reasons: because the User Portal gives access to the OTP tokens, it must not be protected any more weakly than the facilities those tokens protect.
* When selecting WebAdmin, you have to ensure that the selected users have access to their one-time password tokens. Otherwise you may lock them out of WebAdmin permanently.
4. Specify the timestep settings.
Default token timestep in seconds
To synchronize one-time password generation on the mobile device and on the CFM, the timestep has to be identical on both sides. Some hardware tokens use 60 seconds. Other software OTP tokens use a timestep of 30 seconds, which is the default value here. If the timestep does not match, authentication fails.
Acceptable Range: 10 - 300 seconds
Default: 30 seconds
Maximum passcode offset steps
With this option you set the maximum passcode offset in steps. For example, if you set 3 steps, a token's clock may drift by no more than 3 timesteps between two logins; a passcode generated further away from the device's current timestep is rejected.
Acceptable range: 0 - 10 steps
Default: 1 step
Maximum initial passcode offset steps
With this option you set the maximum initial passcode offset in steps. For example, if you set 10 steps, a token's clock may drift by no more than 10 timesteps between two logins. This option is only applied when the user employs the token for the very first time.
Acceptable range: 0 - 600 steps
Default: 10 steps
5. Click Apply.
6. Select Sophos XG Firewall device(s) on which you want to apply this configuration and click Save.
 
The one-time password settings will be saved and immediately applicable.
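The timestep and offset-step settings in step 4 are easiest to understand by running a TOTP check. The following Python example is added here and is not part of the Sophos documentation or the firewall's own code. It implements standard RFC 6238 TOTP (HMAC-SHA1, 6 digits, which is what common mobile soft tokens compute), uses a constructed secret and a fixed clock value, and assumes that "passcode offset steps" means a symmetric window of timesteps around the device's current step. It shows why a timestep mismatch rejects a perfectly valid token, why a drifted token fails with the default offset of 1 step, and how the larger initial window tolerates that drift on first use.

```python
import hashlib
import hmac
import struct

# Constructed example values (not from the documentation): a 20-byte shared
# secret and a fixed Unix time so the results are reproducible offline.
SECRET = b"12345678901234567890"
NOW = 1_700_000_000


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, timestep: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock and timestep.
    This is what the token (phone app or hardware) computes on its own clock."""
    return hotp(secret, now // timestep, digits)


def verify_totp(secret, passcode, now, timestep=30, max_offset_steps=1, digits=6):
    """Server-side check. Accepts the passcode if it matches the server's current
    timestep or any step within +/- max_offset_steps of it (the assumed meaning
    of 'Maximum passcode offset steps'). Returns the matching offset in steps,
    or None if the passcode is rejected. compare_digest keeps the comparison
    constant-time so timing does not reveal how many digits matched."""
    current = now // timestep
    for delta in range(-max_offset_steps, max_offset_steps + 1):
        if hmac.compare_digest(hotp(secret, current + delta, digits), passcode):
            return delta
    return None


def scenarios():
    """Exercise the settings the page describes and return the verdicts."""
    results = {}

    # 1. Token and server agree on a 30-second timestep and the clocks are in sync.
    code = totp(SECRET, NOW, timestep=30)
    results["in_sync"] = verify_totp(SECRET, code, NOW, timestep=30, max_offset_steps=1)

    # 2. The token's clock is 2 timesteps (60 s) ahead. With the default offset of
    #    1 step the passcode falls outside the window and is rejected...
    ahead = totp(SECRET, NOW + 2 * 30, timestep=30)
    results["drift_2_steps_offset_1"] = verify_totp(
        SECRET, ahead, NOW, timestep=30, max_offset_steps=1)

    # 3. ...but the larger initial window (default 10 steps on first use) accepts
    #    it and reports that the token runs 2 steps ahead.
    results["drift_2_steps_initial_offset_10"] = verify_totp(
        SECRET, ahead, NOW, timestep=30, max_offset_steps=10)

    # 4. Timestep mismatch: a 30-second soft token checked by a server configured
    #    for 60-second steps. The counters differ, so authentication fails even
    #    though both clocks are exact and the secret is correct.
    results["timestep_mismatch"] = verify_totp(
        SECRET, code, NOW, timestep=60, max_offset_steps=1)

    return results


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        outcome = "rejected" if verdict is None else f"accepted (offset {verdict} steps)"
        print(f"{name:35s} -> {outcome}")
```

When a user reports that a freshly enrolled soft token works once and then fails, scenario 2 is the usual cause: the phone's clock has drifted past the 1-step window that applies after the first login. Fixing the device clock (or, for hardware tokens, keeping the configured timestep equal to the token's) resolves it without touching the secret.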