Configuring two-factor authentication

Two-factor authentication ensures that only users with trusted devices can log on. To provide two-factor authentication, you configure the OTP service. Then, end-users scan tokens and obtain passcodes using Sophos Authenticator.

Objectives

When you complete this unit, you’ll know how to do the following:
  • Turn on the OTP service and specify settings.
  • Scan tokens and obtain passcodes using Sophos Authenticator on the client.

Specify OTP service settings

First, you turn on the OTP service. Then, to maximize the protection this type of authentication offers, you require all users to use it. You also specify the features for which two-factor authentication is required.

The following steps are executed on the firewall.

  1. Go to Authentication > One-time password and click Settings.
  2. Specify the settings.
    OptionDescription
    One-time password On
    OTP for all users On
    Auto-create OTP tokens for users On
  3. Enable OTP for WebAdmin and User portal.
  4. Click Apply.

Obtain a token and passcodes

End-users scan the OTP token through the user portal using Sophos Authenticator. The authenticator then provides passcodes.

The following steps are executed by an end-user.

  1. Download Sophos Authenticator for Android or Sophos Authenticator for iOS on a mobile device.
  2. Log on through the user portal.
    The user portal displays the OTP token.
  3. Scan the OTP token using Sophos Authenticator.
    Sophos Authenticator begins creating passcodes.
  4. Go to user portal again and log on by typing the password using the following format: <user_password><generated_passcode>.