Deploying OTP tokens manually

In some cases, you may need to provide an OTP token to an end-user manually, even when the service is set to create tokens automatically. These cases include, for example, when a user doesn’t have access to Sophos Authenticator. To do this, you configure the OTP service and deploy a token manually. Then, the user obtains the token through the captive portal.


When you complete this unit, you’ll know how to do the following:
  • Turn on the OTP service and specify settings.
  • Add a token and provide it to the user through the user portal.

Specify OTP service settings

First, you turn on the OTP service. Then, to maximize the protection this type of authentication offers, you require all users to use it. You also specify the features for which two-factor authentication is required.

The following steps are executed on the firewall.

  1. Go to Authentication > One-time password and click Settings.
  2. Specify settings.
    One-time password On
    OTP for all users On
    Auto-create OTP tokens for users On
  3. Enable OTP for WebAdmin and User portal.
  4. Click Apply.

Add a token

Add a token. The end-user obtains the token through the captive portal.

  1. Go to Authentication > One-time password and click Add.
  2. Specify settings.
    Secret abcdefabcdefabcdefabcdefabcdefabcdef
    User jsmith
  3. Click Save.
    The QR code is available to the end-user in the captive portal. The user can scan the code with Sophos Authenticator and begin using passcodes to log on.
  4. Optional Locate the user and click .

    The firewall displays the token as a QR code and text key. You can send the text key to the user.