OTP service settings
One-time password: Turn on the one-time password service.
OTP for all users: Require all users to use one-time passwords. If you want only specific users to use one-time passwords, turn this setting off and select users.
Auto-create OTP tokens for users: Automatically create OTP tokens for users. Tokens are deployed as a QR code in the user portal. Users scan the code with Sophos Authenticator, which then generates passcodes. If you do not enable this setting, you must provide OTP tokens manually.
Enable OTP for facilities: Firewall features that require two-factor authentication.
User portal must be selected when auto-create is enabled.
When WebAdmin is selected, you must ensure that users have access to one-time password tokens. If they do not, you risk logging them out permanently.
Default token timestep in seconds: Interval, in seconds, with which passcode generation occurs on the one-time password service. This value must be the same as that specified by Sophos Authenticator. The one-time password service and Sophos Authenticator have a default value of 30 seconds.
Maximum passcode offset steps: Maximum number of timesteps by which the clock of a token can drift between client and server. For example, if you specify a value of 3 and the timestep is 30 seconds, the client can use any passcode from the previous 90 seconds or the subsequent 90 seconds as long as the code was not already used.
Maximum initial passcode offset steps: Maximum number of timesteps by which the clock of a token can drift between client and server for the first sign-in only.