
Multi-factor authentication (MFA)

You can implement multi-factor authentication using hardware or software tokens. You must link software tokens to an authenticator application, such as any third-party authenticator on a mobile device or tablet. When users log on, they must provide a password and a passcode.


Sophos Authenticator is reaching the End of Life (EOL) on July 31, 2022. Users setting up multi-factor authentication for the first time can no longer download Sophos Authenticator. They must use another authenticator application, such as the authenticator feature of Sophos Intercept X, Google Authenticator, or any other third-party application. Users already using Sophos Authenticator can continue using it. However, we recommend these users migrate to another authenticator application. See Migrate to another authenticator application.

You can turn on MFA for all users or just specific users. To turn on MFA for the default admin account, go to Administration > Device access.

Multi-factor authentication (MFA) settings

To configure MFA for users other than the default admin account, do as follows:

  1. Under One-time password (OTP), select if you want to turn on MFA for All users or Specific users and groups.

    1. If you're only configuring MFA for specific users and groups, click Add users and groups, select the users and groups you want to add, and click Apply.
  2. Turn on Generate OTP token with next sign-in. When you turn this on, users are asked to set up an authentication app on their mobile device and scan the generated QR code the next time they sign in to the user portal. Administrators are also asked to do this the next time they sign in to the web admin console.


    If you don't turn on Generate OTP token with next sign-in, you must configure a hardware token for each user under Issued tokens.

  3. Select the services for which you want to turn on MFA. You can select the following services:

    1. User portal
    2. Web admin console
    3. SSL VPN remote access
    4. IPsec remote access


    User portal is automatically selected when Generate OTP token with next sign-in is turned on.

  4. Click OTP timestep settings to customize the timestep settings. You can configure the following settings:

| Setting | Description |
| --- | --- |
| Default token timestep | The interval in seconds at which new OTP codes are generated. Default: 30. |
| Maximum verification code offset | The maximum number of timesteps a code remains valid. Default: 2. |
| Maximum initial verification code offset | The maximum offset in which the initially generated code can be used. Default: 10. |

Issued tokens

To manually configure hardware tokens, do as follows:

  1. Click Add token (for hardware tokens).
  2. Enter the following information:

    | Information | Description |
    | --- | --- |
    | Secret | Enter a secret for the token. The following restrictions apply: only hexadecimal characters; even character count; minimum of 32 characters; maximum of 120 characters. |
    | User | Select the user of the token. |
    | Description | Enter a description of the token. |
    | Use custom timestep | Turn on to configure a custom timestep. |
    | Timestep | Enter the timestep that matches the hardware token settings. |
  3. Click Save.
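
The following is an added example, not Sophos code: it checks a hardware-token secret against the restrictions listed above and shows how the timestep and verification code offset decide whether a time-based code is accepted. It assumes RFC 6238 TOTP with HMAC-SHA1 and 6-digit codes, and that the offset applies in both directions around the verifier's clock; the function names are hypothetical and the sample secret is the RFC 6238 test key in hex.

```python
import hashlib
import hmac
import re
import struct

# Constructed sample: the RFC 6238 test key "12345678901234567890" as hex.
SAMPLE_SECRET = "3132333435363738393031323334353637383930"
SECRET_RE = re.compile(r"[0-9A-Fa-f]{32,120}")


def validate_secret(secret_hex):
    """Return the key bytes, or raise ValueError if a listed restriction fails."""
    if not SECRET_RE.fullmatch(secret_hex):
        raise ValueError("secret must be 32 to 120 hexadecimal characters")
    if len(secret_hex) % 2:
        raise ValueError("secret must have an even character count")
    return bytes.fromhex(secret_hex)


def totp(key, unix_time, timestep=30, digits=6):
    """RFC 6238 code for the timestep containing unix_time (HMAC-SHA1 assumed)."""
    counter = struct.pack(">Q", int(unix_time) // timestep)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    pos = mac[-1] & 0x0F  # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[pos:pos + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(key, code, unix_time, timestep=30, max_offset=2):
    """Return the timestep offset at which code matches, or None if rejected.

    Assumption: codes are accepted up to max_offset timesteps before or
    after the verifier's clock. The returned offset is the clock drift a
    verifier could store for that token.
    """
    for offset in sorted(range(-max_offset, max_offset + 1), key=abs):
        t = unix_time + offset * timestep
        if t < 0:
            continue  # no timestep exists before the epoch
        expected = totp(key, t, timestep)
        if hmac.compare_digest(expected.encode(), code.encode()):
            return offset
    return None
```

Calling `verify` with `max_offset=10` models the wider window described for the initially generated code.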

Issued tokens status and actions

You can do the following for each token:

  • You can see the username and name of the user to whom you've issued the token.
  • Turn the status on or off to temporarily prevent the user from signing in.


    If a user loses their mobile device, they must sign in to the user portal using the new device and scan the QR code again. See OTP token.

    If a user loses a hardware token, you must delete the issued token and issue a new token for the user.

  • To synchronize the firewall with the authenticator app or hardware token's timestep, click Synchronize token time offset. You must use this if you change the timestep value.

  • You can edit and delete the tokens.

Issued tokens details.
