Multi-factor authentication (MFA) settings

You can implement multi-factor authentication using hardware or software tokens.

One-time password (OTP)

The default setting is No OTP and doesn't require MFA from users. To implement MFA, select one of the following options:

  • All users
  • Specific users and groups. Click Add users and groups, select the users and groups, and click Apply selected items.


To turn on MFA for the default admin, go to Administration > Device access. Scroll down, turn on MFA for default admin, and click Apply.

Generate OTP token with next sign-in

You can do one of the following:

  • On: Users must use an authenticator application for generating passcodes.

    They must sign in to the user portal and scan the QR code using the authenticator app. The QR code only appears for the users and groups you've specified. See OTP token.

  • Off: Users must use the hardware token your organization has implemented.

    Under Issued tokens, manually configure a token for each user.

Services requiring MFA

When Generate OTP token with next sign-in is turned on, User portal is automatically selected, allowing users to scan the QR code.

Under Require MFA for, select from the following services:

  • User portal: Users and administrators can scan the QR code on the user portal.
  • Web admin console: Administrators can also scan the QR code on the web admin console.
  • SSL VPN remote access
  • IPsec remote access


To establish remote access VPN connections, users must first scan the QR code on the user portal.


Currently, the Sophos Connect client for remote access VPN doesn't support OTP challenge. It sends the password and OTP details in passwordotp format to the authentication server. So, when the authentication server sends an OTP challenge to users, it doesn't receive the OTP alone, and authentication doesn't take place.

The Sophos Connect client supports Call and Push-based MFA. The user portal and web admin console support these and challenge-based MFA.

OTP timestep settings

(Optional) Click OTP timestep settings, then configure the following settings:

  • Default token timestep: Interval at which the authenticator app or hardware token generates new passcodes.

    You must enter the interval used by the app or hardware token.

    Default: 30 seconds

  • Maximum verification code offset: The number of timesteps a passcode remains valid for.

    For example, for an offset value of 2 and a 30-second timestep, users can enter any unused passcode from the previous 60 seconds.

    Default: 2

  • Maximum initial verification code offset: The number of timesteps the first passcode remains valid for after users scan the QR code.

    For example, for an initial offset value of 10 and a 30-second timestep, the first passcode generated remains valid for 300 seconds if it isn't already used.

    Default: 10
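
How the three timestep settings interact, shown as an added example that is not Sophos code and not part of the original page: a time-based OTP check in the style of RFC 6238. Assumptions: HMAC-SHA1 with 6-digit codes, a window that looks backward from the current timestep, and replay protection that rejects any timestep at or before the last accepted one; `TokenVerifier` and its parameter names are hypothetical.

```python
import hashlib
import hmac
import struct


def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 one-time value for a timestep counter (HMAC-SHA1 assumed)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    pos = mac[-1] & 0x0F  # dynamic truncation offset
    value = struct.unpack(">I", mac[pos:pos + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class TokenVerifier:
    """Hypothetical verifier modelling the three timestep settings."""

    def __init__(self, secret, timestep=30, max_offset=2, max_initial_offset=10):
        self.secret = secret
        self.timestep = timestep                      # Default token timestep
        self.max_offset = max_offset                  # Maximum verification code offset
        self.max_initial_offset = max_initial_offset  # Maximum initial offset
        self.last_counter = None                      # newest timestep accepted so far

    def verify(self, code: str, now: float) -> bool:
        current = int(now // self.timestep)
        # Until a first passcode is accepted, the wider initial window applies.
        first_use = self.last_counter is None
        window = self.max_initial_offset if first_use else self.max_offset
        oldest = max(current - window, 0)
        for counter in range(current, oldest - 1, -1):
            if not first_use and counter <= self.last_counter:
                break  # this and all older timesteps are already consumed
            if hmac.compare_digest(totp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False
```

A larger offset tolerates more clock drift between the token and the firewall, but it also lengthens the time an intercepted, unused passcode stays acceptable.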