Skip to content
Last update: 2022-05-25

Multi-factor authentication (MFA)

You can implement two-factor authentication using hardware or software tokens. Software tokens must be linked to an authenticator app such as Sophos Authenticator or any third-party authenticator on a mobile device or tablet. When users log on, they must provide a password and a passcode.

You can turn on MFA for all users or just specific users. To turn on MFA for the default admin account, go to Administration > Device access.

Multi-factor authentication (MFA) settings

To configure MFA for users other than the default admin account, do as follows:

  1. Under One-time password (OTP), select if you want to turn on MFA for All users or Specific users and groups.

    1. If you're only configuring MFA for specific users and groups, click Add users and groups, select the users and groups you want to add, and click Apply.
  2. Turn on Generate OTP token with next sign-in. When you turn this on, users are asked to set up an authentication app on their mobile device and scan the generated QR code the next time they sign in to the user portal.


    If you don't turn on Generate OTP token with next sign-in, you must configure a hardware token for each user under Issued tokens.

  3. Select which services MFA is used for, these can be:

    1. User portal
    2. Web admin console
    3. SSL VPN remote access
    4. IPsec remote access


    User portal is automatically selected when Generate OTP token with next sign-in is turned on.

  4. Click OTP timestep settings to customize the timestep settings. The following settings can be configured:

Setting Description
Default token timestep The interval in seconds at which new OPT codes are generated. Default: 30.
Maximum verification code offset The maximum number of timesteps a code remains valid. Default: 2.
Maximum initial verification code offset The maximum offset in which the initially generated code can be used. Default: 10.

Issued tokens

To manually configure hardware tokens, do as follows:

  1. Click Add token (for hardware tokens).
  2. Enter the following information:

    Information Description
    Secret Enter a secret for the token. The following restrictions apply:
    • Only hexadecimal characters.
    • Even character count.
    • Minimum of 32 characters.
    • Maximum of 120 characters.
    User Select the user of the token.
    Description Enter a description of the token.
    Use custom timestep Turn on to configure a custom timestep.
    Timestep Enter the timestep that matches the hardware token settings.

    Click Save.

More resources

Back to top