Configure MFA with an authenticator app
To implement Multi-Factor Authentication (MFA) with an authenticator application, configure the MFA settings in the firewall.
See the following example settings:
Configure MFA settings in the firewall
If you haven't already configured the MFA settings, do as follows:
- Go to Authentication > Multi-factor authentication.
- For One-time password, select Specific users and groups.
- Click Add new users and groups, select the users and groups, and click Apply selected items.
- Turn on Generate OTP token with next sign-in. A QR code becomes available on the VPN portal.
- Select the services that require MFA. This example selects web admin console and SSL VPN remote access. User portal is selected by default so that users can scan the QR code.
- For OTP timestep settings, enter the timestep (time period) value that the authenticator app requires.
- Click Apply.
Users generate passcodes
Sophos Firewall uses Time-based OTPs (TOTP).
Users must first sign in to the VPN portal or the user portal and scan the QR code with their authenticator app. The app then generates the passcodes, that is, the OTPs.
If you enforce MFA for web admin console sign-ins, administrators can sign in to either the web admin console or the user portal.
To sign in to the services that require MFA, users must enter the password and passcode together in <password><passcode> format. See OTP token.
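The following is an added example, not Sophos code, that shows what the settings above mean in practice: how an authenticator app derives a TOTP passcode (RFC 6238, HMAC-SHA1, 6 digits, which this example assumes as the firewall's defaults), why the OTP timestep configured on the firewall must match the app's time period, and how a verifier can take the concatenated <password><passcode> entry apart. The shared secret is the RFC 6238 test-vector key, and the password and timestamps are constructed values.

```python
"""Added example (not Sophos Firewall code): RFC 6238 TOTP generation and
a verifier for the concatenated <password><passcode> sign-in format."""
import base64
import hashlib
import hmac
import struct
import time

# Constructed: base32 of the RFC 4226/6238 test-vector key "12345678901234567890".
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
DIGITS = 6  # assumption: 6-digit codes, as common authenticator apps produce


def hotp(secret_b32, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, timestep=30, at=None, digits=DIGITS):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / timestep).

    The counter, and therefore the passcode, depends on the timestep, which is
    why the firewall's OTP timestep must equal the authenticator app's period.
    """
    t = time.time() if at is None else at
    return hotp(secret_b32, int(t // timestep), digits)


def split_credential(entry, digits=DIGITS):
    """Split a <password><passcode> entry: the passcode is the trailing digit group."""
    if len(entry) <= digits or not entry[-digits:].isdigit():
        raise ValueError("entry must end with a %d-digit passcode" % digits)
    return entry[:-digits], entry[-digits:]


def verify(entry, expected_password, secret_b32, timestep=30, at=None, window=1):
    """Check password and passcode; tolerate +/- `window` steps of clock skew.

    Every candidate is compared with a constant-time compare, and the loop does
    not short-circuit, so timing does not reveal which step matched.
    """
    try:
        password, passcode = split_credential(entry)
    except ValueError:
        return False
    pw_ok = hmac.compare_digest(password.encode(), expected_password.encode())
    t = time.time() if at is None else at
    otp_ok = False
    for skew in range(-window, window + 1):
        candidate = totp(secret_b32, timestep, t + skew * timestep)
        otp_ok |= hmac.compare_digest(candidate, passcode)
    return pw_ok and otp_ok


if __name__ == "__main__":
    # Constructed timestamp 59: a 30-second step and a 60-second step give different codes.
    print("30 s step:", totp(EXAMPLE_SECRET_B32, 30, 59))
    print("60 s step:", totp(EXAMPLE_SECRET_B32, 60, 59))
    print("verify:", verify("hunter2287082", "hunter2", EXAMPLE_SECRET_B32, 30, at=59))
```

Run with a 30-second step at timestamp 59 the code is the RFC 6238 test-vector value; with a 60-second step the same secret and time land in a different counter window and produce a different code, which is exactly the mismatch a user sees when the timestep on the firewall differs from the app's period.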