
Multi-factor authentication (MFA) settings

You can implement multi-factor authentication using hardware or software tokens.

One-time password (OTP)

The default setting is No OTP, which doesn't require MFA from users. To implement MFA, select one of the following options:

  • All users
  • Specific users and groups. Click Add users and groups, select the users and groups, and click Apply selected items.

Note

To turn on MFA for the default admin, go to Administration > Device access. Scroll down, turn on MFA for default admin, and click Apply.

Generate OTP token with next sign-in

You can do one of the following:

  • On: Users must use an authenticator application for generating passcodes.

    They must sign in to the VPN or user portal and scan the QR code using the authenticator app. The QR code only appears for the users and groups you've specified. See OTP token.

    Note

    If you use external authentication servers, such as Active Directory (AD), and remove these users from a group with MFA, they must sign in once with MFA. For subsequent sign-ins, they don't require an OTP.

  • Off: Users must use the hardware token your organization has implemented.

    Under Issued tokens, manually configure a token for each user.

Services requiring MFA

When Generate OTP token with next sign-in is turned on, User portal is automatically selected, allowing users to scan the QR code.

Under Require MFA for, select from the following services:

  • User portal: Users and administrators can scan the QR code on the user portal.

    Note

    Turning on MFA for the user portal also applies it to the captive portal and client authentication agents.

  • VPN portal: Users and administrators can scan the QR code on the VPN portal.

  • Web admin console: Administrators can also scan the QR code on the web admin console.
  • SSL VPN remote access
  • IPsec remote access

Tip

To establish remote access VPN connections, users must first scan the QR code on the VPN portal.

Note

Currently, the Sophos Connect client for remote access VPN doesn't support OTP challenge. It sends the password and OTP concatenated as a single value (passwordotp format) to the authentication server. So, when the authentication server sends an OTP challenge to users, it doesn't receive the OTP on its own, and authentication fails.

The Sophos Connect client supports Call and Push-based MFA. The user portal and web admin console support these and challenge-based MFA.

OTP timestep settings

(Optional) Click OTP timestep settings, then configure the following settings:

Setting Description
Default token timestep

Interval at which the authenticator app or hardware token generates new passcodes.

You must enter the interval used by the app or hardware token.

Default: 30 seconds

Maximum verification code offset

The number of timesteps a passcode remains valid for.

For example, for an offset value of 2 and a 30-second timestep, users can enter any unused passcode from the previous 60 seconds.

Default: 2

Maximum initial verification code offset

The number of timesteps the first passcode remains valid for after users scan the QR code.

For example, for an initial offset value of 10 and a 30-second timestep, the first passcode generated remains valid for 300 seconds if it isn't already used.

Default: 10
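The three timestep settings as a worked example (added here; this is not Sophos code, and the firewall's own verification logic may differ): a minimal RFC 6238 TOTP check in Python that applies the timestep, the verification code offset window, the wider initial offset for the first passcode after enrolment, and refuses to accept a passcode a second time. The secret is a constructed placeholder; OtpVerifier and its method names are assumptions for this example.

```python
import hmac
import hashlib
import struct

# Constructed demo secret (raw bytes); not a value from the page.
SECRET = b"constructed-demo-secret-0123"


def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the timestep counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Models the page's settings: timestep, maximum verification code offset,
    and maximum initial verification code offset (used only until the first
    passcode after scanning the QR code is accepted). Accepted counters are
    recorded so an already used passcode is rejected, matching 'unused passcode'."""

    def __init__(self, secret: bytes, timestep: int = 30,
                 max_offset: int = 2, max_initial_offset: int = 10):
        self.secret = secret
        self.timestep = timestep
        self.max_offset = max_offset
        self.max_initial_offset = max_initial_offset
        self.used_counters: set[int] = set()
        self.enrolled = False  # becomes True once the first passcode is accepted

    def verify(self, code: str, now: int) -> bool:
        """Accept a passcode if it belongs to one of the last `offset` timesteps
        (offset 2 at 30 s = the previous 60 s) and has not been used before."""
        current = now // self.timestep
        window = self.max_offset if self.enrolled else self.max_initial_offset
        for back in range(window):
            counter = current - back
            if counter in self.used_counters:
                continue  # passcode for this timestep was already consumed
            if hmac.compare_digest(totp(self.secret, counter), code):
                self.used_counters.add(counter)
                self.enrolled = True
                return True
        return False
```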