
Migrate to SHA256 or SHA512

SFOS versions earlier than SFOS 22.0 use the SHA1 hash algorithm for the one-time passwords (OTP) used in multi-factor authentication (MFA). SHA1 is weaker than SHA256 or SHA512 and is no longer recommended for new deployments.

A user's MFA configuration can contain SHA1, SHA256, and SHA512 tokens at the same time, so selecting a stronger algorithm doesn't by itself retire tokens that were already issued with SHA1. Those tokens remain a security risk until you delete them.

We recommend that you use SHA256 or SHA512 for better security.

To migrate to the SHA256 or SHA512 hash algorithm, do as follows.

Select a hash algorithm

You must select the SHA256 or SHA512 hash algorithm in the MFA settings.

To select the hash algorithm, do as follows:

  1. Go to Authentication > Multi-factor authentication.
  2. Under One-time password (OTP), turn on Generate OTP token with next sign-in.
  3. Under OTP hash algorithm, select SHA256 or SHA512.
  4. Click Apply.

Delete issued tokens in the firewall

You must delete the existing SHA1 tokens so users can't continue to sign in with them. Because you turned on Generate OTP token with next sign-in, the firewall issues each affected user a new token, using the selected algorithm, at their next sign-in.

To delete the SHA1 tokens, do as follows:

  1. Go to Authentication > Multi-factor authentication.
  2. Under Issued tokens, select the users using a SHA1 hash algorithm, then click Delete.


  3. Click OK.

Note

To delete the default administrator tokens, you must sign in as the default administrator.

Users rescan the QR code

The users whose tokens you've deleted must do as follows:

  1. Sign in to the VPN portal or user portal with the password alone (no passcode appended).

    Note

    For the default administrator, sign in to the web admin console using only the password.

  2. Scan the QR code shown using an authenticator app that supports SHA256 or SHA512, such as Intercept X for Mobile or Google Authenticator.

    Note

    An authenticator app that doesn't support SHA256 or SHA512 can still scan the QR code, but the passcodes it generates won't match the ones the firewall computes, so the sign-in fails.

  3. Sign in to the VPN portal, user portal, or web admin console as follows:

    • Username: <username>
    • One-time password: <yourpassword><passcode>, that is, your password immediately followed by the current passcode, with no space or separator between them.

You've now migrated to the SHA256 or SHA512 hash algorithm.
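The following is an added example, not Sophos code and not part of the original page. It shows, in Python, why a SHA1-only authenticator app fails after the migration (the note under the rescan step) and what a server-side check that refuses SHA1-enrolled tokens looks like. It assumes the firewall's OTP is standard TOTP (RFC 6238) delivered as an otpauth:// QR code, which is what Google Authenticator-compatible apps implement; the otpauth URI, its secret, the account name, and the function names are constructed for this example. The known-answer values in the usage note are the RFC 6238 Appendix B test vectors.

```python
"""Added example (not Sophos code): SHA1 vs SHA256/SHA512 TOTP codes and a
server-side check that refuses SHA1 tokens. Assumes standard RFC 6238 TOTP
enrolled through an otpauth:// QR code."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

# Constructed otpauth URI of the kind an authenticator app decodes from the QR code.
# Secret, issuer and account are made up for this example.
SAMPLE_URI = (
    "otpauth://totp/SFOS:alice@example.com"
    "?secret=JBSWY3DPEHPK3PXP&issuer=SFOS&algorithm=SHA256&digits=6&period=30"
)

HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_otpauth(uri):
    """Return (secret_bytes, algorithm, digits, period) from an otpauth://totp URI.
    A missing algorithm parameter means SHA1, the RFC 6238 default that apps assume."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    b32 = params["secret"].upper()
    b32 += "=" * (-len(b32) % 8)  # QR payloads usually omit base32 padding
    algorithm = params.get("algorithm", "SHA1").upper()
    if algorithm not in HASHES:
        raise ValueError("unsupported algorithm " + algorithm)
    return (base64.b32decode(b32), algorithm,
            int(params.get("digits", "6")), int(params.get("period", "30")))


def hotp(secret, counter, algorithm="SHA1", digits=6):
    """RFC 4226 HOTP with the HMAC hash selectable, as RFC 6238 permits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), HASHES[algorithm]).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, algorithm="SHA1", digits=6, period=30, at=None):
    """Time-based code for the time step containing `at` (default: now)."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // period), algorithm, digits)


def app_code_matches(uri, at, app_supports_algorithm=True):
    """Does the app's passcode match the firewall's? An app that ignores the
    algorithm parameter falls back to SHA1, so against a SHA256/SHA512
    enrolment its codes diverge (barring a 1-in-10**digits coincidence):
    the sign-in failure the note describes."""
    secret, algorithm, digits, period = parse_otpauth(uri)
    expected = totp(secret, algorithm, digits, period, at)
    app_alg = algorithm if app_supports_algorithm else "SHA1"
    shown = totp(secret, app_alg, digits, period, at)
    return hmac.compare_digest(expected, shown)


def verify(secret, algorithm, code, at, digits=6, period=30, window=1):
    """Server-side acceptance check with the policy the migration enforces:
    SHA1-enrolled tokens are refused outright; SHA256/SHA512 codes are accepted
    for the current step or within +/-window steps of clock drift."""
    if algorithm not in ("SHA256", "SHA512"):
        return False
    step = int(at // period)
    return any(hmac.compare_digest(hotp(secret, step + d, algorithm, digits), code)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    secret, algorithm, digits, period = parse_otpauth(SAMPLE_URI)
    now = time.time()
    print("enrolled algorithm            :", algorithm)
    print("code the firewall expects     :", totp(secret, algorithm, digits, period, now))
    print("code a SHA1-only app displays :", totp(secret, "SHA1", digits, period, now))
    print("SHA1 token accepted after migration?",
          verify(secret, "SHA1", totp(secret, "SHA1", at=now), now))
```

Run it and the two printed codes differ because the same secret is keyed into HMAC-SHA1 on the app and HMAC-SHA256 on the firewall. To check the primitives against published known answers, `hotp(b"12345678901234567890", 1, "SHA1", 8)` is `94287082`, `hotp(b"12345678901234567890123456789012", 1, "SHA256", 8)` is `46119246`, and `hotp(b"1234567890" * 6 + b"1234", 1, "SHA512", 8)` is `90693936` (RFC 6238 Appendix B, T=59). `verify()` rejecting SHA1 is the code-level counterpart of deleting the SHA1 tokens on the firewall: the old secret still exists on the user's phone, but nothing accepts it.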