
Configure MFA with an authenticator app

To implement Multi-Factor Authentication (MFA) with an authenticator application, configure the MFA settings in the firewall.

The firewall supports SHA1, SHA256, and SHA512 hash algorithms.

Configure MFA settings in the firewall

If you haven't already configured the MFA settings, do as follows:

  1. Go to Authentication > Multi-factor authentication.
  2. For One-time password, select Specific users and groups.
  3. Click Add new users and groups, select the users and groups, and click Apply selected items.

    MFA users and groups.

  4. Turn on Generate OTP token with next sign-in.

    A QR code becomes available on the services where you require MFA.

  5. Select the services that require MFA.

    This example selects web admin console and SSL VPN remote access. User portal is selected by default for users to scan the QR code.

    MFA services.

  6. For OTP hash algorithm, select a hash algorithm.

  7. For OTP timestep settings, enter the timestep (time period) value the authenticator app requires.
  8. Click Apply.

Users generate passcodes

Sophos Firewall uses Time-based OTPs (TOTP).

Users must first sign in to the VPN or user portal to scan the QR code using their authenticator app. The app will generate the passcodes, that is, OTPs.

Note

We recommend that you use an authenticator app that supports SHA256 and SHA512, such as Sophos Intercept X or Google Authenticator.

If you enforce MFA for web admin console sign-ins, administrators can sign in to either the web admin console or the user portal.

To sign in to the services requiring MFA, users must enter the password in <password><passcode> format. See OTP token.

Note

You must use a hash algorithm that your authenticator app supports. If you use an authenticator app that doesn't support SHA256 or SHA512, such as Microsoft Authenticator, you can still scan the QR code, but the sign-in fails.
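The following is an added example, not Sophos code, showing what the settings above mean on the wire: a minimal RFC 6238 TOTP verifier that takes the OTP hash algorithm and timestep as parameters, parses the otpauth URI that an enrolment QR code typically encodes, and splits the <password><passcode> string into its two factors. The secret seeds, URI and password below are constructed (the seeds are the RFC 6238 test-vector keys), and the `otpauth://` label and parameter names are the common convention, not values taken from the firewall. Running it with a code generated under one algorithm and verified under another shows why a mismatch between the app and the firewall makes sign-in fail even though the QR code scanned fine.

```python
"""Added example: TOTP verification with configurable hash algorithm and timestep.
Not Sophos code; all seeds, URIs and passwords here are constructed."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse


def hotp(key: bytes, counter: int, algorithm: str = "sha1", digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, algorithm: str = "sha1", timestep: int = 30, digits: int = 6, at=None) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / timestep).
    `timestep` is the firewall's 'OTP timestep settings' value; `algorithm` its 'OTP hash algorithm'."""
    now = int(time.time()) if at is None else int(at)
    return hotp(key, now // timestep, algorithm, digits)


def verify_totp(key: bytes, passcode: str, algorithm: str, timestep: int,
                digits: int = 6, at=None, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbouring steps to tolerate clock drift."""
    now = int(time.time()) if at is None else int(at)
    counter = now // timestep
    return any(
        hmac.compare_digest(hotp(key, counter + d, algorithm, digits), passcode)
        for d in range(-window, window + 1)
    )


def parse_otpauth(uri: str) -> dict:
    """Extract secret, algorithm, period and digits from an otpauth:// URI
    (the conventional content of a TOTP enrolment QR code; assumed format, not firewall-specific)."""
    params = {k: v[0] for k, v in parse_qs(urlparse(uri).query).items()}
    secret = params["secret"].upper()
    secret += "=" * (-len(secret) % 8)  # restore base32 padding that apps usually strip
    return {
        "key": base64.b32decode(secret),
        "algorithm": params.get("algorithm", "SHA1").lower(),  # SHA1 is the usual default if absent
        "period": int(params.get("period", 30)),
        "digits": int(params.get("digits", 6)),
    }


def split_password_passcode(combined: str, digits: int = 6):
    """Split the <password><passcode> string: the last `digits` characters are the OTP."""
    if len(combined) <= digits or not combined[-digits:].isdigit():
        return None
    return combined[:-digits], combined[-digits:]


def check_sign_in(combined: str, stored_password: str, key: bytes,
                  algorithm: str, timestep: int, at=None) -> bool:
    """Verify both factors; evaluate both so a failure does not reveal which one was wrong."""
    parts = split_password_passcode(combined)
    if parts is None:
        return False
    password, passcode = parts
    password_ok = hmac.compare_digest(password.encode(), stored_password.encode())
    otp_ok = verify_totp(key, passcode, algorithm, timestep, at=at)
    return password_ok and otp_ok


if __name__ == "__main__":
    # Constructed enrolment URI: 32-byte RFC 6238 SHA256 test key, SHA256, 30-second step.
    enrol = parse_otpauth(
        "otpauth://totp/Firewall:alice?secret="
        + "GEZDGNBVGY3TQOJQ" * 3 + "GEZA" + "&algorithm=SHA256&period=30"
    )
    now = int(time.time())
    good_app = totp(enrol["key"], enrol["algorithm"], enrol["period"], at=now)
    sha1_only_app = totp(enrol["key"], "sha1", enrol["period"], at=now)  # app ignoring algorithm=
    print("firewall SHA256, app SHA256:",
          check_sign_in("S3cret!" + good_app, "S3cret!", enrol["key"], "sha256", 30, at=now))
    print("firewall SHA256, app SHA1:  ",
          check_sign_in("S3cret!" + sha1_only_app, "S3cret!", enrol["key"], "sha256", 30, at=now))
```

The verifier checks the password and the passcode independently and only then combines the results, and it uses `hmac.compare_digest` for both comparisons so that response time does not leak which factor was wrong. The `window` argument is the usual tolerance for clock drift between the phone and the firewall; keep it small, since every extra step accepted widens the set of codes that would be valid at any moment.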