On the Definitions & Users > Authentication Services > One-time Password tab you can configure the one-time password (OTP) service, and you can monitor or edit the tokens of the one-time password users. One-time passwords are a method to improve security for password-based authentication. The user-specific password, which is sometimes too weak, will be amended with a one-time password that is valid for only one login. Thus, even if an attacker gets hold of it, he will not be able to log in with it.
One-time passwords generally change consistently, in regular intervals, being calculated automatically by a specific algorithm. Soon after a new password is calculated, the old password expires automatically. To calculate one-time passwords, users need to have either a mobile device with an appropriate software, or a special hardware or security token. Hardware tokens are ready to use from the start. On the mobile device, end users need to install Google Authenticator or a similar software and deploy the configuration, which is available in the User Portal as a QR code, on the start page or on the OTP Token page (see User Portal page). Having done that, the device calculates one-time passwords in token-specific intervals. It is important that date and time are correct on the mobile device as the time stamp is used for one-time password generation.
Note – To authenticate on the facilities where the one-time password is required, users have to enter their user-specific Sophos UTM password, directly followed by the one-time password.
You can also generate one-time passwords, also known as passcodes, manually. In this case, you have to ensure that these not time-limited one-time passwords are safely transmitted to the end users. This process, however, should only be considered as a temporary solution, for example when users temporarily have no access to his or her password calculating device.
Note – Once an OTP token is created an information icon appears on the right side for each token. You can view the QR code and its details by clicking on the information icon.
Enabling and Configuring One-time Password Service
To configure the one-time password service, do the following:
All users must use one-time passwords: By default, this checkbox is enabled and all users have to use one-time passwords. If only specific users should use one-time passwords, disable the checkbox and select or add users or groups to the box.
Caution – If you disabled the function All users must use one-time passwords, this automatically affects the Users/Groups in other parts of Sophos UTM. For example, Reverse Authentication.
Note – The option Create users automatically must be activated for users with backend authentication. You can find the option under Definitions & Users > Authentication Services > Global Settings > Automatic User Creation.
Auto-create OTP tokens for users: If selected, a QR code for configuring the mobile device software will be presented to the authorized users the next time they log in to the User Portal. For this to work, make sure that the users have access to the User Portal (see Management > User Portal pages). When users log in to the User Portal, their respective token will appear in the OTP Tokens list. Enabling this feature is recommended when you are using soft tokens on mobile devices. If your users only use hardware tokens you should instead disable the checkbox and add or import the tokens before enabling the OTP feature.
Hash algorithm used: Select a hash algorithm (RFC 6234) to encrypt the auto-created OTP tokens.
Enable OTP for facilities: Here you select Sophos UTM facilities that should be accessed with one-time passwords by the selected users. When you select the Auto-create OTP tokens for users checkbox, the User Portal needs to be enabled for security reasons: As the User Portal gives access to the OTP tokens, it should have no weaker protection itself. To activate OTP for secure shell access, you have to additionally enable shell access usage for the respective tokens (see Adding or Editing OTP Tokens Manually). The corresponding users then have to log in as loginuser with the loginuser password, appended by the one-time password.
Caution – Especially when selecting WebAdmin or Shell Access for OTP usage, you have to ensure that the selected users have access to the one-time password tokens. Otherwise you may log them out permanently.
In the Timestep Settings section, make the following settings:
Default token timestep: To synchronize one-time password generation on the mobile device and on Sophos UTM, the timestep has to be identical on both sides. Some hardware tokens use 60 seconds.Other software OTP tokens use a timestep of 30 seconds which is the default value here. If the timestep does not match, authentication fails. The value entered here is used automatically for each new OTP token. The allowed range for the timestep is 10-120.
Maximum passcode offset: With help of this option you can set the maximum passcode offset steps. This means if you for example set 3 steps you restrict the clock of a token to drift no more than 3 timesteps between two logins. The maximum passcode offset requires a range of 0-10.
Maximum initial passcode offset: With help of this option you can set the maximum initial passcode offset steps. This means if you for example set 10 steps you restrict the clock of a token to drift no more than 10 timesteps between two logins. The maximum initial passcode offset requires a range of 0-600.
Your settings will be saved.
If you use hardware tokens, import or add them into the OTP Tokens section.
Click the Import icon on the top right of the list. Select the method CSV Import. Then paste the CSV separated data into the text box and click Save.
PSKC Upload: OTP tokens which are using the OATH-TOTP standard are mostly delivered in a file which contains serial numbers and secrets using PSKC format. For encrypted files the decryption key is being supplied by out-of-band (paper-based). The standardized PSKC schema version 1.0 is supported (see https://tools.ietf.org/html/rfc6030).
Note – Please refer to the following draft for additional information about the TOTP profile: draft-hoyer-keyprov-pskc-algorithm-profiles-01.txt.
Click the Import icon on the top right of the list. Select the method PSKC Upload. Select the requested file and click Start Upload. If the file is encrypted, enter the Decryption Key and click Save.
Note – Sophos does not support public key encryption/authentication, only preshared key with AES/SHA1.
CSV Import: Use the data received from the hardware token vendor to generate a CSV file, using semicolons, in UTF-8 encoding. The file needs to contain three columns with the following content: secret, timestep, and comment. The secret, a unique, device-specific string, is mandatory, and should have a hexadecimal format and a length of minimum 128 bit. The other columns may be empty. If timestep is empty, the default token timestep defined in the OTP Settings section is used.
After the import/upload you can modify the entries using the Edit icon. Additionally, you can always add single entries by clicking the Plus icon (see Adding or Editing OTP Tokens Manually).
Enable the one-time password service.
Click the toggle switch on top of the page. The toggle switch turns green.
If Auto-create OTP tokens for users is enabled, as soon as one of the users specified for one-time password authentication logs in to the User Portal for the first time, Sophos UTM auto-creates the OTP token entry if it was not generated up front. Additionally, the Reset icon of the entry is enabled.
Using the toggle switch of an entry you can disable it, for example in case a user has lost his hardware token. Using the appropriate icon, you can delete an entry, for example if a hardware token is broken. Be aware that in both cases, if the Auto-create OTP tokens for users option is enabled, users can still re-authenticate because they have access to the token secret. In the OTP Tokens list, a new entry will be displayed.
On the top right of the OTP Tokens list, a search box and navigation icons are available to navigate through and to filter the list.
Cross Reference – Find information about configuring OTP in the Sophos Knowledge Base.
In the OTP Tokens area are some additional functional icons.
|Sets the token to a 'never-used' state, the so-called initial state. If the reset was performed, users will see the QR code again when logging in to the User Portal. The reset function is available if users logged in with OTP at least once.|
|Shows that the token is configured to be used for remote shell access.|
|Shows that the token information will not be displayed in the User Portal.|
|Shows additional token codes.|
|Allows you to show the token time-offsets.|
|Shows the QR code of the token and its information.|
You can add or edit OTP tokens.
Tip – Usually you would not add single OTP tokens but either import them—in case of hardware tokens—or, using mobile devices, automatically generate them, using the Auto-create OTP tokens for users option.
Open the dialog to add or edit the OTP token.
To add an OTP token, click the green Plus icon on the top right of the OTP Tokens list.
To edit an OTP token, click the Edit icon in front of the respective entry in the OTP Tokens list.
Make the following settings:
Secret: This is the shared secret of the user's hardware token or soft token. A hardware token has an unchangeable secret, given by the hardware producer. The soft token is created randomly by Sophos UTM, when Auto-create OTP tokens for users is enabled. The secret should have a hexadecimal format and a length of 128 bit.
Comment (optional): Add a description or other information. This text will be displayed with the QR code in the User Portal. If you define different tokens for one person, e.g., a hardware token and a soft token for the mobile phone, it is useful to enter some explanation here as users will be displayed all QR codes side by side.
Optionally, make the following advanced settings:
Use custom token timestep: If you need another timestep for a token than the default token timestep defined in the OTP Settings section, enable this checkbox and enter the value. The timestep defined here has to correspond with the timestep of the user's password generation device, otherwise authentication fails.
Hide token information in User Portal: If enabled, the token will not be displayed in the User Portal. This can be useful for hardware tokens, where no configuration is needed, or for example when the soft tokens should not be configured by end dusers, but centrally, by you.
Token can be used for shell access: If enabled, the token can be used for command-line access to Sophos UTM. For this to work, shell access has to be enabled in the OTP Settings section, and shell access with password authentication has to be enabled for Sophos UTM in general (see Management > System Settings > Shell Access). OTP tokens with permission for shell access have a Command Shell icon on the right. For one-time password shell access, users then have to log in as loginuser with the loginuser password, appended by the one-time password.
Additional codes (only when editing an OTP token): You can add one-time passwords manually for a token. Either click the green Plus icon to enter one one-time password at a time, or use the Generate button to generate 10 one-time passwords at once. You can also import or export the one-time passwords using the Action icon. These one-time passwords are not time-limited. One-time passwords will be deleted automatically when users have logged in with it. OTP tokens with additional one-time passwords have a Plus icon on the right. Hovering the cursor on it shows the list of one-time passwords.
Your settings will be saved.
Synchronizing OTP Token Time
When hardware OTP tokens, their build-in quartz clocks might run slower or faster than 'real world' clocks. VASCO token specification for example allows a time-drift of about 2 seconds each day. After some month, the time drift of the hardware token might be so big, that the OTP code on the token will not match the calculated OTP of Sophos UTM anymore and also be so high that it does not match the default accepted OTP windows of +/- one token code. So the OTP code will be denied by Sophos UTM.
Each time users log on to Sophos UTM using a valid hardware token code, Sophos UTM calculates whether the token code is more than one time-step value away or not. If yes, Sophos UTM changes the token-specific time drift value automatically.
With Sophos UTM you can calculate the time-offset and synchronize it. Proceed as follows:
In the OTP Tokens area click on the Stopwatch icon.
The check OTP token time-offset dialog box opens. The current offset for this token is displayed.
Enter the Token Passcode.
The token passcode is a six digit number created by the hardware device.
The result will be displayed after a few seconds. If the passcode was vaild the message says if and how many timesteps the token is off.
If you want to set the offset for the token, click OK.
The token time-offset is updated.
The dialog box closes.