FW3545 19.0v1 Enabling Multifactor Authentication On Sophos Firewall


Enabling Multifactor Authentication on Sophos Firewall

Sophos Firewall
Version: 19.0v1


Sophos Firewall
FW3545: Enabling Multifactor Authentication on Sophos Firewall

April 2022
Version: 19.0v1

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Enabling Multifactor Authentication on Sophos Firewall - 1


Enabling Multifactor Authentication on Sophos Firewall

In this chapter you will learn how to configure multi-factor authentication on Sophos Firewall and
how this changes the way in which users authenticate.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Configuring authentication and users on Sophos Firewall

DURATION
9 minutes



Multi-factor Authentication

Multi-factor authentication means that two pieces of information are required to log in:
• Something you know
• Something you have

Sophos Firewall supports multi-factor authentication using one-time passwords

One-time passwords can be software tokens or hardware tokens that conform to RFC 6238

Multi-factor authentication means that two pieces of information are required to log in:
• something you know, your password, and
• something you have, your token

Sophos Firewall supports multi-factor authentication using one-time passwords.

There are different types of one-time password. You can use either software tokens, such as the
Sophos Authenticator App or Sophos Intercept X App that are available for Android and iOS, or
hardware tokens, if they conform to RFC 6238.

Please note that RSA tokens are not supported.



One-Time Passwords
[Diagram: on the left the User's token (Key + Time → Token Algorithm), on the right the Sophos Firewall (Key + Time → Token Algorithm); both produce the same sequence of token codes: 123456, 234567, 345678, 456789, 567890, 678901]

Let’s look at how one-time passwords work. In this diagram we have the user with their token on
the left, and the Sophos Firewall on the right.

The user has a token that contains a key and gets the time from a synchronized clock. These are
processed using the algorithm described in RFC 6238 to produce the token code.

The Sophos Firewall needs to have the same key and be synchronized to the same clock so that
when it calculates the token code it comes out with the same number.

To allow for variations in the time between the token and the Sophos Firewall, it will accept the
previous and next token code as valid by default. This is the token offset step and can be changed
in the settings.



One-time passwords are configured in:
CONFIGURE > Authentication > Multi-factor Authentication

• Optionally select which users need to use OTP
• Create software tokens for users
• Where Sophos Firewall will require OTP
• OTP timestamp settings

Multi-factor authentication is not enabled by default and must be turned on. This can be done for
either all users, or a selected set of users and groups.

You can choose to have the Sophos Firewall automatically generate a token secret (key) when a
user who does not yet have one tries to authenticate. Secrets generated by Sophos Firewall can be
used with software tokens. Hardware tokens need to be added manually.

Sophos Firewall can use multi-factor authentication to improve the security of the WebAdmin,
User Portal (including the Clientless VPN Portal), and SSL and IPsec remote access VPNs.

You can configure the global token settings. For example, if you are using a hardware token with a
60 second timestep you can configure this here. You can also configure the passcode offset steps
which we discussed in the previous slide.



Adding Tokens Manually

Optionally override the global token timestep

To add a token, you simply need to specify the secret, which is a 32-to-120-character hex string,
and select which user to assign the token to.

Optionally, the global timestep can be overridden, which may be necessary if you are using a
mixture of tokens.



Adding Tokens Automatically

The password becomes <User_Password><Generated_Password>

Now let’s look at how tokens can be automatically generated for users.

When a user logs into the User Portal for the first time after one-time passwords have been
enabled, the Sophos Firewall will generate and display the information they need to configure a
software token. In most cases this can be done automatically by scanning the QR code with an app,
such as the Sophos Authenticator App.

Once the token is configured, the user clicks Proceed to login.

The user will then be presented with the User Portal login again. This time they login with their
password and append their current token code.



Sophos Authenticator App

[Screenshot of the Sophos Authenticator App showing the token labelled training-user@C01001CP99YB30E]

This shows an example of the generated password on the Sophos Authenticator App.



Additional Token Settings

Here we can see a token for training-user that we will use to consider two scenarios.

In the first scenario, the user has their token, but the login is failing.

This might be caused if the time of the token and Sophos Firewall are out of sync. To resolve this,
you can enter the current passcode into the firewall, and it can compensate for the time
difference.
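To make the two preceding points concrete (the RFC 6238 code generation from the one-time password slide, the previous/next passcode offset steps, and the resync scenario above), here is an added example that is not Sophos code: a minimal HOTP/TOTP implementation that takes the secret as a hex string, accepts codes within a configurable number of offset steps, and learns a per-token time drift from the user's current passcode. The secret value, function names and the stored drift are assumptions for illustration; the secret is the RFC 4226/6238 test key so the outputs match the published test vectors.

```python
import hashlib
import hmac
import struct

# Constructed secret: 40 hex characters (a firewall token secret is 32 to 120
# hex characters). It is the RFC 4226/6238 test key "12345678901234567890".
EXAMPLE_SECRET_HEX = "3132333435363738393031323334353637383930"


def hotp(secret_hex, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = bytes.fromhex(secret_hex)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def totp(secret_hex, unix_time, timestep=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter set to the current timestep number.
    timestep=60 models a hardware token with a 60-second timestep."""
    return hotp(secret_hex, unix_time // timestep, digits)


def verify_totp(secret_hex, candidate, unix_time, timestep=30, offset_steps=1, drift=0, digits=6):
    """Accept the code for the current step or any step within offset_steps either side
    (offset_steps=1 is the 'previous and next code' default described on the slide).
    drift is a stored per-token correction, in steps, learned by resync_token()."""
    step = unix_time // timestep + drift
    for delta in range(-offset_steps, offset_steps + 1):
        if hmac.compare_digest(hotp(secret_hex, step + delta, digits), candidate):
            return True
    return False


def resync_token(secret_hex, current_code, unix_time, timestep=30, search_steps=50, digits=6):
    """Resync scenario: search a wide window for the code the token shows right now and
    return the step difference to store as that token's drift (None if nothing matches)."""
    step = unix_time // timestep
    for delta in range(-search_steps, search_steps + 1):
        if hmac.compare_digest(hotp(secret_hex, step + delta, digits), current_code):
            return delta
    return None
```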



Additional Token Settings

Generate 10 one-time codes that can be used

In the second scenario, the user is on the road but has dropped and broken the mobile phone that
has the Sophos Authenticator app on it. They need to access the SSL VPN, but it is secured using
OTP.

If this happens, you can add additional codes to the token. These are a set of single use codes that
will automatically be removed after they are used. They would have to be sent to the user in some
fashion, preferably through a secure channel, after they have been created. These codes will
persist until they are used, or an administrator removes them.



Simulation: Enable Multifactor Authentication

In this simulation you will enable multi-factor authentication on Sophos Firewall. You will then test
your configuration.

https://training.sophos.com/fw/simulation/MFA/1/start.html



Chapter Review

• Sophos Firewall supports multi-factor authentication using one-time passwords. These can be
either software tokens, such as the Sophos Authenticator, or hardware tokens if they conform to
RFC 6238

• Tokens can be automatically generated so when a user logs into the User Portal after
one-time passwords have been enabled, the prompt to configure a software token is
displayed. Typically, this is done by scanning the QR code with an app

• Additional codes can be added to a user’s token if the user does not have access to the
OTP app. These are a set of single use codes that will automatically be removed after
they are used

Here are the three main things you learned in this chapter.

Sophos Firewall supports multi-factor authentication using one-time passwords. These can be
either software tokens, such as the Sophos Authenticator, or hardware tokens if they conform to
RFC 6238.

Tokens can be automatically generated so when a user logs into the User Portal after one-time
passwords have been enabled, the prompt to configure a software token is displayed. Typically, this
is done by scanning the QR code with an app.

Additional codes can be added to a user’s token if the user does not have access to the OTP app.
These are a set of single use codes that will automatically be removed after they are used.
