Applies to the following Sophos product(s) and version(s)
Sophos UTM v9.2
What is OTP?
A one-time password (OTP) - also called two-factor or multi-factor authentication - is a password that is valid for only one login session or transaction and includes a static component (your primary password) as well as a time-dependent or temporary (one-time use) pass-code. OTPs avoid a number of shortcomings associated with traditional passwords. The most important shortcoming addressed by OTPs is that, in contrast to a single static password, they are not vulnerable to replay attacks. This means that a potential intruder who manages to obtain an OTP that was already used to log into a service or to conduct a transaction will not be able to re-use (or abuse) that OTP.
- OTP Secret - Unique 128-bit hex key used in the algorithm to produce the passcode(s) for each user.
- OTP Passcode - Time-limited 6-digit code appended to the user's password for authentication on OTP-enabled UTM services (e.g. password123456).
- OTP Token - UTM object which is a collection of all the components required for using OTPs for authentication (UTM User, OTP Secret, OTP passcodes (additional codes or Authenticator Tool generated)).
How to configure OTP
Log in to WebAdmin and go to Definitions & Users | Authentication Services | One-time Password.
- Select the users who will use OTP for authentication.
  - All Users - Check the box for 'All users must use one-time passwords'.
  - Specific Users - Uncheck the box for 'All users must use one-time passwords'.
    - The 'Users and Groups' box will be shown.
    - Create (green '+' button) or add existing UTM users (green folder).
- Select how tokens will be created.
  - Automatically - Check the box for 'Auto-create OTP tokens for users' (token created with first login).
  - Manually - Uncheck the box for 'Auto-create OTP tokens for users' and see the section below, 'Manual Token Creation'.
- Select which UTM services/facilities you wish to enable OTPs for.
Important note: If you enable 'Shell Access' for OTP, this will impact remote SSH access to the UTM with the loginuser or root accounts. In order to log in to the UTM remotely with SSH after enabling 'Shell Access', you need to ensure that an existing OTP Token/User, or a newly created OTP Token/User, has "Token can be used for shell access" enabled in their OTP Token. You will then be able to use the Google Authenticator Code, or Additional Codes, for that OTP Token/User along with your "normal" passwords for the loginuser and root accounts (NOT the UTM user account where you set "Token can be used for shell access"). The password format for remote shell access using the loginuser account with OTP is <loginuser password><Google Authenticator Code OR Additional Code> (e.g. password128363). Logging in to the UTM console directly with the loginuser or root account does not require the OTP code.
- Enable OTP by clicking on the grey toggle switch so it turns green.
When the user logs into the User Portal for the first time, they will be prompted with a bar code (see the section below, 'How to use OTPs') which they can scan with their smart-phone or tablet using the Google Authenticator app, which will then produce the one-time pass-code.
Manual Token Creation
To manually add an OTP token for a new user, click on the green plus ('+') button in the 'OTP Tokens' section. When the 'Add OTP Token' dialog box appears, click on the green plus ('+') to create a new user, or the green folder icon to add an existing UTM user to manually create a token. Next, type in a Secret for this user – this will come from the hardware token (e.g. YubiKey in TOTP/OATH mode) for that user, or you can use an online generator (e.g. Password Generator - Letters to Use=Hex, Length=64).
Under the 'Advanced' section, you can change the token timestep for a user if it needs to be different from the default of 30 seconds. You can also hide the token information in the User Portal (this might be helpful if you don't want users to know the Secret - for example if you are using hardware tokens). If you allow token information in the portal, a QR code will appear with which the user can generate their token. You can also allow the token to be used for shell access.
Finally, click 'Save' to add the user. You can also add more than one token to a user (if you are using hardware as well as software tokens, for example).
Emergency Account Access
You can also add up to 10 additional codes which the user can use if they lose access to their authentication tool and need to log in immediately. The user would contact the UTM administrator and ask for one of the additional codes. You can add these codes by clicking on edit for an existing user. At the bottom of the 'Advanced' section, there is a field called 'Additional codes'; when you click on the '+' button, the UTM automatically creates 10 codes with 6 digits each.
How to use OTPs
The Sophos OTP implementation is TOTP (time-based OTP), therefore you can only use authenticators or hardware tokens which are designed for TOTP. The recommended authenticator program for smart-phones and tablets is 'Google Authenticator'. Type your secret key into the app or scan the QR code you'll find by logging into the User Portal - as shown in the screenshot below.
Important: When using Google Authenticator for Android devices, the only supported timestep is 30 sec.
With the key stored in the Google Authenticator app, a personal passcode is generated automatically and is valid for the configured timestep (30 seconds with Google Authenticator).
Important: Typing in an incorrect passcode will cause the generated token to become invalid until the next timestep is reached - OTP passwords are only valid once per timestep.
When entering the password, you'll need to append the one-time pass-code after your normal password.
With OTP it will be:
<password><one-time pass-code> (e.g. password128363)
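As an added example (not Sophos code), the following Python models the TOTP scheme described in this article: RFC 6238 HMAC-SHA1 codes derived from a hex secret with a 30-second timestep, the <password><pass-code> login format, the rule that a passcode (right or wrong) is only valid once per timestep, and the single-use additional codes. The secret is the RFC 6238 reference key rather than a UTM-generated 128-bit one, and OtpVerifier is a hypothetical model of the behaviour the article describes, not the UTM's own verification code.

```python
import hashlib
import hmac
import struct

TIMESTEP = 30   # seconds: the UTM default and the only step Google Authenticator for Android supports
DIGITS = 6      # length of the passcode appended to the static password

def totp(secret_hex: str, unix_time: int, timestep: int = TIMESTEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for a hex-encoded secret at the given Unix time."""
    key = bytes.fromhex(secret_hex)
    counter = struct.pack(">Q", unix_time // timestep)       # 8-byte big-endian step counter
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                    # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class OtpVerifier:
    """Checks '<password><passcode>' logins: one accepted or failed passcode per timestep,
    plus single-use emergency 'additional codes' (hypothetical model, not UTM code)."""
    def __init__(self, static_password: str, secret_hex: str, additional_codes=()):
        self._password = static_password.encode()
        self._secret = secret_hex
        self._additional = set(additional_codes)   # emergency codes not yet spent
        self._used_steps = set()                   # timesteps already consumed by an attempt

    def verify(self, submitted: str, now: int) -> bool:
        if len(submitted) <= DIGITS:
            return False
        password, code = submitted[:-DIGITS], submitted[-DIGITS:]   # split from the right
        if not hmac.compare_digest(password.encode(), self._password):
            return False
        if code in self._additional:               # emergency code: accept once, then retire it
            self._additional.discard(code)
            return True
        step = now // TIMESTEP
        if step in self._used_steps:               # replay, or retry after a wrong code this step
            return False
        self._used_steps.add(step)                 # right or wrong, the attempt burns this step
        return hmac.compare_digest(code.encode(), totp(self._secret, now).encode())

# Constructed demo secret: the RFC 6238 reference key (ASCII "12345678901234567890" as hex).
# A UTM-generated secret would be 128-bit hex; the algorithm is identical.
DEMO_SECRET = "3132333435363738393031323334353637383930"

if __name__ == "__main__":
    v = OtpVerifier("password", DEMO_SECRET, additional_codes=("111111",))
    print(totp(DEMO_SECRET, 59), v.verify("password287082", 45))   # 287082 True
    print(v.verify("password287082", 59))                          # False: same timestep reused
    print(v.verify("password111111", 100), v.verify("password111111", 100))  # True False
```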