In our introductory article, Two Factor Authentication with Sophos UTM – Concepts and Considerations, we discussed some of the options for choosing a Two Factor Authentication solution for your environment.
We concluded that One-time Passwords (OTP) delivered by a soft token are a very flexible solution that adds strong security with very few penalties. It is the same open, time-based OTP method (TOTP, RFC 6238) that Google Authenticator uses.
This article shows you how to start using two factor authentication and OTP to lock down the administration of your Sophos UTM – without locking yourself out!
Step 1. Get some strong entropy
You will need to specify a hexadecimal octet string that is 40 characters long (20 random bytes). If you are good at coming up with strings like “aaa85e0ca44f0c168106c3c5d74dde5b60419fa8” you can generate it on your own (do not reuse that example value). For the rest of us, one of the following methods should be used.
If you’re using an Apple Mac or Linux distro containing OpenSSL, you can use it to generate a random value for you with the following command:
openssl rand -hex 20
Otherwise, you can use an online generator such as Browserling’s Random HEX Generator to produce your 40-digit hex value. Keep in mind that this secret is the key to your administrator’s second factor: a value generated by a third-party web page is only as trustworthy as that page, so prefer a local generator whenever one is available.
Step 2. Download an OTP Authenticator App
On your smart device, install either of the following apps:
- Sophos Authenticator (available from Google Play and the Apple App Store)
- Google Authenticator (available from Google Play and the Apple App Store)
Both implement the same open standard (TOTP), so for this purpose they are identical in function.
Step 3. Turn on the One-time Password (OTP) Service
Like many features on Sophos UTM, One-time Password is available but disabled by default.
To make sure that you do not lock yourself out of the UTM, carry out the following steps with a secondary admin account first, and only enable OTP on your primary account once you have confirmed it works.
- Navigate to Definitions & Users | Authentication Services | One-time Password
- Toggle the On/Off switch to On
- Click the + button to generate a new token
- Select your secondary admin user account
- Paste the strong hexadecimal octet string as the secret
- Expand Advanced and check hide token information in User Portal
- Click Save
Next, you need to enrol the token on your device so it can generate OTPs for you.
- On the right-hand side click the small grey “i” icon
- This presents a QR code you can use to enrol your device
- Grab your smart device and open the Authenticator App you downloaded earlier (either Sophos Authenticator or Google Authenticator)
- Tap Scan QR code, point the camera at the QR code on screen, and you are done.
Step 4. Require Two Factor Authentication for Web Administration
At this point you have generated a token for yourself (well, for your secondary admin user account), but you have not specified where it should be used.
In the Authentication Settings section:
- Uncheck All users must use one-time password
- Add your secondary admin user account
- Check the box for Enable OTP for WebAdmin
- Click Apply
Step 5. Try it out!
Make sure you have an admin account that does not already require OTP before you go ahead.
- Log out of the current session
- Log back in again, and enter the same username and password you usually use
- Get the current six-digit code from your authenticator app and append it to the end of your password, with no separator
- Click Login
As an example:
- Username = your usual username, e.g. admin2
- Password = your usual password immediately followed by the OTP, e.g. a password of Secret and a current code of 224453 is entered as Secret224453
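To make Steps 1, 3 and 5 concrete, here is an added example (not code from the original article or from Sophos) that generates a 40-character hex secret the way `openssl rand -hex 20` does, builds the base32 `otpauth://` URI that an authenticator app reads from a QR code, computes the TOTP code for that secret, and splits a submitted password+OTP string the way the UTM has to. It assumes the standard TOTP parameters (HMAC-SHA1, 30-second step, 6 digits) and a one-step verification window; those are assumptions about the UTM's defaults, not facts taken from the page, and the account label and issuer strings are made up.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

# Assumed TOTP parameters (standard RFC 6238 defaults; assumed, not confirmed for Sophos UTM).
STEP_SECONDS = 30
DIGITS = 6


def generate_secret_hex(num_bytes: int = 20) -> str:
    """Step 1: 20 bytes from the OS CSPRNG as a 40-character hex string (like `openssl rand -hex 20`)."""
    return secrets.token_hex(num_bytes)


def is_valid_secret_hex(secret_hex: str) -> bool:
    """The UTM expects exactly 40 hex characters, i.e. a 20-byte secret."""
    try:
        return len(secret_hex) == 40 and len(bytes.fromhex(secret_hex)) == 20
    except ValueError:
        return False


def hex_to_base32(secret_hex: str) -> str:
    """Authenticator apps carry the secret in base32 inside the otpauth URI, not as hex."""
    return base64.b32encode(bytes.fromhex(secret_hex)).decode("ascii").rstrip("=")


def otpauth_uri(secret_hex: str, account: str, issuer: str = "Sophos UTM") -> str:
    """Build the URI the QR code encodes (label and issuer are illustrative assumptions)."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={hex_to_base32(secret_hex)}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_hex: str, at=None) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second time step."""
    if at is None:
        at = int(time.time())
    return hotp(bytes.fromhex(secret_hex), at // STEP_SECONDS)


def verify_totp(secret_hex: str, candidate: str, at=None, window: int = 1) -> bool:
    """Server-side check: accept the code for the current step or one step either side
    (clock drift). Compare in constant time so timing does not leak partial matches."""
    if at is None:
        at = int(time.time())
    step = at // STEP_SECONDS
    secret = bytes.fromhex(secret_hex)
    return any(hmac.compare_digest(hotp(secret, step + d), candidate)
               for d in range(-window, window + 1))


def login_password(password: str, secret_hex: str, at=None) -> str:
    """Step 5 from the user's side: static password immediately followed by the OTP."""
    return password + totp(secret_hex, at)


def split_login_password(submitted: str, digits: int = DIGITS):
    """Step 5 from the UTM's side: the last `digits` characters are the OTP.
    Returns (password, otp), or None if no numeric code is appended."""
    if len(submitted) <= digits or not submitted[-digits:].isdigit():
        return None
    return submitted[:-digits], submitted[-digits:]


if __name__ == "__main__":
    # Constructed demo secret (the RFC 6238 test vector "12345678901234567890" in hex).
    demo_hex = "3132333435363738393031323334353637383930"
    print("Fresh secret:", generate_secret_hex())
    print("QR URI:      ", otpauth_uri(demo_hex, "admin2"))
    print("Code at T=59:", totp(demo_hex, at=59))
    pw = login_password("Secret", demo_hex, at=59)
    print("Login string:", pw, "->", split_login_password(pw))
```

The RFC 6238 test vector gives a quick sanity check: at T=59 the code must be 287082, and the base32 form of that secret is GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ. If the code your app shows for your own secret disagrees with what `totp()` computes for the same moment, check the phone's clock before suspecting the secret.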
You should now be logged on with your stronger Two Factor Authentication method. If you try to log in without the OTP appended, Sophos UTM simply returns an incorrect password error. It says nothing about a token being required, which is good: a verbose error would tell an attacker that this account has a second factor and how the login is structured. And “incorrect password” is accurate, because once Two Factor Authentication is enabled the effective password is dynamic and changes every 30 seconds.
Now you have confirmed everything is working, you can go ahead and repeat the process for your primary admin user account.
Your Sophos UTM’s administration is now more secure because it requires not just one but two factors of authentication. Even if you never roll out Two Factor Authentication for any of your users, you really should do this for your UTM administrators.
This guide stepped through the process of manually enrolling a user for OTP. I prefer this for the administrator account because it gives me the freedom to source my entropy from anywhere. You could in theory even set your administrator on multiple UTMs to use the same secret, so that they all accept the same code. That convenience cuts both ways: a secret shared across devices means that compromising any one of them exposes the second factor for all of them, so generate a separate secret per UTM unless you have a specific reason not to.
In the next article, I will show you how to set up OTP for your users using the simpler user self-enrolment process.