Sophos XG Firewall: Enable Token2 classic hardware tokens for multi-factor authentication




This article details how to configure the Sophos Firewall to add an extra layer of authentication by enabling multi-factor authentication using Token2 hardware tokens.

Applies to the following Sophos products and versions


Most Sophos product versions support two methods of creating OTP tokens:

  • Automatic – 'Auto-create OTP tokens for users' option enabled. The token is created upon the user's initial login. This method can be used to provision programmable tokens, and the procedure is similar to this (starting from the QR code scanning step).
  • Manual – 'Auto-create OTP tokens for users' option disabled. This method should be used when provisioning classic hardware tokens. See the guide below for deploying OTP tokens manually.


Please note that Sophos XG Firewall currently does not support SHA256 hardware tokens. Only SHA1 tokens can be used if you choose to provision classic tokens.

Enabling hardware tokens 

  1. Go to Configure > Authentication > One-Time Password then press the Settings button.

  2. Enable One-Time Password


  3. Add a manual OTP token for the user by going to Authentication > One-Time Password and clicking Add.



  4. Add the secret and select the username to assign this token to. Please note that the secret must be entered in Hex format (not base32). You can request the secrets of your hardware tokens here.



These steps should be enough to have OTP enabled for this user. Note that the default time step setting of Sophos is 30 seconds, which matches the time step of our classic hardware tokens and therefore does not need to be modified.
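To check that a seed was entered correctly before handing the token to a user, it helps to compute the expected code independently and compare it with what the token displays. The following is an added example (not Sophos or Token2 code) that converts a base32 seed to the hex form the firewall expects and evaluates TOTP with the parameters this article relies on: HMAC-SHA1, a 30-second time step and six digits. The seed used in the usage lines is the RFC 6238 reference seed, not a real token secret, and the `verify_token` tolerance window is an assumption for illustration, not a firewall setting.

```python
import base64
import hashlib
import hmac
import struct
import time


def base32_to_hex(secret_b32: str) -> str:
    """Convert a base32 seed (the format used by QR provisioning) to the
    hex string that the Sophos 'Add OTP token' form expects."""
    cleaned = secret_b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding if it was stripped
    return base64.b32decode(cleaned).hex()


def hotp(secret_hex: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP over HMAC-SHA1. Sophos XG does not support SHA256
    hardware tokens, so SHA1 is the only algorithm used here."""
    key = bytes.fromhex(secret_hex)
    msg = struct.pack(">Q", counter)  # 8-byte big-endian counter
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_hex: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the counter is the number of 30-second steps since epoch."""
    return hotp(secret_hex, unix_time // step, digits)


def verify_token(secret_hex: str, shown_code: str, unix_time: int,
                 window: int = 1, step: int = 30):
    """Return the step offset (-window..window) at which the code shown on the
    token matches, or None. A non-zero offset means the token's clock has
    drifted; None usually means the wrong seed or a base32/hex mix-up.
    The window size is an assumption for this example."""
    counter = unix_time // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret_hex, counter + delta), shown_code):
            return delta
    return None


if __name__ == "__main__":
    # Constructed input: the RFC 6238 reference seed "12345678901234567890".
    seed_hex = base32_to_hex("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("hex seed to paste into Sophos:", seed_hex)
    print("current expected code:", totp(seed_hex, int(time.time())))
    print("offset for reference code at T=59:", verify_token(seed_hex, "287082", 59))
```

Paste the printed hex seed into the Sophos token form, then compare the code the hardware token shows with `totp(seed_hex, int(time.time()))`; a match (or a one-step offset) confirms the seed and the 30-second time step line up before the user depends on it.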

Advanced settings: Emergency Account Access

You can add up to 10 additional codes that the user can use if they lose access to their hardware token and need to log in immediately. The user would contact the administrator and ask for one of the additional codes, or these codes can be sent to the user in advance. You can add these codes by clicking Edit for an existing user. At the bottom of the Advanced section, there is a field called Additional codes. Click the + button to automatically create ten codes with six digits each.
