Compatible hardware tokens for the XG

Question

Long story short, we have a user with an outdated phone that they refuse to upgrade, but still want access to our SSL VPN with OTP. Can't get the sophos authenticator or Google authenticator. They are the type that would still have a flip phone if they could. 
 Anyway, I have been asked to see if we could order a compatible hardware token, and if so how to add it? Google comes up some stuff, but I can't seem to string together the right words to find a list of compatible tokens. Do you know if we can use pretty much any TOTP hardware token? Is there a recommended one to use? 
 I also can't seem to find a way to add seed files or key files to the XG for a couple of existing tokens we do have. Do you have any suggestions? Thanks for your help.

FloSupport · Accepted Answer

Updated - Sep 9th, 2022 
 
 Hey svk253 
 You should be able to use any TOTP hardware token, I would advise to inquire with your Sophos Partner for any suggestions. 
 You would create a manual OTP token object, and input your hardware token's secret (in hexadecimal format). Currently, we only support time-based OTP (TOTP) where the token increments the code on a regular time period. 
 All the TOTP token are stored using SFOS's secure storage mechanism which uses SHA-256 encryption to ensure that token seeds stored on the Firewall are protected. 
 I'll provide the links for instructions to reference during your setup: 
 
 Sophos XG Firewall: How to add token 
 
 Add the unique HEX key provided by the hardware token manufacturer and ensure that the configured time interval also matches.

More info on setting up 2FA for VPN access: 
 
 Product Documentation: Sophos Connect Client 
 
 Related KBA: Sophos XG Firewall: Sophos Connect Client

End User Info on how-to connect 
 
 "Your firewall administrator may have configured one of the following types of multi-factor authentication:..."

Regards,

Compatible hardware tokens for the XG

Top Replies