
OTP / 2FA "Sophos SF0" issue with multiple XG Firewalls on Reiner SCT G1

Hi,

We're evaluating hardware tokens from Reiner SCT, which are quite commonly used in Germany.

OTP or 2FA is working fine with Sophos XG as long as you only have one firewall.

Because the QR code is identified by the name "Sophos SF0", whatever this means, if you have a second firewall, enable OTP there and scan the new QR code, it will overwrite the existing "Sophos SF0" dataset without asking. You will no longer be able to log in to the first firewall.

Any idea where the name Sophos SF0 comes from and whether you can change it somehow? Maybe on the CLI?

It would be way better if this could be the hostname of the firewall instead of that generic SF0 name.

  • I wonder: my Sophos Intercept X app does it correctly. So maybe the vendor of your app reads the wrong value in the QR code?

    Because the QR code raw format is: otpauth://totp/Email of User ?secret=suer=Sophos%20SFOS&period=30

    I assume the QR code tool only reads: Sophos SFO

    It should use the creds of the UPN in front of the secret.


  • Thanks for the explanation!

    I think it is generally OK to use the hostname or system name. The email or user is probably used multiple times on some systems, and this would cause the same trouble on that device.

    E.g. Sophos Central is just shown as "Sophos" on the authenticator.

    It has to be noted that the authenticator has a limited display length, not comparable to a smartphone app.

    So if we can hack that "Sophos SF0" information somewhere, that would be really cool.

  • You could generate your own QR codes. Simply scan your QR code and change the Sophos SFOS to your name.

    But I assume this cannot be changed in the system itself.


  • Simply scan your QR Code and change the Sophos SFOS to your name.

    Any suggestion how to do that? A specific software?

  • There are plenty of tools available online/offline.
    You need to decode the QR code, which is not that hard (PS: you are working with secrets, so consider working with something you trust or that is offline).

    Then convert it back to a new QR code. A QR code is actually a simple "language" of code, so plenty of tools can encode/decode it.

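To illustrate the relabelling suggested in the replies above, here is an added example that is not from this thread, from Sophos or from Reiner SCT: it parses an otpauth://totp URI of the shape described earlier, rewrites the issuer (the part a hardware token displays) to a per-firewall hostname, and confirms that the rewritten URI still yields the same TOTP code, because only the secret feeds the code. The sample URI, its secret and the hostname are constructed values; re-encoding the result into a QR image is left to whatever QR tool you use.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, quote, unquote, urlencode, urlsplit, urlunsplit

# Constructed sample in the shape the thread describes. The secret is a dummy
# test value, not a real token secret; the issuer is the shared "Sophos SFOS".
SAMPLE_URI = ("otpauth://totp/user%40example.com"
              "?secret=JBSWY3DPEHPK3PXP&issuer=Sophos%20SFOS&period=30&digits=6&algorithm=SHA1")

def parse_otpauth(uri):
    """Split an otpauth://totp URI into its (unquoted) label and its query parameters."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "secret" not in params:
        raise ValueError("URI carries no secret")
    return unquote(parts.path.lstrip("/")), params

def relabel(uri, new_issuer):
    """Return the same credential with the issuer parameter and the
    "Issuer:account" label prefix replaced; the secret is left untouched."""
    label, params = parse_otpauth(uri)
    account = label.split(":", 1)[1] if ":" in label else label
    params["issuer"] = new_issuer
    new_label = quote(f"{new_issuer}:{account}", safe=":@")
    return urlunsplit(("otpauth", "totp", "/" + new_label,
                       urlencode(params, quote_via=quote), ""))

def totp(secret_b32, timestamp, period=30, digits=6, algorithm="SHA1"):
    """RFC 6238 TOTP: HMAC over the time step, then RFC 4226 dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", int(timestamp) // period)
    mac = hmac.new(key, counter, getattr(hashlib, algorithm.lower())).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def code_from_uri(uri, timestamp):
    """Compute the code a device enrolled with this URI would show at `timestamp`."""
    _, p = parse_otpauth(uri)
    return totp(p["secret"], timestamp, int(p.get("period", 30)),
                int(p.get("digits", 6)), p.get("algorithm", "SHA1"))
```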

  • Sure. Thanks for your tips!