Thread Info
  • State Verified Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 5 replies
  • Subscribers 5 subscribers
  • Views 14429 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

My Experience: Sophos OTP Auth with Hard Tokens

AzRoN
Hi all

I've recently set out to utilise traditional hardware tokens as the OTP provider to complete my multi factor security deployment for my lab/test environment.

I perused the web and found the RFC's for the standard that the Sophos UTM supports, specifically the Time Based (TOTP) OATH specification.

TOTP - Time-based One-time Password Algorithm (RFC 6238)
RFC 6238 - TOTP: Time-Based One-Time Password Algorithm

After using Google, I came across this vendor of tokens that state to support the standard.  There were others.

Feitian C200 Hardware token
OTP c200 | FEITIAN

To be open, I'm not associated with FEITIAN in any way.

The above tokens support Time Based OTP; and display a passcode with a simple press of a button on the device.  They supposedly last for approximately 5 years.

Implementing them was surprisingly easy.  During the enablement of the OTP facility, or if you've already enabled it, you can add your tokens to users.

To do this, OTP OATH tokens comes with seed values, which are either in plain text or PKCS format that allow an OATH server (as implemented on the UTM) to cryptographically derive a OTP every 60 seconds.

In my case, I manually added each token, copying in the seed value and adjusting the time step to 60 seconds - these specific hardware tokens have a fixed time step!  The documentation I was supplied with noted this succinctly.


Any questions, happy to help where I can.

Azz


This thread was automatically locked due to age.
Parents
  • 0

    AzRoN thank you very much for sharing your experience.  I have recently started researching which hardware token to go with.  We have some employees who refuse to install an authenticator on their personal devices.  But I still need to support 2FA for their VPN connections.  Based on your post, I have just ordered a batch of 5 tokens to start testing with.  I'll try to remember to post back my results. 

  • 0 in reply to candal02

    AzRoN did you receive the seed data via an email or documentation shipped with the tokens?  I ordered a batch of 5 tokens and didn't receive the seed/secret key anywhere.  Just wondering how the process worked for you.

    Thanks!

  • 0 in reply to candal02

    candal02 said:

    AzRoN did you receive the seed data via an email or documentation shipped with the tokens?  I ordered a batch of 5 tokens and didn't receive the seed/secret key anywhere.  Just wondering how the process worked for you.

    Thanks!

     

     

    Please disregard.  I didn't check all my email accounts.  It turns out they did indeed send us the seed file.

    Thanks again.

  • +1 in reply to candal02

    Ok here is my final update.  I got the tokens and seed keys relatively quickly.  It was extremely easy to set up on the UTM (with the help of AzRoN's comments above).  The key is to set the 60 second custom token timestep.  I'm extremely happy with the results, as all my remote workers now have 2 factor authentication, with little to no effort on my part.  My only complaint, as I am coming from an RSA environment, is that now I have to manage/maintain a set of seed records (secret keys), so the keys can be assigned/reassigned, and not allow the seed records to be copied or compromised.  This was all handled in an encrypted database automatically by RSA.  But this is really a minor complaint, and an easy one to live with considering how much the RSA solution costs.

Reply
  • +1 in reply to candal02

    Ok here is my final update.  I got the tokens and seed keys relatively quickly.  It was extremely easy to set up on the UTM (with the help of AzRoN's comments above).  The key is to set the 60 second custom token timestep.  I'm extremely happy with the results, as all my remote workers now have 2 factor authentication, with little to no effort on my part.  My only complaint, as I am coming from an RSA environment, is that now I have to manage/maintain a set of seed records (secret keys), so the keys can be assigned/reassigned, and not allow the seed records to be copied or compromised.  This was all handled in an encrypted database automatically by RSA.  But this is really a minor complaint, and an easy one to live with considering how much the RSA solution costs.

Children
No Data