Hi all
I've recently set out to utilise traditional hardware tokens as the OTP provider to complete my multi-factor security deployment for my lab/test environment.
I perused the web and found the RFCs for the standard that the Sophos UTM supports, specifically the Time-Based (TOTP) OATH specification.
TOTP - Time-based One-time Password Algorithm (RFC 6238)
RFC 6238 - TOTP: Time-Based One-Time Password Algorithm
After using Google, I came across this vendor of tokens that states it supports the standard. There were others.
Feitian C200 Hardware token
OTP c200 | FEITIAN
To be open, I'm not associated with FEITIAN in any way.
The above tokens support Time-Based OTP and display a passcode with a simple press of a button on the device. They supposedly last for approximately 5 years.
Implementing them was surprisingly easy. During the enablement of the OTP facility, or if you've already enabled it, you can add your tokens to users.
To do this, OTP OATH tokens come with seed values, which are either in plain text or PKCS format, that allow an OATH server (as implemented on the UTM) to cryptographically derive an OTP every 60 seconds.
In my case, I manually added each token, copying in the seed value and adjusting the time step to 60 seconds - these specific hardware tokens have a fixed time step! The documentation I was supplied with noted this succinctly.
Any questions, happy to help where I can.
Azz