Suggest, discuss, and vote on new ideas for SG UTM. The ultimate network security package.


AstaroOS: Support for Two-Factor Authentication (SMS, Token, OTP, Mobile App etc.)

Dual-factor authentication is much stronger than the password-based authentication which Astaro is now using. Astaro has implemented the certificate authority, and the OpenVPN project has implemented support for PKCS#11 in version 2.1. What is there left? Only to implement dual-factor authentication in Astaro.

275 votes

    Ales Kotmel shared this idea
      • MYN commented

        We have a Sophos SG430 with firmware 9.355, but it doesn't support SMS for two-factor authentication.

        So far, TOTP is the one and only option for using the 2FA feature.

      • Anonymous commented

        Any more details on the release date of 9.2?
        The plan for later in 2013 (from May 2013) seems rather outdated.

      • WS commented

        Please allow authentication against SMSPasscode and RSAId for the second factor. Perhaps it could be implemented as a RADIUS client for the second factor? I have seen it done as a second factor via RADIUS to, say, RSAId or SMSPasscode, which can act as a RADIUS server.

      • rbarbrow commented

        Google Authenticator and Yubico are my votes on this. (Also, just as an FYI, Yubico has an NFC option that doesn't work with the iPhone as of the iPhone 5, but should work with most new Android devices and the iPhone 5s if that has NFC.)

      • Leon Krown commented

        Adding compliance with Google Authenticator would be wonderful. Codes via SMS would be a nice fallback option. Don't try to home-bake your own system; use a system that is already proven, accepted, very well tested and free, like GA.

      • Gunnar commented

        I do hope for RADIUS Challenge Response to be added, as real-time, session-secure 2FA is a market demand today.
        We have customers that used to use Astaro, but have replaced it with something else that supports challenge-response.

      • Markus Kreissl commented

        Finally, there's a solution: you can use the 2FA product of SecurEnvoy (I downloaded, installed, configured it to work together with the ASG and tested it: it really works!). Why? No challenge-response process, but passcodes via SMS in advance or via seed-based calculation as a soft-token app on your smartphone. It's up to you what you want to secure; all is possible, from WebAdmin over the End User Portal to VPN connections. Instead of merely user name and password (which is e.g. even the Microsoft AD password of the user), you now use the username in one line and, in the password line, the original password followed by the 6-digit dynamic passcode. Any further questions? Contact me: (English or German).
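Two comments above describe the mechanism concretely: MYN notes that TOTP is the only 2FA option on the SG430, and Markus Kreissl's SecurEnvoy setup has the user type the static password followed by the 6-digit passcode in the single password field. The following is an added example (not code from this thread, from Sophos or from SecurEnvoy) of how a verifier for that login shape works: RFC 4226 HOTP, RFC 6238 TOTP, splitting the password field, constant-time comparison and a one-step clock-skew window; the seed is the RFC 4226 test key, and the password value and function names are constructed for the example.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo values for this example (not from the page). The seed is the
# RFC 4226 test key "12345678901234567890" in base32, as an authenticator app
# would enrol it; the static password is made up.
DEMO_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
DEMO_PASSWORD = "correct horse"
CODE_DIGITS = 6
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = CODE_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step)


def split_password_field(field: str) -> tuple:
    """Split 'static password + 6-digit code' as typed into one password box."""
    if len(field) <= CODE_DIGITS or not field[-CODE_DIGITS:].isdigit():
        raise ValueError("password field must end in a 6-digit passcode")
    return field[:-CODE_DIGITS], field[-CODE_DIGITS:]


def verify_login(field: str, password: str, seed_b32: str, now: int,
                 window: int = 1) -> bool:
    """Check the static password and the TOTP, tolerating +/- `window` time steps."""
    try:
        static, code = split_password_field(field)
    except ValueError:
        return False
    secret = base64.b32decode(seed_b32)
    password_ok = hmac.compare_digest(static.encode(), password.encode())
    code_ok = False
    for skew in range(-window, window + 1):  # accept neighbouring steps for clock drift
        code_ok |= hmac.compare_digest(code, hotp(secret, now // STEP_SECONDS + skew))
    return password_ok and code_ok


if __name__ == "__main__":
    now = int(time.time())
    field = DEMO_PASSWORD + totp(base64.b32decode(DEMO_SEED_B32), now)
    print("login accepted:", verify_login(field, DEMO_PASSWORD, DEMO_SEED_B32, now))
```

A real deployment would also record the last accepted counter per user so that a captured passcode cannot be replayed within the window.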

      • Markus Kreissl commented

        In my opinion, YubiKeys would not be that good. As far as I can see, there's no possibility to integrate devices which do not accept a USB keyboard, like smartphones and tablets etc.

      • Anonymous commented

        Please provide built-in dual-factor authentication as soon as possible. Especially if the HTML5 VPN feature is used, a more secure way to authenticate is needed!!

      • Adrien Belcourt commented

        There are very separate features merged and mixed in this thread:

        Implementation of challenge-response support for the SSL VPN client and for RADIUS on Sophos UTM, to support highly authenticated VPN access.

        Setting up the wireless hotspot to capture a mobile number for delivery of an OTP (one-time password), which also requires challenge-response support. Wireless hotspot access authentication needs beefing up.

        It would be fantastic to have built-in support for dual-factor authentication out of the box, but this is a completely separate feature. It does not require support for challenge-response, but it would be so much better, especially for the hotspot feature above, if it did.

        The full implementation of challenge response user dialogue handlers for each of WebAdmin, User Portal and Hotspot Portal (as well as for the SSL VPN client of course).

      • Adrien Belcourt commented

        I would like to see this done for hotspot authentication. You provide a username and password to the user in the normal way, printed on a bit of paper. They then enter these details into the hotspot portal, which then asks them for a mobile number to send a one-time password to. They get an SMS with an OTP, which they then enter to gain access.


        1. Astaro gets to register a Mobile number against an otherwise anonymous internet user.

        2. Access is limited to the owner of the mobile phone, people who pick up a discarded paper with U/P cannot do anything with it.

        It now costs 20 euros per month for unlimited texts. Challenge response is the perfect way to interface this form of two factor authentication to the back end AD system. You could even use this to get Users to register themselves onto an AD system.

        What's not to like.

        Also see
        for a similar feature request.

      • Adrien Belcourt commented

        Wow - this feature request has been open since 2009, and 2FA has been around since what, the 90s???

        I would like to be able to have a Sophos UTM provide a dual factor authentication mechanism - out of the box - for locking down

        1. Webadmin
        2. User Portal
        3. Roadwarrior VPN access

        At the moment WebAdmin out of the box is vulnerable to

        a) shouldersurfing
        b) keylogging
        c) password harvesting duplicate passwords (i.e. Webadmin pw = Twitter pw)
        d) TCP session replay
        e) Brute force attacks
        f) Man in the middle attacks

        I know I am supposed to be unbearably upbeat about this security product here, but seriously, guys: a security device whose primary means of authentication is still only passwords. You must be kidding, right?

        I am pretty sure that most security experts think that passwords are not a good enough form of authentication for a security device that is protecting the IP (which does not stand for Internet Protocol in this context) of the companies it is sold to. Any hacker's response to the statement - that passwords were enough - would be to ROFLOL pause for a second and then ROFLOL some more.

        Please don't say "but you can buy a bolt-on RADIUS server from RSA/Vasco/etc. to fix this, and BTW sorry about the lack of challenge-response". The whole point of Astaro is that 99/100 I should not need to spend extra money buying enhanced and more expensive versions of smart features like WAF, Wireless or RED from third parties. I want a smart feature like 2FA, preferably with the following features:

        - One Time Passwords
        - Password is tied to the SSL Session ID
        - Uses SMS messaging which now costs 20 euros per month for unlimited texts

      • Firebear commented

        I would like to say something about the comment:
        "Elmar Haag commented · December 15, 2009 9:38 a.m."
        The workaround you describe here could maybe be the User Portal?

      • Dennis commented

        You could argue whether it's beneficial to just use the certificates in combination with a username/password. But I think there is a differentiation between SMS/OTP and/or hardware two-factor authentication. The other users seem to think so as well, as there are, at the time of my comment, 134 votes for this request.
