What’s new in Sophos UTM Accelerated (9.2): #4 – Safer two-factor authentication


This blog post continues our series introducing the great features you can look forward to in the upcoming UTM Accelerated (9.2) release. I’ll explain how we’re making two-factor authentication in Sophos UTM safer and … well, yes, simpler.

Two-factor authentication (2FA) may be nothing new. In fact, if you bank online, you may have been using it for years. Recent data breaches have shown that if more businesses used two-factor authentication, they could probably have saved themselves a lot of pain and money. We’re making 2FA easy to implement across your organization.

Simpler and safer two-factor authentication

Firstly, all the setup is done in the UTM WebAdmin console. That means you don’t need a third-party product that would cost extra money and also have to be managed separately. That makes it really simple to implement.

By adding additional users in the WebAdmin you can set them up for two-factor authentication using existing authentication services.

Secondly, you can decide which kind of authenticator you want to use for your one-time password. We support the OATH standard, so you can buy compatible hardware tokens for just a few dollars or euros each. But you can also save yourself that expense by using one of the free authenticator apps available for mobile devices. In that way, a user’s smartphone becomes the token.

In fact, we’ve built our own Sophos Authenticator – based upon the Google Authenticator but, of course, better – which will be available free of charge for both Android and iOS. Of course, you can use this app with the UTM but also with all of your accounts which require an HOTP or TOTP based second factor. If you would like to try out the beta version for Android, it’s available for download here. Once final, both versions will be available on the Apple and Google app stores.

With the Sophos Authenticator, you can generate a one-time password meaning your smartphone becomes the token

Because we’ve based our solution on open standards, there’s no need to worry about random number generators (RNGs) that anybody might have had influence over – it’s all perfectly secure. It also works with user accounts from any existing authentication service which the UTM is configured to use, e.g., Active Directory, LDAP, RADIUS, Local Authentication, etc.

What’s more, we haven’t tied our 2FA to just one part of the UTM; it’s simply part of the core product. In this release, you will be able to use it with the WebAdmin Portal, the User Portal, the Web Application Firewall, IPSec VPN, SSL VPN, the UTM shell login and for Wireless Hotspot access. In future releases, we plan to add more.

So what is a typical scenario which could benefit from adding two-factor authentication? Any business which has internal web apps can securely put them on the Internet by combining the authentication offloading in our Web Application Firewall (another 9.2 feature) with HTTPS offloading and 2FA. That’s not only a way for them to meet regulatory compliance needs, it’s also simple to implement. This can often be used to replace the need for secure VPN access, while offering equal security, and greater user convenience.

Come back to Sophos Blog for the next post in the coming days explaining more feature highlights of Sophos UTM Accelerated (9.2). Until then, should you have any questions, we’re only an email or a phone call away.
