Configuring One-Time Passwords
Last Updated: 8/16/2017

One-Time Password (OTP) is a two-factor authentication scheme that uses system-generated, random passwords in addition to standard user name and password credentials. Once a user submits the correct basic login credentials, the system generates a one-time password and sends it to the user at a pre-defined email address. The user must retrieve the one-time password from their email, then enter it at the login screen. Selecting the Require one-time passwords checkbox enables this functionality and requires SSL VPN users to submit a system-generated password for two-factor authentication.

Each one-time password is single-use. Whenever a user successfully enters a valid user name and password, any existing one-time password for that account is deleted. Unused one-time passwords time out according to the time-out value set on the Users | Settings | User Session Settings interface. Administrators can enable one-time password on a Local User or Local Group basis.
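The lifecycle rules above (single use, replacement on each new successful login, time-out of unused passwords) can be modelled in a few lines. This is an added illustration, not SonicWall's implementation; the class name `OtpStore`, the 8-character alphanumeric format and the 600-second time-out are assumptions chosen for the example.

```python
import hmac
import secrets
import string
import time

ALPHABET = string.ascii_letters + string.digits  # assumed character set
OTP_LENGTH = 8                                   # assumed length
OTP_TIMEOUT_SECONDS = 600  # assumed; stands in for the configured time-out value


class OtpStore:
    """In-memory model of the per-account OTP lifecycle (hypothetical helper)."""

    def __init__(self, timeout=OTP_TIMEOUT_SECONDS, clock=time.monotonic):
        self._timeout = timeout
        self._clock = clock
        self._pending = {}  # username -> (otp, expiry time)

    def issue(self, username):
        """Call only after the user name and password check has succeeded.

        Overwriting the entry deletes any existing OTP for the account.
        """
        otp = "".join(secrets.choice(ALPHABET) for _ in range(OTP_LENGTH))
        self._pending[username] = (otp, self._clock() + self._timeout)
        return otp  # in the real flow this is e-mailed, never shown at login

    def verify(self, username, candidate):
        """Return True exactly once for a matching, unexpired OTP."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        otp, expiry = entry
        if self._clock() >= expiry:
            del self._pending[username]  # unused OTP timed out
            return False
        # Constant-time comparison; attempt limiting is not modelled here.
        if not hmac.compare_digest(otp.encode(), candidate.encode()):
            return False
        del self._pending[username]  # single use: consumed on success
        return True
```
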

This article describes how to configure one-time passwords.


Configuring OTP involves performing the following steps:

Configure Mail Server Settings

To use one-time passwords, the appliance must have access to a correctly configured SMTP server.

Log in to the SonicWall management GUI.
Navigate to the Log | Automation page.
Enter the mail server information under Mail Server Settings.

Enable OTP for a Local User

Navigate to the Users | Local Users page.
Click Add User (or edit an existing user).
Enter a name and password for the user (for a new user).
Select the Require one-time passwords checkbox.
In the E-mail address field, enter the email address to which the one-time password must be sent.
Click OK to save.

Alternatively, enable OTP for a Local Group

Enabling one-time passwords for a group requires all members of the group to enter a one-time password when connecting. Therefore, each member of the group must be configured with an email address to which the one-time password can be sent. LDAP users' email addresses are retrieved from the server when the original authentication is done. Authenticating remote users through RADIUS requires administrators to manually enter email addresses in the management interface, unless RADIUS user settings are configured to Use LDAP to retrieve user group information.

Navigate to the Users | Local Groups page.
Click Add Group (or edit an existing group).
Enter a name for the group.
Select the Require one-time passwords checkbox.


When a user with one-time passwords enabled tries to log in to SSL-VPN, the following prompt will appear after the user has been authenticated with the local username and password:


Simultaneously, a temporary password will be sent to the email address configured for the user. Copy and paste the password into the above page. On being authenticated, the following message will be displayed on the browser page:

Firewalls>SonicWall TZ Series , Firewalls>SonicWall SuperMassive E10000 Series , Firewalls>SonicWall SuperMassive 9000 Series , Firewalls>SonicWall NSA Series
