Action summary
This article explains how to configure Access Control to require a One-Time Password (OTP) in addition to an ID and password for admin logins.
Notes
- The content of this article is based on product specifications as of July 2026 and is subject to change without notice.
- When you perform this procedure, all users belonging to the configured Access Policy Group will be required to enter an OTP at login. Be sure to configure OTP for all affected users before starting operation.
- To prepare for situations where OTP cannot be entered, such as loss of a mobile device, we recommend storing an OTP emergency token.
* For information on issuing an OTP emergency token, refer to the "Using OTP Emergency Token" section in the article below.
[Access Control] OTP Issuance Method and Expiration Date - If the Access Policy is the same for both admins and users, enabling OTP will require OTP for login by all users to whom the policy is applied.
Please change the admin Access Policy as needed.
[Access Control] Creating / Editing Access Policy Groups
[Access Control] Assigning Access Policy Groups to Users - Enforcing OTP for users with admin privileges will be applied regardless of the OTP setting (enabled/disabled) in the Access Policy Group assigned to the user.
Procedure
-
From the Administration, go to [Access Control] – [Access Policy Groups].
-
Check the relevant policy and follow one of the procedures below depending on whether an admin policy exists.
* If the [Skip OTP authentication] setting is [Never allow OTP to be skipped] or [Allow OTP to be skipped when], OTP is already configured and this procedure is not required.If an Access Policy Group for admins exists
Follow this procedure to modify an existing Access Policy. Use this if initial setup is already complete.If an Access Policy Group for admins does not exist
Follow this procedure to create a new Access Policy. Use this if initial setup has not been performed.
If an Access Policy Group for admins exists
-
Open the Access Policy Group for admins and confirm that the settings for [Condition to change OTP secret] and [Condition to change OTP Notification Email] are set to one of the following:
- [Always allow]
- [Allow when] and the current source IP is accepted
* If set to [Always deny], change it to [Always allow] and click [Save Changes].
* If your security policy restricts OTP setup to either OTP app or email only, allow only the corresponding setting.
[Condition to change OTP secret]: Allow OTP setup via OTP app
[Condition to change OTP Notification Email]: Allow OTP setup via email notification -
From the menu at the top right of the Administration, select [User Portal].
-
From the menu at the top right of the portal screen, click [OTP (One-Time Password) settings] to configure OTP.
* For detailed setup instructions, refer to the articles below.- [Access Control] Setting up OTP (One-Time Password) with an Application
- [Access Control] Setting up OTP (One-Time Password) via Email
-
Return to the Administration and issue an OTP emergency token for the admin account from the Edit User screen.
* If OTP setup fails, login using the OTP emergency token will be required.
Be sure to issue and keep a record of it.- [OTP] – [OTP emergency token]: "Add new"
* For details on OTP emergency tokens, refer to the "Using OTP Emergency Token" section in the article below.
[Access Control] OTP Issuance Method and Expiration Date
- [OTP] – [OTP emergency token]: "Add new"
-
Edit the Access Policy Group for admins.
* For detailed editing instructions, refer to the article below.
[Access Control] Creating / Editing Access Policy Groups
Set the value as follows.- [Skip OTP authentication]: Never allow OTP to be skipped
- Log out from the Access Control portal screen.
- Verify that you can log in to the Access Control Administration using the admin account and OTP.
* For a login example, refer to the article below.
[Access Control] Login Image Using One-Time Password
If an Access Policy Group for admins does not exist
-
In the Access Control Administration, create a new Access Policy Group for admins.
* For detailed creation instructions, refer to the article below.
[Access Control] Creating / Editing Access Policy Groups
Configure as follows and click [Save].- [Display Name]: e.g., "Admin Access Rule"
* Set any display name you prefer. - [Condition to allow access]: Configure the Access Policy Template according to your security policy.
-
[Access Control] Creating / Editing IP Sets
* Only perform this step if you want to control access by IP. Create a group containing the IP addresses to be allowed. - [Access Control] Creating / Editing Access Policy Templates
- [Access Control] Creating / Editing Access Policy Groups
-
[Access Control] Assigning Access Policy Groups to Users
Example of Access Policy Template settings
* Assume that an IP Set named "internal-ip" has been created in advance to group internal IP addresses.
・Allow access by IP address only: @internal-ip@
・Internal: allow by IP address, External: allow login by certificate: @internal-ip@ or cert:any
・Internal: allow by IP address, External: allow login by Secure Browser: @internal-ip@ or hsb:true
-
[Access Control] Creating / Editing IP Sets
- [Skip OTP authentication]: Always allow OTP to be skipped
* If you require OTP before it is set up, you will not be able to log in. Please be careful. - [Condition to change OTP secret]: Always allow
- [Condition to change OTP Notification Email]: Always allow
- [Allowed services]: Check all
* If your security policy restricts OTP setup to either OTP app or email only, allow only the corresponding setting.
- [Display Name]: e.g., "Admin Access Rule"
-
Assign the created Access Policy Group to the admin.
* For detailed assignment instructions, refer to the article below.
[Access Control] Assigning Access Policy Groups to Users
In the Edit User screen, configure the following items.- [Access Policy] – [Access Policy Groups]: Select the Access Policy Group created in Step 1.
- [OTP] – [OTP emergency token]: "Add new"
* If OTP setup fails, you will not be able to log in. Be sure to issue and keep a record of it.
* For details on OTP emergency tokens, refer to the "Using OTP Emergency Token" section in the article below.
[Access Control] OTP Issuance Method and Expiration Date
-
From the menu at the top right of the Administration, select [User Portal].
-
From the menu at the top right of the Access Control portal screen, click [OTP (One-Time Password) settings] to configure OTP.
* For detailed setup instructions, refer to the articles below.- [Access Control] Setting up OTP (One-Time Password) with an Application
- [Access Control] Setting up OTP (One-Time Password) via Email
-
Return to the Administration and configure OTP for the Access Policy Group for admins.
* For detailed setup instructions, refer to the article below.
[Access Control] Creating / Editing Access Policy Groups
Set as follows and click [Save Changes].- [Skip OTP authentication]: Always allow OTP to be skipped → Never allow OTP to be skipped
- Log out from the Access Control portal screen.
- Verify that you can log in to the Access Control Administration using the admin account and OTP.
* For a login example, refer to the article below.
[Access Control] Login Image Using One-Time Password
Translation Disclaimer
This article has been automatically translated from the original Japanese version for your convenience.
While we strive to ensure accuracy, we cannot guarantee its reliability or completeness.
In the event of any discrepancies or questions regarding the content, the official Japanese version shall prevail.