Multi-factor authentication

Sophos Central admins must sign in with multi-factor authentication.

Using multi-factor authentication (MFA) means that admins must use another form of authentication in addition to their username and password. Sophos Central guides admins through MFA setup the first time they sign in.

Admins can use Sophos Authenticator, Google Authenticator, SMS texts, or email authentication.

This page tells you how to do the following:

  • Sign in with multi-factor authentication for the first time.
  • Add another method for multi-factor authentication.
  • Sign in with an authenticator.
  • Sign in with email authentication if you don't have Sophos Authenticator or Google Authenticator.
  • Reset an admin's sign-in details, for example, if they lose their phone.

Sign in with multi-factor authentication for the first time

The first time you sign in with MFA, do as follows:

  1. At the sign-in screen, enter your user ID (email address) and password.

    A Set Up Your Login Information dialog explains that signing in needs additional authentication.

  2. In the next dialog:
    1. Enter the security code that has been sent to you in an email.
    2. Create a 4-digit PIN. This enables you to use email as an authentication method.
  3. In the next dialog, choose the authentication type.
  4. In Verify Your Device, scan the QR code and enter the security code that Sophos or Google Authenticator displays.

    You also need to enter a security code to verify a device if you've chosen SMS as your authentication type.

    Sophos Central Admin opens.

The next time you sign in, you only need to enter a code from Sophos or Google Authenticator when prompted.

Add another authentication option for multi-factor authentication

You can set up multiple authentication options for a Sophos Central Admin account.

You can authenticate with Sophos Authenticator, Google Authenticator, or SMS texts.

You must have an authentication option already set up.

To set up another authentication option, do as follows:

  1. Sign in to Sophos Central Admin.
  2. Click your account name and click Manage Login Settings.
  3. Click Create New Method.
  4. Choose another authentication method.
  5. Click Next.
  6. In Verify Your Device, scan the QR code and enter the security code that Sophos Authenticator or Google Authenticator displays.
  7. To confirm that the new method has been added, click your account name and click Manage Login Settings.
    An additional authentication method has been added.

Sign in using an authenticator

Find out how to sign in to Central Admin using Sophos Authenticator or Google Authenticator.

The account you use must be enrolled in multi-factor authentication. To verify this, see Set up multi-factor authentication.

To sign in, do as follows:

  1. Sign in to Sophos Central Admin.
    The Verify Your Login pop-up appears.
  2. Enter the code from the authenticator and click Submit.

You're now signed in.

Sign in with email authentication

If you don't have access to Sophos Authenticator, Google Authenticator, or SMS texts, you can sign in with email authentication instead.

  1. At the sign-in screen, enter the user ID (email address) and password.
  2. In Verify Your Login, click Choose Another Method.
  3. In Pick Your Challenge, click the email option.
    An email is sent to you. If you don't receive it within 5 minutes, the security code that it contains is no longer valid. To request another code, either refresh the Verify Your Login page or go back to the Pick Your Challenge page and click the email option again.
  4. Open the email and find the security code.
  5. In Verify Your Login, enter the security code and your 4-digit PIN.

You'll be asked for the security code and PIN each time you sign in from now on until you switch back to using Sophos Authenticator or Google Authenticator.

Reset an admin's sign-in details

If an admin replaces or loses their phone, you can allow them to set up their sign-in again.

Restriction: You must be a Super Admin to use this feature.

  1. On the People page, under Users, find the user and click their name to open their details.
  2. In the user details on the left of the screen, you see their MFA status and settings. Click Reset and confirm that you want to do a reset.

The next time the admin tries to sign in, they'll need to go through the setup steps again.