Multi-factor authentication

If you're a Super Admin, you can make some or all of the Sophos Central admins sign in with multi-factor authentication.

Introduction

Using multi-factor authentication means that admins must use another form of authentication in addition to their username and password.

Admins can use Sophos Authenticator, Google Authenticator, SMS, or email authentication to sign in.

Multi-factor authentication is turned on by default for newly created Sophos Central accounts.

This page tells you how to do the following:

  • Set up multi-factor authentication.
  • Sign in with multi-factor authentication for the first time.
  • Add another method for multi-factor authentication.
  • Sign in with email authentication if you don't have Sophos Authenticator or Google Authenticator.
  • Reset an admin's sign-in details, for example, if they lose their phone.
  • Turn off multi-factor authentication for an admin.

Set up multi-factor authentication

If you're a Super Admin, you can choose how your administrators sign in.

To set up multi-factor authentication, do as follows:

  1. Go to Settings > Multi-factor Authentication (MFA).
  2. Choose how you want admins to sign in:
    • No MFA needed.
    • All admins need MFA. This is the default for new accounts.
    • Select admins who will need MFA. This lets you select individual admins.
  3. If you choose Select admins who will need MFA, a user list is displayed. Click Add admins (on the right of the screen). Move admins to the Assigned Users list and click Add.
  4. Click Save.

When admins next sign in, they must set up a new method of authentication.

Sign in with multi-factor authentication for the first time

The first time you sign in with MFA, do as follows:

  1. At the sign-in screen, enter your user ID (email address) and password.

    A Set Up Your Login Information dialog explains that signing in needs additional authentication.

  2. In the next dialog:
    1. Enter the security code that has been sent to you in an email.
    2. Create a 4-digit PIN. This enables you to use email as an authentication method.
  3. In the next dialog, choose the authentication type.
  4. In Verify Your Device, scan the QR code and enter the security code that Sophos or Google Authenticator displays.

    You also need to enter a security code to verify a device if you have chosen SMS as your authentication type.

    Sophos Central Admin opens.

The next time you sign in, you only need to enter a code from Sophos or Google Authenticator when prompted.

Add another authentication option for multi-factor authentication

You can set up multiple authentication options for a Sophos Central Admin account.

You can authenticate with SMS, Sophos Authenticator, or Google Authenticator.

You must have an authentication option already set up.

To set up another authentication option, do as follows:

  1. Sign in to Sophos Central Admin.
  2. Click your account name and click Manage Login Settings.
  3. Click Create New Method.
  4. Choose another authentication method.
  5. Click Next.
  6. In Verify Your Device, scan the QR code and enter the security code that Sophos Authenticator or Google Authenticator displays.
  7. To confirm that the new method has been added, click your account name and click Manage Login Settings.
    An additional authentication method has been added.

Sign in with email authentication

If you don't have access to Sophos Authenticator, Google Authenticator, or SMS, you can sign in with email authentication instead.

  1. At the sign-in screen, enter the user ID (email address) and password.
  2. In Verify Your Login, click Choose Another Method.
  3. In Pick Your Challenge, click the email option.
    An email is sent to you. If you don't receive it within 5 minutes, the security code that it contains is no longer valid. To request another code, either refresh the Verify Your Login page or go back to the Pick Your Challenge page and click the email option again.
  4. Open the email and find the security code.
  5. In Verify Your Login, enter the security code and your 4-digit PIN.

You'll be asked for the security code and PIN each time you sign in from now on until you switch back to using Sophos Authenticator or Google Authenticator.

Sign in using an authenticator

Find out how to sign in to Central Admin using Sophos Authenticator or Google Authenticator.

The account you use must be enrolled in multi-factor authentication. To verify this, see Set up multi-factor authentication.

To sign in, do as follows:

  1. Sign in to Sophos Central Admin.
    The Verify Your Login pop-up appears.
    Screenshot of prompt for authenticator security code
  2. Enter the code from the authenticator and click Submit.

You're now signed in.

Reset an admin's sign-in details

If an admin replaces or loses their phone, you can allow them to set up their sign-in again.

  1. On the People page, under Users, find the user and click their name to open their details.
  2. In the user details, on the left of the screen, you'll see their MFA status and settings. Click Reset and confirm that you want to do a reset.

The next time the admin tries to sign in, they'll need to go through the setup steps again.

Turn off multi-factor authentication

If you're a Super Admin, you can turn off multi-factor authentication for an administrator.

To turn off multi-factor authentication, do as follows:

  1. Go to Settings > Multi-factor Authentication (MFA).
  2. Click Select admins who will need MFA.
  3. Click Add admins.
  4. Move the administrator from the Assigned Users list to the Available Users list.
  5. Click Add.
  6. Click Save.