Multi-factor authentication
If you're a Super Admin, you can make some or all of the Sophos Central admins sign in with multi-factor authentication.
Introduction
Using multi-factor authentication means that admins must use another form of authentication as well as their username and password.
Admins can use Sophos Authenticator, Google Authenticator, SMS, or email authentication to sign in.
Multi-factor authentication is turned on by default for newly created Sophos Central accounts.
This page tells you how to do the following:
- Set up multi-factor authentication.
- Sign in with multi-factor authentication for the first time.
- Add another method for multi-factor authentication.
- Sign in with email authentication if you don't have Sophos Authenticator or Google Authenticator.
- Reset an admin's sign-in details, for example, if they lose their phone.
- Turn off multi-factor authentication for an admin.
Set up multi-factor authentication
If you're a Super Admin, you can choose how your administrators sign in.
To set up multi-factor authentication, do as follows:
- Go to .
- Choose how you want admins to sign in:
  - No MFA needed.
  - All admins need MFA. This is the default for new accounts.
  - Select admins who will need MFA. This lets you select individual admins.
- If you choose Select admins who will need MFA, a user list is displayed. Click Add admins (on the right of the screen). Move admins to the Assigned Users list and click Add.
- Click Save.
When admins next sign in, they must set up a new method of authentication.
Sign in with multi-factor authentication for the first time
The next time you sign in, you only need to enter a code from Sophos or Google Authenticator when prompted.
Add another authentication option for multi-factor authentication
You can set up multiple authentication options for a Sophos Central Admin account.
You can authenticate with SMS, Sophos Authenticator, or Google Authenticator.
You must have an authentication option already set up.
To set up another authentication option, do as follows:
Sign in with email authentication
If you don't have access to Sophos Authenticator, Google Authenticator, or SMS, you can sign in with email authentication instead.
You'll be asked for the security code and PIN each time you sign in from now on until you switch back to using Sophos Authenticator or Google Authenticator.
Sign in using an authenticator
Find out how to sign in to Central Admin using Sophos Authenticator or Google Authenticator.
The account you use must be enrolled in multi-factor authentication. To verify this, see Set up multi-factor authentication.
To sign in, do as follows:
You're now signed in.
Reset an admin's sign-in details
If an admin replaces or loses their phone, you can allow them to set up their sign-in again.
- On the People page, under Users, find the user and click their name to open their details.
- In the user details, on the left of the screen, you'll see their MFA status and settings. Click Reset and confirm that you want to do a reset.
The next time the admin tries to sign in, they'll need to go through the setup steps again.
Turn off multi-factor authentication
If you're a Super Admin, you can turn off multi-factor authentication for an administrator.
To turn off multi-factor authentication, do as follows:
- Go to .
- Click Select admins who will need MFA.
- Click Add admins.
- Move the administrator from the Assigned Users list to the Available Users list.
- Click Add.
- Click Save.