Sophos Central MFA Requirements

Sophos Central administrators must register at least two multi-factor authentication (MFA) methods to reduce the risk of account lockout if one authentication method or device becomes unavailable. Sophos Central administrators will be challenged for MFA every time they sign in. Either of the two registered methods can be used to respond to this challenge.

Sophos Central supports the following MFA methods:

  • Passkeys
  • Authenticator apps that generate time-based one-time passwords (TOTP)

Registering multiple MFA methods

Modern MFA methods are typically linked to a device you control. If that device is lost, replaced, damaged, unavailable, or reset, you may not be able to sign in. Registering more than one MFA method ensures that you have an alternative method available. This helps you maintain access during device changes, resets, and other routine updates.

Supported MFA methods

Passkeys use cryptographic authentication linked to your account and device. They can be unlocked using a biometric scan or device PIN. Passkeys are resistant to phishing and do not rely on codes that can be intercepted. Examples of supported passkey platforms include iCloud Keychain, Google Password Manager, Windows Hello, and supported hardware security keys.

Authenticator apps generate time-based one-time passwords (TOTP) on an enrolled device. They provide an additional authentication method that can be used as a primary method or as a backup to a passkey.

You must register two MFA methods when prompted. Where possible, use methods that do not depend on a single device. Recommended combinations include the following:

  • One passkey and one authenticator app.
  • Two passkeys on different devices or device ecosystems.
  • Two authenticator app enrollments, where appropriate.

Choose a setup that balances security, convenience, and recovery options.

If you lose access to your MFA methods

If you can't sign in because you no longer have access to your registered MFA methods, contact your Super Admin or Partner Super Admin. They can help reset your MFA methods.

Video

You can watch the following video for help on enrolling and using passkeys on Windows and macOS, configuring your multi-factor authentication (MFA), and setting up cross-device passkeys.