About authentication

Sophos admins can authenticate using either a username and password pair or a passkey.

Authenticating with username and password requires multi-factor authentication using a time-based one-time password (TOTP) authentication app like Google Authenticator, Microsoft Authenticator, or Authy.

Passkeys provide an easier, more secure method of logging in. They use two authentication factors: a biometric scan or device PIN and a key stored securely on the computer or mobile device. They're phishing-resistant because they can't be faked or hijacked, and they're secure from your computer to the cloud. Passkeys only need a single action, such as pressing a finger on a fingerprint reader, to authenticate the user to the service. 

When users enroll, they're asked to set a password and set up at least one TOTP authenticator app. Later on, admins can add passkey authentication methods in Sophos Central.

Deprecated authentication methods

Multi-factor authentication methods based on SMS text or on email-plus-PIN are now deprecated. New users enrolling in Sophos Central must use a TOTP authenticator app or passkey to authenticate.

If an existing user who uses SMS text or email-plus-PIN authentication has their multi-factor authentication methods reset, they're considered a new user. This means they must use a TOTP authenticator app or passkey to authenticate.
