About authentication
Sophos admins can authenticate using either a username and password pair or a passkey.
Authenticating with username and password requires multi-factor authentication using a time-based one-time password (TOTP) authentication app like Google Authenticator, Microsoft Authenticator, or Authy.
Passkeys provide an easier, more secure way to sign in. They combine two factors: something you have (a private key stored securely on the computer or mobile device) and something you are or know (the biometric scan or device PIN that unlocks that key). They're phishing-resistant because the key is bound to the site it was created for and never leaves the device, so a lookalike site can't use it and there's no shared secret to intercept between your computer and the cloud. Passkeys need only a single action, such as touching a fingerprint reader, to authenticate you to the service.
When users enroll, they're asked to set a password and set up at least one TOTP authenticator app. Later, admins can add passkey authentication methods in Sophos Central.
You can watch the following video for help with enrolling and using passkeys on Windows and macOS, configuring multi-factor authentication (MFA), and setting up cross-device passkeys.

Deprecated authentication methods
Multi-factor authentication methods based on SMS text or on email-plus-PIN are now deprecated. New users enrolling in Sophos Central must use a TOTP authenticator app or passkey to authenticate.
If an existing user who uses SMS text or email-plus-PIN authentication has their multi-factor authentication methods reset, they're considered a new user. This means they must use a TOTP authenticator app or passkey to authenticate.
Failed sign-in attempts
Sophos Central enforces a lockout policy for failed sign-in attempts. Your account is temporarily locked after five consecutive incorrect sign-in attempts. The first lockout lasts one minute, and the lockout gets longer with each further incorrect sign-in attempt on the same account, up to a maximum of five hours. You can contact Sophos Support to unlock your account. See Sophos Support.
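The following is an added model of the escalating lockout policy described above. It is illustration code, not Sophos code, and it makes assumptions the page does not state: the lockout length doubles with each further failed attempt after the first lockout, attempts made while an account is locked are rejected without extending the lock, and a successful sign-in clears the failure count.

```python
"""Model of an escalating sign-in lockout policy.

Added illustration, not Sophos Central's implementation. Parameters taken
from the page: lock after five consecutive failures, first lockout one
minute, growing with further failures up to a five-hour cap.
Assumed (not stated on the page): doubling schedule, attempts while locked
do not extend the lock, a successful sign-in resets the account's state.
"""
from dataclasses import dataclass

MAX_FAILURES = 5          # consecutive failures before the first lockout
INITIAL_LOCKOUT_S = 60    # one minute
MAX_LOCKOUT_S = 5 * 3600  # five hours


@dataclass
class AccountState:
    consecutive_failures: int = 0
    lockout_s: int = 0          # length of the current or most recent lockout
    locked_until: float = 0.0   # time (seconds) at which the lock expires; 0 = never locked


class LockoutPolicy:
    def __init__(self):
        self._accounts: dict = {}

    def _state(self, account: str) -> AccountState:
        return self._accounts.setdefault(account, AccountState())

    def is_locked(self, account: str, now: float) -> bool:
        return now < self._state(account).locked_until

    def seconds_remaining(self, account: str, now: float) -> float:
        return max(0.0, self._state(account).locked_until - now)

    def lockout_seconds(self, account: str) -> int:
        return self._state(account).lockout_s

    def attempt(self, account: str, password_ok: bool, now: float) -> str:
        """Process one sign-in attempt; returns 'ok', 'rejected' or 'locked'."""
        st = self._state(account)
        if now < st.locked_until:
            # Assumption: attempts during a lockout are refused and do not
            # count as further failures or extend the lock.
            return 'locked'
        if password_ok:
            self._accounts[account] = AccountState()   # assumption: success resets
            return 'ok'
        st.consecutive_failures += 1
        if st.consecutive_failures >= MAX_FAILURES:
            # First lockout is one minute; every further failure after the
            # lock expires doubles the duration (assumed schedule), capped at 5 h.
            if st.lockout_s == 0:
                st.lockout_s = INITIAL_LOCKOUT_S
            else:
                st.lockout_s = min(st.lockout_s * 2, MAX_LOCKOUT_S)
            st.locked_until = now + st.lockout_s
            return 'locked'
        return 'rejected'


def lockout_schedule(n_lockouts: int) -> list:
    """Lockout lengths (seconds) for n successive lockouts of one account.

    Simulates an attacker who fails five times, waits out each lock, then
    fails again, so every failure after the first lock triggers a new one.
    """
    policy = LockoutPolicy()
    account = 'demo-admin'   # constructed account name
    now = 0.0
    for _ in range(MAX_FAILURES - 1):
        policy.attempt(account, False, now)
    durations = []
    for _ in range(n_lockouts):
        policy.attempt(account, False, now)            # triggers a lockout
        durations.append(policy.lockout_seconds(account))
        now += policy.seconds_remaining(account, now)  # wait out the lock
    return durations


if __name__ == '__main__':
    print(lockout_schedule(12))
```

Running the schedule shows why the cap matters: with a doubling schedule the lock reaches the five-hour ceiling after the tenth lockout, so guessing at the maximum allowed rate yields only a handful of attempts per day per account. The same model also shows the policy's side effect: anyone who knows an admin's username can keep that account locked, which is why the page's note about contacting Sophos Support to unlock an account is operationally important.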