Skip to content

Multi-factor authentication

Sophos Central admins must sign in with multi-factor authentication.

Using multi-factor authentication (MFA) means that admins must use another form of authentication in addition to their username and password. Sophos Central guides admins through MFA setup the first time they sign in.

Admins can use a Time-based One-time Password (TOTP) app such as Authy, MS Authenticator, or Google Authenticator as a second factor. SMS texts or email are also available as second-factor authentication methods.

We strongly recommend using TOTP as a second factor. TOTP is recommended over SMS texts and email due to their security vulnerabilities and susceptibility to phishing.

Note

SMS isn't available as an authentication method in Sophos Central trial accounts.

This page tells you how to do the following:

  • Sign in with multi-factor authentication for the first time.
  • Add another method for multi-factor authentication.
  • Sign in with a TOTP authenticator app.
  • Sign in with email authentication.
  • Reset an admin's sign-in details, for example, if they lose their phone.

Sign in with multi-factor authentication for the first time

The first time you sign in with MFA, do as follows:

  1. At the sign-in screen, enter your user ID (email address) and password.

    A Set Up Your Login Information dialog explains that signing in needs additional authentication.

  2. In the next dialog:

    1. Enter the security code that has been sent to you in an email.
    2. Create a 6-digit PIN. This enables you to use email as an authentication method.
  3. In the next dialog, choose the authentication type.

    If you want to use text messages, don't enter the leading 0 for the mobile number.

  4. In Verify Your Device, scan the QR code and enter the security code that the TOTP authenticator app displays.

    You also need to enter a security code to verify a device if you've chosen SMS as your authentication type.

    Sophos Central Admin opens.

The next time you sign in, you only need to enter a code from the TOTP authenticator app when prompted.

Add another authentication option for multi-factor authentication

You can set up multiple authentication options for a Sophos Central Admin account.

You can authenticate with a TOTP authenticator app or SMS texts.

You must have an authentication option already set up.

To set up another authentication option, do as follows:

  1. Sign in to Sophos Central Admin.
  2. Click your account name and click Manage Login Settings.
  3. Click Create New Method.
  4. Choose another authentication method.

    If you want to use text messages, don't enter the leading 0 for the mobile number.

  5. Click Next.

  6. In Verify Your Device, scan the QR code and enter the security code that the TOTP authenticator app displays.
  7. To confirm that the new method has been added, click your account name and click Manage Login Settings. An additional authentication method has been added.

Note

If you want to change your MFA method, you'll be asked to enter a security code before proceeding. Depending on your authentication type, you may receive a security code from us by text message, or you must generate one using the authenticator app on your mobile device. See My Info.

Sign in using a TOTP authenticator app

Find out how to sign in to Central Admin using a TOTP authenticator app such as Authy, Google Authenticator, or MS Authenticator.

The account you use must be enrolled in multi-factor authentication.

To sign in, do as follows:

  1. Sign in to Sophos Central Admin. The Verify Your Login pop-up appears.

    Screenshot of prompt for authenticator security code.

  2. Enter the code from the authenticator and click Submit.

You're now signed in.

Sign in with email authentication

We strongly recommend using TOTP as a second factor rather than email. TOTP is recommended over email due to email's security vulnerabilities and susceptibility to phishing.

If you don't have access to a TOTP authenticator app or SMS texts, you can sign in with email authentication instead.

  1. At the sign-in screen, enter the user ID (email address) and password.
  2. In Verify Your Login, click Choose Another Method.
  3. In Pick Your Challenge, click the email option. An email is sent to you. If you don't receive it within 5 minutes, the security code that it contains is no longer valid. To request another code, either refresh the Verify Your Login page or go back to the Pick Your Challenge page and click the email option again.
  4. Open the email and find the security code.
  5. In Verify Your Login, enter the security code and your 6-digit PIN.

You'll be asked for the security code and PIN each time you sign in from now on until you switch back to using a TOTP authenticator app.

Reset an admin's sign-in details

If an admin replaces or loses their phone, you can allow them to set up their sign-in again.

Note

You must be a Super Admin to use this feature.

  1. On the People page, under Users, find the user and click their name to open their details.
  2. In the user details on the left of the screen, you see their MFA status and settings. Click Reset and confirm that you want to do a reset.

The next time the admin tries to sign in, they'll need to go through the setup steps again.

Multi-factor authentication lockout policy

Sophos Central enforces an incorrect MFA lockout policy. The first lockout lasts for 1 minute. If you make further attempts to sign in with an incorrect password, the lockout becomes longer each time, eventually reaching five hours.

You can reset an admin's MFA settings when their account gets locked, or you can contact Sophos Support. See Sophos Support.