Multi-factor authentication

You can use multi-factor authentication in Sophos Enterprise Console.

For the best security, we recommend that every Sophos Enterprise Console administrator uses multi-factor authentication, set up as follows.

Note: We recommend that you create a recovery account during installation and assign the Multi-factor authentication role to this account. You should only use this account for recovery.

For each administrator:

  • Create a non-administrative account. The administrator must use this account to access Sophos Enterprise Console.
  • Add this account to the Sophos Console Administrators and DCOM Users groups.
  • Add this account to a role and a sub-estate in Manage Roles and Sub-Estates. You can also add this account to the Sophos Full Administrators Windows local group.
  • Enroll this account in multi-factor authentication in Sophos Enterprise Console.

Additionally, remove all administrators (members of the Administrators and/or Domain Administrators groups) from the Sophos Console Administrators group.

Note: Make sure there is at least one administrator who has the Role-based administration and the Multi-factor authentication rights.
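
The removal step above can be checked with a script. The following audit is an added example, not Sophos code: it lists members of the Sophos Console Administrators group that are also administrators, directly or through nested groups. It assumes an elevated Windows PowerShell 5.1 session on the management server, that the Sophos groups exist there as Windows local groups, and that "Domain Administrators" refers to the domain group with the well-known RID 512.

```powershell
using namespace System.DirectoryServices.AccountManagement
# Added audit example, not Sophos code. Assumptions: elevated Windows PowerShell 5.1
# on the management server; the Sophos groups exist there as Windows local groups.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

$consoleGroup = 'Sophos Console Administrators'   # group name as given on this page

# Built-in Administrators (well-known SID S-1-5-32-544) plus its direct members,
# which on a domain-joined server normally include the domain administrators group.
$adminSids = @('S-1-5-32-544') +
    @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop |
        ForEach-Object { $_.SID.Value })

function Get-EffectiveSids {
    # Returns the member's own SID and, for user accounts, the SID of every
    # group the user belongs to, nested groups included.
    param([Parameter(Mandatory)]$Member)
    $sids = @($Member.SID.Value)
    $type = if ($Member.Name -like "$env:COMPUTERNAME\*") { [ContextType]::Machine }
            else { [ContextType]::Domain }
    $ctx  = [PrincipalContext]::new($type)
    $user = [UserPrincipal]::FindByIdentity($ctx, [IdentityType]::Sid, $Member.SID.Value)
    if ($user) {
        $sids += $user.GetAuthorizationGroups() | ForEach-Object { $_.Sid.Value }
    }
    $sids
}

$findings = foreach ($m in Get-LocalGroupMember -Group $consoleGroup -ErrorAction Stop) {
    try {
        # A SID ending in -512 is the domain administrators group of some domain.
        $hit = Get-EffectiveSids -Member $m |
            Where-Object { $adminSids -contains $_ -or $_ -match '^S-1-5-21-.+-512$' } |
            Select-Object -First 1
        $finding = if ($hit) { "administrator (matched SID $hit)" } else { $null }
    } catch {
        # Domain unreachable or unresolvable account: report it, do not skip it.
        $finding = "lookup failed, review manually: $($_.Exception.Message)"
    }
    if ($finding) { [pscustomobject]@{ Account = $m.Name; Finding = $finding } }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { "No administrators found in '$consoleGroup'." }
```

Non-administrative groups nested inside Sophos Console Administrators are not expanded by this script, so review their membership separately.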

Multi-factor authentication administration dialog

If you have the Multi-factor authentication role, you can see which administrators have been enrolled in multi-factor authentication. Administrators that appear in the list have been enrolled at least once.

To turn on, turn off or reset multi-factor authentication for an administrator, click the administrator in the list and then use the buttons below the list.

You can also right-click an administrator to bring up a context menu with the same options.