It seems Sophos have dropped the ball with MFA.
I have recently moved to a new phone and tried to sign into Sophos today, and discovered that the MFA account for my Sophos ID has not migrated. This is fair enough for obvious security reasons. However, I have spent several hours today trying to find out what the hell is going on with MFA for Sophos IDs. I was/am not able to find any reference to MFA settings in my Sophos ID profile at all. I have not been able to find any usable documentation, KB articles or even forum articles that might shed some light on what's going on. I have found the official "Sophos Central Admin: Multi-Factor Authentication Landing Page". However, it seems that half of the articles regarding MFA linked to in this article are missing from the target document.
Chatting with someone at Sophos using their website chat only resulted in a URL to an article on how to migrate Google Authenticator to a new device. I am using Sophos Authenticator. I was also provided with a link to the support portal...
So, I called support... The front-line support person was largely unaware of what is going on and was not able to enlighten me as to what is going on or where to get further assistance, other than telling me that I should have called them to ask for MFA to be reset! So, I asked for MFA to be reset. They were then unable to tell me how to proceed to log in to reconfigure my MFA. I was not able to log in at all because, on entering my username and password, I was told that my credentials were wrong. So, after beating my head against the front-line support person's inability to adequately complete this process, I eventually got them to escalate the case to a manager.
Within several minutes of talking to the manager, I was told that the back-end systems team were in the process (for some time now) of changing the MFA systems integration and had simply removed the MFA integration from their live site altogether, until whatever they are working on is fixed/implemented. I was also told that the reason I was not able to sign in to my account was not because the username and password were wrong, but because this error is what you get when trying to sign in to Sophos using Safari. I was only using Safari because the front-line support person and I had agreed that using another browser would be a good idea, in case browser cache issues were contributing to the problem.
On moving back to Google Chrome, I was able to sign in using my usual credentials and reconfigure my MFA.
How can we take Sophos seriously, as a security company, when they are able to so spectacularly screw up something so fundamental as their own authentication systems, for their ID systems?