I had a problem logging into Sophos Central as my authenticator code would not be accepted and I was blocked for 30 minutes. This has worked normally up to this week. I am not sure at which date exactly I last logged in successfully, but normally it is weekly.
I contacted Sophos Support and the answer was to wait for the 30 minutes to pass and try again. I tried again but this time I clicked Change MFA method and noticed I had 4 options:
- Sophos/Google Authenticator
- Sophos/Google Authenticator
- Email my email address
- Phone and model
The authenticator code that works is the Phone and model one. So I removed the 2 Sophos/Google Authenticator entries and now I can log in normally.
I contacted Sophos Support again with the question where these duplicate Sophos/Google Authenticator entries came from and with the question if my credentials were compromised. According to Sophos my credentials were not compromised, but I know I did not add additional MFA authenticator apps to my login without specifying a name (which gives Sophos/Google Authenticator as the default name), so I asked for an explanation.
I changed my password and MFA.
I have not heard from Sophos Support yet.
Anyone else had similar issues recently?
I checked the audit log and somehow the MFA event ID only occurred yesterday. Logs are only kept for 2 months and don't have originating IP addresses or other useful forensic data.
I received a rather strange answer from Sophos Support: “For my understanding, the two authenticators were just added for you to be informed that there are other MFA methods you can choose from aside from your first two preferences.”
Now, is she saying that Sophos added two additional One-Time-Password secret keys to my MFA methods without informing me of them?
I don't think that is logical. I personally have a feeling that they are leftover MFA keys from older phones I used in the past that were replaced during a phone migration to a newer model. As the default somehow was always the latest added, I never noticed or ran into a problem. Somehow that default was changed yesterday, after which I was entering the wrong MFA code, not corresponding with the MFA method Sophos was now using as the default. I do not believe that someone with access to my computer (it has a screen lock) would have added the 2 MFA keys, as that also requires the password to log in.
Thank you for reaching out to the community forum. By any chance, will you be able to provide the case ID if there is any? I'm not aware of any automatic adding of the authenticator method, so we may need to further check on this internally to see if any changes are being made on the backend.
The case is 05692033. I believe that support is mistaken and that these are leftover MFAs of previous smartphones I used, accumulated over the years when moving to a new phone. The problem probably arose due to a change in the default order of the MFA methods. I am hard pressed to believe that the account was somehow compromised.
Sadly enough the logs don't show enough data.