SOPHOS Central MFA using DUO as MFA authenticator

Hi Francis,

No, this is not helpful. I’ve read quite a bit of the MFA documentation provided by SOPHOS including the link you provided, which is why I opened the support ticket. I’m asking you or someone from your team to confirm that SOPHOS Central can use the DUO authenticator service for ‘push notifications’. This is a YES or NO answer but I’m unable to find this in the SOPHOS documentation.

If the answer is NO, then I’m asking you or someone from your team to confirm that SOPHOS Central can use the DUO authenticator phone app to provide ‘Time-based One Time Security Codes’ to be keyed into the SOPHOS Central login screen for MFA access.

Would you please check with your team or the next level support for answers to these questions. Once you have answers to these questions, I would also appreciate links to the documentation that supports the answers you provided.

Thanks.

Shaun Walter

e: swalter@esmsolutions.com

esmsolutions.com

Hi,

As per further checking, currently, we don't support Duo authentication on our Sophos central. You may refer to this link

Thanks for confirming the current status of DUO support in SOPHOS. Do you know if this is on the roadmap to be added to SOPHOS Central in the near future? 

Please forward my request to add this feature as soon as possible. I'm securing over a dozen services with MFA and asking my users to install 3 different authentication apps to their phone with 3-5 different secured services per app is not sustainable. And having to select a single secured service out of 13 across 3 phone apps is slow, frustrating and unnecessary when push notification is available. 

Thanks. 

Yes, DUO support might be added to the road map for Sophos Central. At the moment, we don't have a timeline for this one.

Been using DUO on central for 3 months now with no hiccups.  

Jeff, thanks for this response. Based on your experience I will give it a try and see if it works for me also. Did you have any difficulty in getting this working?  

Stand by for an update. Much appreciated. 

Jeff, thanks for this response. Based on your experience I will give it a try and see if it works for me also. Did you have any difficulty in getting this working?  

Stand by for an update. Much appreciated. 

No issues getting it working.

Jeff, you're right. I got MFA enabled in SOPHOS Central with DUO authenticator just fine. No problems.

After using the super admin account to enable MFA for my personal admin account in SOPHOS Central, I logged in to my personal admin account, entered the security code sent to my email inbox and chose a 4-digit PIN as requested. For Authentication Type, only "SMS Text Message" and "Sophos/Google Authenticator" options are listed. To use DUO authenticator, select "Sophos/Google Authenticator". Using the DUO authenticator phone app, scan the QR code and then  save the entry on the DUO authenticator phone app. Then enter the security code for the new entry from your phone into the SECURITY CODE field in the SOPHOS dialog box and give the Phone device a name "DUO on {your name} phone". Once more I was prompted to enter the security code from the DUO authenticator app on my phone to the SOPHOS dialog box and that completed the process.

It seems that choosing "Sophos/Google Authenticator" in SOPHOS allows you to use DUO authenticator (or possibly other authenticator phone apps) as long as the phone authenticator app is Time-based One Time Passcode based.

Thanks for the suggestion. Much appreciated. 

DUO supports a time based OTP (TOTP), which works fine. But commonly known, people reference to the "push" service MFA as DUO. This is not supported: Send me a push notification in DUO, which i can accept to get a logging to Central.

But the TOTP part should work fine for those services.