With the growing threat of external attacks aimed at compromising privileged accounts, Multi-Factor Authentication (MFA) provides a critical layer of security to significantly reduce the chances of a security breach. MFA ensures that only authorized users and administrators can gain access to mission-critical accounts, computers, and other sensitive resources, even in the event where an attacker gains access to a password.
Note: New MFA messaging is displayed in the Central dashboard.
This knowledge base article outlines the importance of MFA and covers some of the various factors that can be used.
The following sections are covered:
Applies to the following Sophos products and versions
Sophos Central
Sophos XG Firewall
Sophos UTM
While Sophos highlights the benefits of having a strong password, we also highly recommend pairing strong passwords with MFA as it's an important tool that drastically decreases the risk of identity fraud.
When a machine is compromised, there is potential for sensitive information such as passwords to be leaked. This also introduces the additional risk of hackers accessing privileged accounts and exposing the entire network to attacks.
For Sophos Central customers, turning on MFA can be done by following the steps in Sophos Central Admin: How to enroll in Multi-Factor Authentication. For other Sophos products such as UTM and XG Firewall, take a look at the knowledge base articles Sophos UTM: Two-factor authentication with Duo Security and Sophos XG Firewall: How to configure one-time password (OTP).
MFA mitigates this threat by providing an additional layer of protection: users can only authenticate after successfully presenting two or more authentication factors, so a would-be attacker who holds only the password is still locked out.
There are different types of MFA systems, but methods usually include the user's password along with the additional factor of:
Users are prompted to enter an additional numeric code after first authenticating with their username and password. This code is sent to their mobile device as a text message (SMS).
Software-based tokens, usually implemented through mobile device applications.
Authenticator applications provide the same type of service as SMS, but instead of login codes being sent by text message, they are generated locally on the user's smartphone or tablet. This type of authentication relies on cryptographic algorithms for time-based one-time passwords (TOTP).
Instead of being prompted to enter a code, users receive a login notification request on their mobile device and can only log in successfully after approving that request.
Benefits for both of these methods include:
This factor is similar in that it prompts users to provide a login code; however, the code is generated on a dedicated physical device that is separate from the user's computer, phone, or tablet.