At Sophos, our mission is to provide industry-leading cybersecurity solutions that not only protect your business but also afford a simple, streamlined user experience. In line with this commitment, we are thrilled to announce that Sophos Central will support passkey authentication in early November.  

Introducing Passkey Support in Sophos Central 

Within the next few business days, Sophos Central will provide the option to use passkeys as a secure method of authentication. Passkeys are a form of passwordless authentication designed to provide a more robust and user-friendly experience by eliminating the need for traditional passwords. 

How Do Passkeys Work and Why Are They Important? 

Passkeys leverage public key cryptography to offer a high level of security while simplifying the authentication process. Users no longer need to remember complicated passwords or rely on SMS codes, which can be vulnerable to phishing attacks and other security breaches. Instead, a passkey is tied to the user's device and is unlocked locally with biometric identification, such as fingerprint or facial recognition, or a device PIN, with the key material stored securely in the device's hardware.

For Sophos customers and partners, adopting passkeys means: 

  • Stronger security: Passkeys eliminate the risk of password theft and phishing attacks, ensuring that your user accounts are better protected. 
  • Streamlined experience: Users enjoy quicker, hassle-free access to their accounts without the burden of managing passwords or multi-factor authentication (MFA) codes. 
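To make the phishing-resistance claim above concrete, here is an added Go example (not Sophos code) of the relying-party side of a passkey login: the server checks that the response carries the challenge it issued, the origin the browser recorded, and a valid signature from the credential's public key. The RP name `central.example`, the Ed25519 algorithm choice and the placeholder authenticator data are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData mirrors the WebAuthn clientDataJSON fields used here; the browser, not the page, sets Origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
// signedMessage is what the authenticator signs: authenticatorData || sha256(clientDataJSON).
func signedMessage(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	return append(append([]byte{}, authData...), cdHash[:]...)
}
// verifyAssertion is the relying-party check: our challenge, our origin and a valid signature
// under the public key stored at registration. Only public keys are stored server-side.
func verifyAssertion(pub ed25519.PublicKey, wantChallenge, wantOrigin string, authData, cdJSON, sig []byte) error {
	var cd clientData
	if json.Unmarshal(cdJSON, &cd) != nil || cd.Type != "webauthn.get" || cd.Challenge != wantChallenge {
		return fmt.Errorf("malformed clientData, wrong ceremony type or stale challenge")
	}
	if cd.Origin != wantOrigin {
		return fmt.Errorf("origin %q is not %q", cd.Origin, wantOrigin)
	}
	if !ed25519.Verify(pub, signedMessage(authData, cdJSON), sig) {
		return fmt.Errorf("signature invalid")
	}
	return nil
}
// demo runs one login against a constructed RP (not Sophos Central's names) for the origin the browser reports.
func demo(reportedOrigin string) error {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // created at registration; priv never leaves the device
	raw := make([]byte, 16)
	rand.Read(raw)
	challenge := fmt.Sprintf("%x", raw) // fresh per login, so a captured response cannot be replayed
	cdJSON, _ := json.Marshal(clientData{"webauthn.get", challenge, reportedOrigin})
	authData := []byte("constructed-authenticator-data") // stands in for rpIdHash||flags||counter
	sig := ed25519.Sign(priv, signedMessage(authData, cdJSON))
	return verifyAssertion(pub, challenge, "https://central.example", authData, cdJSON, sig)
}
func main() {
	fmt.Println("genuine:", demo("https://central.example"), "lookalike:", demo("https://central-example.com"))
}
```

A production verifier additionally checks the rpIdHash, the user-presence and user-verification flags and the signature counter, which this example leaves out.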

For more information about passkeys, visit the FIDO Alliance website, which provides an in-depth explanation of the goals, principles, and technology behind passkey authentication. 

Retiring SMS and Email+PIN Multi-Factor Authentication Methods 

With the release of passkey authentication, we will also begin to phase out the older and less secure methods of multi-factor authentication (MFA), specifically SMS and Email+PIN. While these methods have served us well in the past, they no longer meet the stringent security standards that today's digital landscape requires. 

Deprecation Timeline and Key Milestones 

Starting now, we are issuing a 90-day notice period to all of our customers and partners regarding the deprecation of SMS and Email+PIN MFA methods. Here’s what you need to know: 

  • Effective immediately: New users will no longer have the option to set up SMS or Email+PIN as their second-factor authentication method. This change applies to all new accounts created from today onward. New users, as well as existing users whose MFA is reset, must enroll with a time-based one-time password (TOTP) authentication app, such as Google Authenticator, Microsoft Authenticator, or Authy, as a second factor. This limitation does not impact existing users: SMS and Email+PIN MFA methods they have already configured will continue to function.
  • February 2025: In February, we will begin actively prompting existing users who are still using SMS or Email+PIN MFA to transition to more secure alternatives. Customers and partners will have the option to migrate to either passkey authentication or a TOTP authentication app as their MFA method. 

We encourage our customers to begin this transition as soon as possible to take advantage of the enhanced security that passkeys provide. 

Why We Are Making These Changes 

The cybersecurity threat landscape continues to evolve, and we must continuously adapt to stay ahead. The decision to introduce passkeys and retire SMS and Email+PIN MFA methods reflects our ongoing commitment to effectively secure Sophos Central accounts, and fulfill the CISA Secure by Design Initiative pledges that we’ve made as a company. 

If you have any questions or need assistance with migrating to passkeys or authentication apps, our support team is here to help.