At Sophos, our mission is to provide industry-leading cybersecurity solutions that not only protect your business but also afford a simple, streamlined user experience. In line with this commitment, we are thrilled to announce that Sophos Central will support passkey authentication in early November.  

Introducing Passkey Support in Sophos Central 

As of November 7th 2024, Sophos Central will provide the option to use passkeys as a secure method of authentication. Passkeys are a form of passwordless authentication designed to provide a more robust and user-friendly experience by eliminating the need for traditional passwords. 

How do Passkeys Work and Why are they Important? 

Passkeys leverage public key cryptography to offer a high level of security while simplifying the authentication process. Users no longer need to remember complicated passwords or rely on SMS codes, which can be vulnerable to phishing attacks and other security breaches. Instead, passkeys are tied to a user’s device and require biometric identification such as fingerprint recognition, facial recognition, or PINs that are securely stored on their hardware.  

For Sophos customers and partners, adopting passkeys means: 

  • Stronger security: Passkeys eliminate the risk of password theft and phishing attacks, ensuring that your user accounts are better protected. 
  • Streamlined experience: Users enjoy quicker, hassle-free access to their accounts without the burden of managing passwords or multi-factor authentication (MFA) codes. 

For more information about passkeys, visit the FIDO Alliance website, which provides an in-depth explanation of the goals, principles, and technology behind passkey authentication. 
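A minimal model of the challenge-response behind a passkey login, added here as an illustration and not Sophos Central's code: the relying party issues a fresh challenge, the browser records the origin it actually loaded, the device signs both with a private key that never leaves it, and the server accepts only assertions made for its own origin, which is what defeats a look-alike phishing site and credential replay. Origins such as `https://rp.example` are constructed; real WebAuthn assertions also carry authenticator data, an RP ID hash and a signature counter, which this sketch omits.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// clientData: the server's fresh challenge plus the origin the browser observed.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

func digest(b []byte) []byte { h := sha256.Sum256(b); return h[:] }

// Enroll models registration: the device makes a key pair; the relying party keeps only the public half.
func Enroll() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// Sign models the authenticator answering a login with its device-bound private key.
func Sign(priv *ecdsa.PrivateKey, challenge, origin string) (cd, sig []byte, err error) {
	if cd, err = json.Marshal(clientData{Challenge: challenge, Origin: origin}); err != nil {
		return nil, nil, err
	}
	sig, err = ecdsa.SignASN1(rand.Reader, priv, digest(cd))
	return cd, sig, err
}

// Verify is the relying party's check: the challenge it issued (no replay), its own
// origin (a phishing page cannot relay the assertion), and a signature under the registered key.
func Verify(pub *ecdsa.PublicKey, origin, challenge string, cd, sig []byte) error {
	var got clientData
	if err := json.Unmarshal(cd, &got); err != nil {
		return err
	}
	if got.Challenge != challenge {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if got.Origin != origin {
		return errors.New("origin mismatch: assertion was made for " + got.Origin)
	}
	if !ecdsa.VerifyASN1(pub, digest(cd), sig) {
		return errors.New("signature does not verify under the registered key")
	}
	return nil
}
```

Because the origin in the signed data is supplied by the browser rather than by the page, an assertion obtained through a look-alike domain fails the origin check on the real server even though the user "logged in" successfully on the fake one.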

Retiring SMS and Email+PIN Multi-Factor Authentication Methods 

With the release of passkey authentication, we will also begin to phase out the older and less secure methods of multi-factor authentication (MFA), specifically SMS and Email+PIN. While these methods have served us well in the past, they no longer meet the stringent security standards that today's digital landscape requires. 

Deprecation Timeline and Key Milestones 

Starting now, we are issuing a 90-day notice period to all of our customers and partners regarding the deprecation of SMS and Email+PIN MFA methods. Here’s what you need to know: 

  • Effective immediately: New users will no longer have the option to set up SMS or Email+PIN as their second-factor authentication method. This change applies to all new accounts created from today onward. New users, as well as existing users whose MFA is reset, must enroll with a time-based one-time password (TOTP) authentication app, such as Google Authenticator, Microsoft Authenticator, or Authy, as a second factor. SMS and Email MFA methods that existing users have already configured will continue to function; this limitation does not impact existing users.
  • February 2025: In February, we will begin actively prompting existing users who are still using SMS or Email+PIN MFA to transition to more secure alternatives. Customers and partners will have the option to migrate to either passkey authentication or TOTP authentication app MFA methods. 
  • May 1, 2025: SMS and Email+PIN MFA will no longer be supported. Admins who are still using these methods will be required to reconfigure to passkey authentication or TOTP authentication app MFA methods upon login. 

We encourage our customers to begin this transition as soon as possible to take advantage of the enhanced security that passkeys provide. 

Why We Are Making These Changes 

The cybersecurity threat landscape continues to evolve, and we must continuously adapt to stay ahead. The decision to introduce passkeys and retire SMS and Email+PIN MFA methods reflects our ongoing commitment to effectively secure Sophos Central accounts, and fulfill the CISA Secure by Design Initiative pledges that we’ve made as a company. 

Please review the Sophos Central Authentication documentation for details on setting up passkeys.

If you have any questions or need assistance with migrating to passkeys or authentication apps, our support team is here to help. 

Comment
  • Using Passkey with a Linux desktop is a step backwards compared to previous MFA methods. This is because in practice I have to enter two passwords: the first for the common login and the second to enable access to the passkey mechanism. But since both are entered on the same device, and there is only one factor, "knowledge", this is less secure compared to, for example, OTP. So there isn't much protection against locally running malware ... 

Children
  • Passkey is indeed a two-factor auth method. Authentication requires something you know / are, a password / biometric for your chosen authenticator, and something you have, the authenticator itself (securely maintaining the private key part of the passkey).

    Passkeys are more secure than passwords + 2fa with the primary security benefits being that they are not phishable or susceptible to credential stuffing attacks. 

    If you've selected passkey auth, you no longer have to enter a Central account password. If this is what you are experiencing, please open a case with our support team. They can help. 

  • As Jonathan_jesse already pointed out, the second factor is possession of your Linux machine. A person who knows your password trying to access the Sophos site from another machine will not have access because they lack that second factor. Just as possession of the OTP token is a second factor (which is really possession of the cryptographic seed for the number generator) possession of the Linux laptop (actually the cryptographic key stored on it) is the second factor of the passkey. Just because the verification of that passkey key doesn't require interaction from you doesn't mean it is not happening.