At Sophos, our mission is to provide industry-leading cybersecurity solutions that not only protect your business but also afford a simple, streamlined user experience. In line with this commitment, we are thrilled to announce that Sophos Central will support passkey authentication in early November.  

Introducing Passkey Support in Sophos Central 

As of November 7th 2024, Sophos Central will provide the option to use passkeys as a secure method of authentication. Passkeys are a form of passwordless authentication designed to provide a more robust and user-friendly experience by eliminating the need for traditional passwords. 

How do Passkeys Work and Why are they Important? 

Passkeys leverage public key cryptography to offer a high level of security while simplifying the authentication process. Users no longer need to remember complicated passwords or rely on SMS codes, which can be vulnerable to phishing attacks and other security breaches. Instead, passkeys are tied to a user's device and are unlocked by local verification on that device, such as fingerprint recognition, facial recognition, or a PIN, with the key material securely stored on the device hardware.

For Sophos customers and partners, adopting passkeys means:

  • Stronger security: Passkeys eliminate the risk of password theft and phishing attacks, ensuring that your user accounts are better protected. 
  • Streamlined experience: Users enjoy quicker, hassle-free access to their accounts without the burden of managing passwords or multi-factor authentication (MFA) codes. 

For more information about passkeys, visit the FIDO Alliance website, which provides an in-depth explanation of the goals, principles, and technology behind passkey authentication.

Retiring SMS and Email+PIN Multi-Factor Authentication Methods 

With the release of passkey authentication, we will also begin to phase out the older and less secure methods of multi-factor authentication (MFA), specifically SMS and Email+PIN. While these methods have served us well in the past, they no longer meet the stringent security standards that today's digital landscape requires. 

Deprecation Timeline and Key Milestones 

Starting now, we are issuing a 90-day notice period to all of our customers and partners regarding the deprecation of SMS and Email+PIN MFA methods. Here’s what you need to know: 

  • Effective immediately: New users will no longer have the option to set up SMS or Email+PIN as their second-factor authentication method. This change applies to all new accounts created from today onward. New users, as well as existing users whose MFA is reset, must enroll with a time-based one-time password (TOTP) authentication app, such as Google Authenticator, Microsoft Authenticator, or Authy, as a second factor. This limitation does not impact existing users: SMS and Email+PIN MFA methods that existing users have already configured will continue to function.
  • February 2025: In February, we will begin actively prompting existing users who are still using SMS or Email+PIN MFA to transition to more secure alternatives. Customers and partners will have the option to migrate to either passkey authentication or TOTP authentication app MFA methods.

We encourage our customers to begin this transition as soon as possible to take advantage of the enhanced security that passkeys provide. 

Why We Are Making These Changes 

The cybersecurity threat landscape continues to evolve, and we must continuously adapt to stay ahead. The decision to introduce passkeys and retire SMS and Email+PIN MFA methods reflects our ongoing commitment to effectively secure Sophos Central accounts, and fulfill the CISA Secure by Design Initiative pledges that we’ve made as a company. 

Please review the Sophos Central Authentication documentation for details on setting up passkeys.

If you have any questions or need assistance with migrating to passkeys or authentication apps, our support team is here to help. 

Comments
  • I agree with Jim on this one. The original concept of 2FA as: "Something you know and something you have," has been supplanted by a MICROSOFT-based initiative toward passwordless authentication in many forms (most of which seem to have more open vulnerabilities than the original 2FA concept inspired by RSA).

    In my experience, making something "easier," by design, makes it less secure.

  • Passkeys are an industry standard, not a Microsoft thing. It's supported on all the latest OSes (Windows, macOS, Android, iOS, Chrome OS, and I'm sure there are apps on Linux for it). It's like the physical security keys, but uses the TPM on your PC or phone instead. There's still 2 factors, Something You Have (your device) and either Something You Are (your fingerprint/face) or Something You Know (your computer password or phone PIN). It's similar to the card readers you might get for your online banking - your debit card has a security chip inside and when you enter the code from your bank and your card PIN, it generates a code to enter into the bank website.

    SMS is the weakest form of 2FA as it can be intercepted (see a recent Veritasium video on that if you want to know more), TOTP (Google Authenticator, etc, which Sophos are still supporting) is better, but can still fall prey to phishing attacks with a fake 2FA screen. Passkeys protect against that as they will only ever talk to the real website, and human weaknesses aren't able to weaken the security.