It took a little while to grow on me; however, having to get a text code multiple times a day to be able to log into SOPHOS Central on my own computer is just delightful. I didn't think I'd like it at first; however, now I find myself wishing that I could be required to enter a text code every time I send an email or do a Google search. I see no reason that other 2FA systems let you trust a device so you don't need to get a text so often. They are only causing their customers to miss out on the pure joy of waiting for that text to ding in on their phone...
2FA via text message is more secure than nothing, but less secure than any other 2FA. 2FA that trusts your browser indefinitely because you once answered a single question correctly is maybe more or less secure than that. Sophos Central holds the keys to potentially hundreds of security devices that you are trusted to manage.
Why not just stay logged in to Sophos Central indefinitely? I don't think it times out, and that's probably just as secure -- and faster, since that's what matters most -- as a cookie.
What about Federated Sign In Using something like Azure AD?
Thanks for reaching out.
If you don’t wish to wait for a 2FA code to be received each time, you can also use something like Google Authenticator or the Sophos Intercept X Mobile application so that a code is ready for you to use each time you need to log in.
If you'd like to see a feature implemented that allows Sophos Central to remember your device, I suggest reaching out to your Account Manager so that your thoughts can be shared with our product teams for further consideration.
2FA is fine. However there should be an option to trust a browser or a device for at least a period of time. Perhaps a week at minimum. If I stayed logged in, indefinitely, I'd be skipping security updates by not rebooting. That's not better.
That might be handy, I'll look into that.
Waiting for a text is not the issue. Google Authenticator is no quicker. Requiring a code at every login is far too cumbersome. 2FA is necessary, and a great thing, but this is a punitive implementation of it. Security is always a balance of usability versus protection. The only way to fully protect a system is to unplug its network connection and turn it off; however, then it serves no purpose. There should be a better balance, and trusting a device is a good way of doing it. Even just a temporary weekly or monthly trust of a device.
Usually I'll be logged into Central all day. So I need 2FA ~1 time per day. It's OK for me. Central gives you so much power over all your machines with live response and so on; personally I would not like the idea that a hacked admin PC is trusted just by its browser cookies or UUID. But I can understand your concern and that it's somewhat annoying to repeat this multiple times a day.