SOPHOS Babysitting Strikes Again!

Monday I was unable to get into my SOPHOS Central account. My code was not being delivered to my cellphone via SMS. I tried for hours... and no success. I needed to get in to make an adjustment to my Endpoint policies.

This has happened once before, and I had to call into customer care. The only way customer care was able to solve this issue last time this happened was to reset my MFA. After they did that... and I re-enrolled, SMS immediately started working again. So the SMS issue was on the SOPHOS side.

Monday (yesterday)... I called in, just like the time before, and customer care did the same thing (reset my MFA enrollment), only this time I can't re-enroll SMS. It has been disabled.

So it gets escalated and I'm told by a senior that "SMS is fully functional for admins who have that configured as their primary method". Mine was not fully functional (or functional at all)... and the last time it stopped working, resetting my MFA enrollment is what fixed it. However... the senior ALSO said that "new enrollments" cannot have SMS set up.

So here's the scheme...

SOPHOS wants to eliminate SMS MFA. They want to pretend they are not forcing existing customers off it (because that would be negatively received), so, they say "SMS is fully functional for admins who have that configured as their primary method". However they then break SMS for those customers that are using it (without telling them), requiring a reset of MFA Enrollment to fix it... and then they tell you afterwards, that "new enrollments" cannot have SMS set up. Very clever and underhanded.

Now why would SOPHOS want to get rid of SMS???

- One reason is due to its "susceptibility to phishing". A scammer can call me or text me to ask for my Authenticator Code too, so that's no different. I'm responsible for my level of risk I wish to take, and for my level of knowledge of scams... that's my job to manage, not SOPHOS. SOPHOS' job is to give me a flexible tool to let me run my business my way.

- Another reason they gave me is that "there was an incident of SMS pumping attacks which was the reason why the SMS MFA is removed as an authentication method". You don't have to research very far to find many methods SOPHOS could employ to mitigate SMS pumping, and you'd think if there was a security company that could negate an SMS pumping issue like this, SOPHOS would be the one, however... it seems that they are either not interested, not able, or both.

So they say you can keep your SMS if you already have it... then they break it so you need an MFA Re-Enrollment to fix it, and then they say you can't have it back. Real nice.

Whatever you think about SMS MFA... this is underhanded behavior. And it's old hat too, as SOPHOS continues to tell their professional customer base, "We know what's best for you, and how you should run your network" and "We will tell you how we will allow you to do things after we take your money, and we'll change the product afterwards to be less functional and feature rich than it was when you bought it, without notice, and causing you downtime".

We don't need a babysitter SOPHOS. We need a product that is feature-rich, that allows US, your network\technical customer base, to manage and run our networks the way WE want to. Not the way YOU think we should.

  • I would just like to update my post... to say that I recognize there is probably a more productive way of communicating on the forum, and while I didn't use profanity and attack individuals, there are more productive ways to communicate for sure. That said... after considering my latest 3 posts... there is a better way to express them if the goal is to improve... and that is the goal... so I'm going to aim for more productive.