Sophos Email customers using IP-based mailflow rule connectors must migrate to certificate-based configuration by March 31st. To see if you're affected Click Here.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

2FA Missing on Quarantine Website

We currently use SEA on-premise and restrict the quarantine site to local IPs. I tested the cloud version, but it does not have 2FA on the quarantine site. SSO does not count as 2FA. Both our government regulatory and cyber insurance company have said we cannot use the cloud version since 2FA is not implemented on the quarantine site. Does Sophos plan to put 2FA on the quarantine site? From a security perspective, I am surprised this is not in place. Also restricting login by IP would be great too.

Thank you,


This thread was automatically locked due to age.
Parents Reply Children
  • Hello, 

    PM mentioned that 2FA for the Self-Service Portal is coming in Q4 this year, as it’s currently under development.


    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • Thank you for the update Emmanuel! I wish there was some way the SEA's EOL would last until this happened. Unfortunately, we will have to switch vendors since the SEA ends in July and before 2FA is implemented.

    Thank you for researching this!


  • So if the SSO requires 2FA that doesn't count? If I could deliver it quicker I would be unfortunately that is out of my control. I cannot extend the EOL of SEA beyond the currently listed date. 

  • Hi Tom,

    Thank you for your help and comments! SSO helps simplify the sign-in process where as 2FA is a security process. So SSO isn't a replacement for 2FA. I definitely understand your constraints, and I am sure you appreciate mine. I would prefer that we stay with Sophos for email filtering. I was hoping we could use our XG's email capability, but it is not as advanced as the SEA or EM. I would appreciate any recommendations for a replacement.


  • John, I just spoke with the Product Manager for Central and they have MFA scheduled to be delivered Q4 of this year for multiple areas of the product. I'd say Sept/Oct timeframe. I understand if you can't wait that long but just wanted to let you know.

  • Tom,

    Thank you for the update. I am thinking about purchasing the advanced email filter for our XG and using it until MFA is ready. Unfortunately, the advanced is still less robust on email than the lower end SG. :/ 

    One more ask of the PM...IP restrict login for the quarantine site. Frankly, if it had that, we wouldn't need all the MFA business.


  • What’s the point of being a cloud system if users can’t access it from the cloud? You want users to have to vpn into a corporate network just to access a quarantine? I’m old school but the cloud is here! ZTNA and other controls protect resources. 

    I don’t control the XG products so not the expert on its capabilities. 

  • I hear ya, but our business model and clientele base require utmost security and privacy. When we go to a board meeting and first question asked if we are in the cloud and we say no...huge plus for us. Except for our backup with is encrypted by SafeGuard, also going away, and another FIPS 140-2 method, everything else is kept on site. The number of times that we hear people and businesses being hacked in the O365 Cloud, no way we could risk that. Plus cyber insurance is going to force everything out of the cloud or make it to painful to work in the cloud. So why go to the cloud. Sure, businesses that don't have a need for information security will be fine in the cloud, but those of us that require that, no way. A quarter of our clients are actively moving their data back to onsite. It 's a trade off of risk. The onsite known vs the cloud unknown. many cases it is cheaper once all cost are considered.

  • Sounds like debates I had 7-10+ years ago lol...even the US Govt is moving to the cloud, GovCloud and other FedRAMP services. As for CyberInsurance we work with some Insurance companies. I wouldn't say being on premise prevents the business from being hacked and sure you wouldn't either. Mailbox compromise doesn't care where the server sits, cloud, premise. I've run corporate systems onsite and in the cloud and while companies may bring some services back in house they cannot sustain inhouse for all services, well unless they are not doing payroll, insurance, 401k, travel, salesforce etc.... thanks for the discussion...

  • We know we can be hacked on-site, but it is about a trade off of risk. Ultimately, we do what our clients want and our cyber security insurance policy prices the cloud out.

    Thank you for your comments too.