2FA Missing on Quarantine Website

Hello there,

Thank you for contacting the Sophos Community.

I will contact our PM team about this and get back to you by Monday, 29 End of the day.

Regards,

Thank you Emmanuel!!

Hello, 

PM mentioned that 2FA for the Self-Service Portal is coming in Q4 this year, as it’s currently under development.

Regards,

Thank you for the update Emmanuel! I wish there was some way the SEA's EOL would last until this happened. Unfortunately, we will have to switch vendors since the SEA ends in July and before 2FA is implemented.

Thank you for researching this!

John

So if the SSO requires 2FA that doesn't count? If I could deliver it quicker I would be unfortunately that is out of my control. I cannot extend the EOL of SEA beyond the currently listed date. 

Hi Tom,

Thank you for your help and comments! SSO helps simplify the sign-in process where as 2FA is a security process. So SSO isn't a replacement for 2FA. I definitely understand your constraints, and I am sure you appreciate mine. I would prefer that we stay with Sophos for email filtering. I was hoping we could use our XG's email capability, but it is not as advanced as the SEA or EM. I would appreciate any recommendations for a replacement.

John

Hi Tom,

Thank you for your help and comments! SSO helps simplify the sign-in process where as 2FA is a security process. So SSO isn't a replacement for 2FA. I definitely understand your constraints, and I am sure you appreciate mine. I would prefer that we stay with Sophos for email filtering. I was hoping we could use our XG's email capability, but it is not as advanced as the SEA or EM. I would appreciate any recommendations for a replacement.

John

John, I just spoke with the Product Manager for Central and they have MFA scheduled to be delivered Q4 of this year for multiple areas of the product. I'd say Sept/Oct timeframe. I understand if you can't wait that long but just wanted to let you know.

Tom,

Thank you for the update. I am thinking about purchasing the advanced email filter for our XG and using it until MFA is ready. Unfortunately, the advanced is still less robust on email than the lower end SG. :/ 

One more ask of the PM...IP restrict login for the quarantine site. Frankly, if it had that, we wouldn't need all the MFA business.

John

What’s the point of being a cloud system if users can’t access it from the cloud? You want users to have to vpn into a corporate network just to access a quarantine? I’m old school but the cloud is here! ZTNA and other controls protect resources. 

I don’t control the XG products so not the expert on its capabilities. 

I hear ya, but our business model and clientele base require utmost security and privacy. When we go to a board meeting and first question asked if we are in the cloud and we say no...huge plus for us. Except for our backup with is encrypted by SafeGuard, also going away, and another FIPS 140-2 method, everything else is kept on site. The number of times that we hear people and businesses being hacked in the O365 Cloud, no way we could risk that. Plus cyber insurance is going to force everything out of the cloud or make it to painful to work in the cloud. So why go to the cloud. Sure, businesses that don't have a need for information security will be fine in the cloud, but those of us that require that, no way. A quarter of our clients are actively moving their data back to onsite. It 's a trade off of risk. The onsite known vs the cloud unknown. Plus...it many cases it is cheaper once all cost are considered.

Sounds like debates I had 7-10+ years ago lol...even the US Govt is moving to the cloud, GovCloud and other FedRAMP services. As for CyberInsurance we work with some Insurance companies. I wouldn't say being on premise prevents the business from being hacked and sure you wouldn't either. Mailbox compromise doesn't care where the server sits, cloud, premise. I've run corporate systems onsite and in the cloud and while companies may bring some services back in house they cannot sustain inhouse for all services, well unless they are not doing payroll, insurance, 401k, travel, salesforce etc.... thanks for the discussion...

We know we can be hacked on-site, but it is about a trade off of risk. Ultimately, we do what our clients want and our cyber security insurance policy prices the cloud out.

Thank you for your comments too.

Good morning Tom,

Do you know if this is still on schedule?

Thank you,

John

Last I spoke with the Central Product Management team (2 weeks ago) it was on schedule for Q4 of this year. If I hear otherwise I will post.

Thank you.