Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 7 replies
  • Answers 1 answer
  • Subscribers 41 subscribers
  • Views 1499 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Separate MFA field for admin portal login

J_87586

Hello,

I use a password manager, 1Password, to fill my login credentials for the Sophos Firewall admin login page. I have MFA enabled for the admin users, which requires me to add an MFA code each time I login. This is great, and as expected. However, the MFA code is added to the password field, following the password. This is causing several issues as follows:

  • No visual indicator that I need to add the MFA code, which means I need to remember that for this login page I need to do something special. This is not great UX, I should not need to remember that I need to put an MFA code in a special place in the password field, so sometimes I forget, and it takes me longer to login.
    • Due to changes in SFOS 20.0.1 MR-1-Build342 I will be blocked after two failed logins, which will certainly happen due to the point above.
  • The 1Password, password manager, determines that I am changing my password every time I login with a new string in the password field. This is good, expected behaviour on every single other login page, but is absolutely maddening on the Sophos Firewall page because I am not changing my password.

I have scoured for the config setting to change this, to have a third separate field on the login page for the MFA code, but I cannot find how to do it.

How are you managing this? Do you also find this frustrating?

If the option for a third, separate, field for the OTP/MFA/2FA does not currently exist, could such an option be added as a feature request?

Sophos Firewall Admin Login page with username and password fields, but no OTP code field.

Image 1. Sophos Firewall Admin Login page with username and password fields, but no OTP code field.



This thread was automatically locked due to age.
  • 0

    I would recommend to look into Entra ID Integration. 

    This essentially solves this need, as it redirects you to Entra. Entra ID will do the Authentication with you. 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    LuCar, not everyone is keen to use any sort of cloud ID provider, etc. (most of my customers are not, for example).  Raphael, I recommend bringing this up with your reseller so they can put in a feature request, etc.  You can also try creating a feature request via Sophos Support.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Sophos Platinum Partner

    --------------------------------------

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • 0 in reply to LuCar Toni

    Hi , I appreciate the quick reply. As you're a consummate expert on the Firewall, and didn't suggest a config change, I'll assume that their is no way to achieve what we're looking for within the system currently. It looked like a method existed for the Connect client, so I was hopeful that some method exsited for the portal pages.

    We'll certainly look into your suggestion regarding EntraID as a method work around this minor UX deficiency.

  • 0 in reply to BrucekConvergent

    Hello, . Indeed, vetting, licensing, and implementing another solution to remediate a minor UX issue with a current platform is a bit of an ask. Probably not worth the resources on our end, and apparently not worth the resources on Sophos's end.

  • 0 in reply to LuCar Toni

    Hi again, . It looks like a great solution, much better than the authentication on the Sophos Firewall, but I checked-out pricing, and it's cost prohibative as a solution for this poor UX alone. Hopefully we'll get it down the line if another project can justify the resources... it would essentially double our current annual spend with Microsoft.

  • 0 in reply to J_87586

    You do not need to have a specific license for Entra ID.

    Entra ID in the free version can be used. Only if you want the enhanced features like Management of MFA etc. you need an extra license. 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    OK, this is great news. I'll have to dig a little deeper with Microsoft to see how to achieve this.

Unfiltered HTML