Disclaimer: Please contact Sophos Professional Services if you require assistance with your specific environment.
The aim of this Recommended Read is to demonstrate the following
Under CONFIGURE > Authentication > Multi-factor authentication, then select the following
To get the Multi-factor code, access the "UserPortal" page, then log in with the user account that was used in the previous step.Upon Login, you’ll receive a QR code that needs to be scan by the User's Authenticator.
Kindly see the reference for a List of 3rd-Pary Authenticators
Note: Sophos Authenticator reached the End of Life (EOL) on July 31, 2022. Users must use another authenticator application, such as the authenticator feature of Sophos Intercept X, Google Authenticator, or any other third-party application.
On Playstore, search for the application – “Sophos Intercept X for Mobile” and install
Once installed, open the application and swipe from left to right. You’ll see the first option:“ Authenticator.” Click Authenticator, and on the bottom right, you’ll have the option to add > Scan QR code > on the user portal QR code page
*For Apple Devices, Kindly download on AppStore and Install
Once Scanned, it will immediately generate 6-digit pin, as displayed in screenshot below:And then click Proceed to login option on the top left on the user portal page:Login with your credentials, and on the password follow with the 6-digit pin displayed on your authenticator app, as illustrated in the screenshot below:
You’ll be logged into the user portal:You can also check Issued tokens under the MFA section > Issued tokens
considering the following settings: #Default token timestep - 30s -->> Meaning this is a token/OTP validity before it regenerates on your Sophos, G-Auth or Microsoft authenticator. #Maximum verification code offset - 3 -->> timesteps an earlier or later verification code remains valid. For example, if you specify a value of 3 and the timestep is 30 seconds, the client can use any passcode from the previous 90 seconds or the subsequent 90 seconds as long as the code wasn’t already used. [Number of passcodes outside of defined timestep that will be accepted] #Maximum initial verification code offset: - 10.>> The maximum number of timesteps by which the clock of a token can drift between clients and server for the first sign-in only. This means if you set 10 steps, you'll restrict the clock of a token to drift no more than 10 seconds between two logins.
In the first authentication process, the token will be out of sync in an extreme way. Here admin can configure how many offset passcodes can be accepted. After successful authentication, the offset is aligned, which means that the next passcode of the token will be in-sync.
I hope this article has helped you achieve your requirement and clarified your doubts!