Add optional PIN entry field for two-factor authentication
There are really two big issues I have with the two-factor authentication implementation. The first is that nowhere in the setup for the user is there any information or instruction as to how to use two-factor authentication. Every other two-factor authentication that I have used has had a separate box for putting in the random code. I only learned how to properly use two-factor authentication after calling support and being informed that I needed to append the randomly generated code to the end of my password, to which I say "Really! And you aren't going to inform the user of this anywhere!" The second issue I have is that if you set this up for the SuperUser accounts and somehow no longer have access to the authentication app, there is no secondary recovery method outside of having another SuperAdmin account. There needs to be a recovery option such as email recovery of the authentication info when lost. Please, please, please fix this, as I will have no end of user complaints on how to actually use this, as it's not user friendly at all!

2 comments
-
Donna commented
I would also like another window for a PIN so that it is not difficult for users. Are there any plans of Sophos changing the process and asking for the PIN in a separate window after they log in with their credentials? It seems that this is the standard procedure for two-factor authentication.
-
Appending the PIN onto the end of the password is a fairly standard entry method, but I agree there could be some better documentation around its use.
Keep in mind that 2FA can be enabled selectively for various users, so adding a separate PIN entry field could be equally confusing for users not enabled for two-factor authentication. Also, as Yes indicates, showing a separate PIN field when 2FA is enabled reveals information about the security settings of the device, which is not desirable to many users. While I somewhat agree with your points, I've renamed this feature request to make the subject more descriptive and less opinionated.
As for admins being locked out of the web interface by enabling 2FA for WebAdmin access, there are some strategies you can use to minimize risk. First, you can currently generate a list of one-time-use PINs per user that may be used if a user loses or forgets their phone. If you are using 2FA for WebAdmin access, I would recommend pre-generating these tokens and storing one or two of them securely somewhere outside the UTM.
Alternately, create a separate account which uses a very long and random password, which does not have 2FA enabled for it, and may be used in emergencies. Finally, our knowledgebase does have options on resetting passwords in the event of a lockout. If you have direct console access to your UTM, it is possible to recover access.
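To make the two mechanisms discussed in this thread concrete (the "password with the code appended" login field, and the pre-generated one-time backup PINs), here is an added, self-contained Python example of how a server can handle such a combined field. It is illustration code written for this page, not Sophos code, and it does not describe how the UTM implements this internally. Assumptions are labelled in the comments: 6-digit, 30-second TOTP codes (the RFC 6238 defaults), 10-character hex backup codes appended the same way, a one-step clock tolerance, and PBKDF2 for the password hash. The TOTP secret used in the demo is the RFC 4226/6238 test key, so the codes can be checked against the RFC test vectors.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

TOTP_DIGITS = 6         # assumption: 6-digit codes with a 30 s step (RFC 6238 defaults)
TOTP_STEP = 30
BACKUP_LEN = 10         # assumption: one-time backup codes are 10 hex characters
PBKDF2_ROUNDS = 100_000


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step."""
    return hotp(secret, unix_time // step, digits)


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _hash_backup(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()


def create_user(password: str, totp_secret: bytes, backup_count: int = 10):
    """Return (user record, plaintext backup codes). Only hashes of the codes are stored;
    the plaintext list is what the admin prints and keeps outside the device."""
    salt = secrets.token_bytes(16)
    codes = [secrets.token_hex(BACKUP_LEN // 2) for _ in range(backup_count)]
    user = {
        "salt": salt,
        "pw_hash": _pw_hash(password, salt),
        "totp_secret": totp_secret,
        "totp_enabled": True,
        "backup_hashes": {_hash_backup(c) for c in codes},
        "last_counter": -1,   # highest TOTP counter already accepted (replay protection)
    }
    return user, codes


def _password_ok(user: dict, password: str) -> bool:
    return hmac.compare_digest(_pw_hash(password, user["salt"]), user["pw_hash"])


def verify_login(user: dict, entered: str, now: Optional[int] = None) -> bool:
    """Verify a single login field. Without 2FA the field is just the password; with 2FA the
    server strips a fixed-length suffix (TOTP or backup code) and checks both parts. The split
    is by length, so a password that itself ends in digits is not a problem."""
    now = int(time.time()) if now is None else now
    if not user["totp_enabled"]:
        return _password_ok(user, entered)

    # Path 1: password followed by a 6-digit TOTP, accepted within +/- one time step.
    if len(entered) > TOTP_DIGITS and entered[-TOTP_DIGITS:].isdigit():
        password, code = entered[:-TOTP_DIGITS], entered[-TOTP_DIGITS:]
        if _password_ok(user, password):
            base = now // TOTP_STEP
            for counter in (base - 1, base, base + 1):
                if counter > user["last_counter"] and hmac.compare_digest(
                        hotp(user["totp_secret"], counter), code):
                    user["last_counter"] = counter   # each code is accepted at most once
                    return True

    # Path 2: password followed by a one-time backup code; the code is consumed on use.
    if len(entered) > BACKUP_LEN:
        password, code = entered[:-BACKUP_LEN], entered[-BACKUP_LEN:]
        digest = _hash_backup(code)
        if _password_ok(user, password) and digest in user["backup_hashes"]:
            user["backup_hashes"].discard(digest)
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 test key; at T=59 the 8-digit vector is 94287082, so the 6-digit code is 287082.
    key = b"12345678901234567890"
    user, backup_codes = create_user("hunter2", key)
    print("TOTP at T=59:", totp(key, 59))
    print("login ok:", verify_login(user, "hunter2" + totp(key, 59), now=59))
    print("replay ok:", verify_login(user, "hunter2" + totp(key, 59), now=59))
    print("backup ok:", verify_login(user, "hunter2" + backup_codes[0], now=59))
```

Two points this makes visible that the thread only states: the server can only split the field correctly because it already knows per user whether 2FA is on, which is exactly why a combined field hides that setting while a separate PIN box reveals it; and the backup PINs are useful as a lockout escape only if their hashes are stored and each one is discarded the first time it is accepted.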