Sophos Ideas / SG UTM

SG UTM

Suggest, discuss, and vote on new ideas for SG UTM. The ultimate network security package.

Suggest an Idea...

← SG UTM

Add optional PIN entry field for two-factor authentication

There are really two big issues I have with the two factor authentication implementation. The first is that no where in the setup for the user is there any information or instruction as how to use two factor authentication. Every other two factor authentication that I have used has had a separate box for putting in the random code. I only learned about how to properly use two factor authentication after calling support and being informed that I needed to append the randomly generated code to the end of my password to which I say "Really! and you arn't going to inform the user of this anywhere!" Also the second issue I have is that there is if you set this up for the SuperUser accounts and somehow do not have access any longer to the authentication app there is no secondary recovery method outside of having another SuperAdmin account. There needs to be a recovery option such as email recovery of the authentication info when lost. Please Please Please fix this as I will have no end of user complaints on how to actually use this as its not user friendly at all!

26 votes
Sign in Sign in with: Log in with your Sophos ID
Signed in as (Sign out)
Close
Close

We’ll send you updates on this idea

Andrew Engel shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

2 comments

Sign in Sign in with: Log in with your Sophos ID
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Donna commented  ·   ·  Flag as inappropriate

    I would also like another window for a pin so that it is not difficult for users. Is there any plans of Sophos changing the process and asking for the pin in a separate window after they login with their credentials. It seems that this is the standard procedure for two factor authenication.

  • AdminAlan (Sr. Product Manager, Sophos Features & Ideas Laboratory) commented  ·   ·  Flag as inappropriate

    Appending the pin onto the end of the password is a fairly standard entry method, but I agree there could be some better documentation around its use.

    Keep in mind that 2fa can be enabled selectively for various users, so adding a separate pin entry field could be equally confusing for users not enabled for two factor authentication. Also, as Yes indicates, showing a separate pin field when 2fa is enabled reveals information about the security settings of the device, which is not desirable to many users. While I somewhat agree with your points, I've renamed this feature request to make the subject more descriptive, and less opinionated.

    As for locking admins being locked out of the web interface by enabling 2fa for webadmin access, there are some strategies you can use to minimize risk. First, you can currently generate a list of one-time use pins per user, that may be used if a user loses or forgets their phone. If you are using 2fa for webadmin access, I would recommend pre-generating these tokens, and storing one or two of them securely somewhere outside the UTM.
    Alternately, create a separate account, which uses a very long and random password, which does not have 2fa enabled for it, and may be used in emergencies. Finally, our knowledgebase does have options on resetting passwords in the event of a lockout. If you have direct console access to your UTM, it is possible to recover access.

SG UTM: Authentication

Categories

Feedback and Knowledge Base

(thinking…)
icon-data-protection icon-endpoint-protection icon-phish-threat icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-mobile icon-sophos-utm icon-sophos-utm icon-sophos-utm icon-web-appliance icon-xg-firewall icon-xg-firewall icon-avid-secure icon-lightbulbCreated with Sketch.