Sophos Connect MFA Patched Today

Enabling TOTP on the firewall's local user database is the most straightforward method for XG/XGS users. The user scans a QR code with an authenticator app, and Sophos Connect then prompts for the password and the one-time code concatenated in a single "Password + OTP" field (e.g., MyPassword123456, where 123456 is the current six-digit code).
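As an added illustration (not Sophos code, and not a description of how the firewall implements it internally), the following Python shows what a server must do to validate a single "Password + OTP" field like the one above: split off the trailing six digits, compare the password in constant time, verify the TOTP per RFC 6238 within a small clock-skew window, and refuse a code whose time step has already been accepted (replay). The shared secret and timestamps are the published RFC 6238 test vectors; the user name and stored password are constructed for the example.

```python
import hashlib
import hmac
import struct

STEP = 30      # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6     # code length shown by the authenticator app

# RFC 6238 Appendix B test secret for the HMAC-SHA1 variant (not a real seed).
RFC_SECRET = b"12345678901234567890"


def totp(secret: bytes, timestamp: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix timestamp."""
    counter = timestamp // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def split_password_otp(combined: str, digits: int = DIGITS):
    """Split 'MyPassword123456' into ('MyPassword', '123456'); None if malformed."""
    if len(combined) <= digits or not combined[-digits:].isdigit():
        return None
    return combined[:-digits], combined[-digits:]


class OtpUserStore:
    """Minimal in-memory user records: password, TOTP seed, last accepted step."""

    def __init__(self):
        self.users = {}

    def add_user(self, name: str, password: str, secret: bytes) -> None:
        self.users[name] = {"password": password, "secret": secret, "last_counter": -1}

    def verify(self, name: str, combined: str, now: int, window: int = 1) -> bool:
        """Validate a combined 'password + OTP' submission at Unix time `now`."""
        user = self.users.get(name)
        parts = split_password_otp(combined)
        if user is None or parts is None:
            return False
        password, otp = parts
        # Constant-time password comparison (a real deployment stores a hash).
        pw_ok = hmac.compare_digest(password.encode(), user["password"].encode())
        # Accept the current step plus `window` steps either side for clock skew,
        # but never a step at or below the last one accepted, which blocks replay.
        base = now // STEP
        otp_ok, matched = False, None
        for counter in range(base - window, base + window + 1):
            if counter <= user["last_counter"]:
                continue
            if hmac.compare_digest(otp, totp(user["secret"], counter * STEP)):
                otp_ok, matched = True, counter
        if pw_ok and otp_ok:
            user["last_counter"] = matched
            return True
        return False


def demo() -> bool:
    """Constructed walk-through: one good login, then the same code replayed."""
    store = OtpUserStore()
    store.add_user("alice", "MyPassword", RFC_SECRET)   # constructed user
    first = store.verify("alice", "MyPassword" + totp(RFC_SECRET, 59), 59)
    replay = store.verify("alice", "MyPassword" + totp(RFC_SECRET, 59), 59)
    return first and not replay


if __name__ == "__main__":
    print("login accepted, replay rejected:", demo())
```

The design point is that the password check and the OTP check are both always evaluated, so a wrong password does not short-circuit and leak timing, and the last accepted time step is recorded per user so that a code captured from the wire cannot be reused inside the skew window.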

For organizations already using Microsoft 365 or Okta, you can instead route Sophos Connect authentication through a RADIUS server (for example, NPS with the Azure MFA Extension). The user enters only their primary password; the RADIUS server then triggers a second-factor "Approve" push to their phone before returning Access-Accept to the firewall.

Benefit: either option protects against credential theft and brute-force attacks, because a stolen or guessed password alone no longer grants VPN access.

Pro tip: where security policy allows, enable the trusted-device option so that MFA prompts drop to once every 7-30 days per device.