OTP / 2FA for built-in Admin User

Hi LHerzog: The above link/old thread is not true now, from V18.5 MR2 onwards we have OTP for the in-built Admin user as well. Authentication Enhancements section of release notes (of V18.5 MR-2) confirms the same.

Can you make it so we can get the 16 character secret code in addition to the QR code? We use a documentation system for passwords and it cannot read a QR code

same here: need to add the secret to our password documentation. admin cannot login to userportal where normal users can see their secrets.

same here: need to add the secret to our password documentation. admin cannot login to userportal where normal users can see their secrets.

a colleague scanned a Sophos OTP with a 3rd party App

like https://www.google.com/search?q=Microsoft+Lens+qr+code

and he could extract the Hex code from the other app and import it into password documentation.

It's up to everyone to decide how safe it is to scan private keys into 3rd party apps. Best would be for Sophos to improve the admin 2FA OTP process. The job is not fully done yet, compared to normal user 2FA.

And other brands support 2FA for SSH, too.

Well, you don't even need that. You can the 16 character code from looking at the HTML code. It's just not convenient.

The REAL issue I have is with how the login is implemented. Why do you have to append the OTP code to the end of the password? I have never seen any other login page that works this way. Are there any plans to design a proper login with a separate OTP field?

you don't know if the user that connects has OTP enabled or not. So why showing an OTP field if one may not need it.

I would agree that it makes sense to show such, if you enable this checkbox in the middle:

btw: nice thing that you found it on the source code!