Enable MFA for WatchGuard Cloud Operators

By default, operators use a password for authentication when they log in to WatchGuard Cloud. For increased security, you can enable multi-factor authentication (MFA) for an operator account. WatchGuard Cloud uses AuthPoint, WatchGuard's multi-factor authentication service, for MFA. When MFA is enabled for an operator account, the operator continues to log in to WatchGuard Cloud with their user name and password, but must also authenticate with their token A token is used to identify you and associate you with a device in the AuthPoint mobile app.

Operators with the Owner or Administrator role can enable MFA for any operator in their WatchGuard Cloud account or an account that they manage. All operators can enable and disable MFA for their own WatchGuard Cloud operator account, unless an operator with the Owner or Administrator role enabled MFA on the account.

To manage MFA for your account operators, you can:

• Enable MFA for a WatchGuard Cloud Operator Account
• Resend an MFA Token Activation Email Message
• Install the AuthPoint Mobile App
• Use the AuthPoint App to Authenticate
• Authenticate Without a Mobile Device
• Move an AuthPoint Token to Another Device
• Disable MFA for a WatchGuard Cloud Operator Account

For some administrative actions related to MFA for a WatchGuard operator account, you or the operator must contact WatchGuard Customer Care:

• Send a new token activation email if they delete the token on their current mobile device or if their mobile device is replaced and they cannot migrate their token.
• Add a new token to their account for an additional mobile device.
• Enable temporary access to their account if they do not have access to their mobile device.
• Unblock a token.

An AuthPoint license is not required to enable MFA for WatchGuard Cloud operators. WatchGuard provides a free token for MFA with WatchGuard Cloud.

Your operator role determines what you can see and do in WatchGuard Cloud. Your role must have the Configure Operators permission to view or configure this feature. This permission is only available for Owner and Administrator roles. For more information, go to Manage WatchGuard Cloud Operators and Roles.

Enable MFA for a WatchGuard Cloud Operator Account

After you enable MFA, WatchGuard sends an activation email to the email address associated with the operator account. The email contains a link to activate a new AuthPoint token on their mobile device.

Only an operator with the Owner or Administrator role can enable MFA for an operator account.

To enable MFA for an operator:

1. Log in to WatchGuard Cloud.
2. Select Administration > Operators and Roles.
   The Operators and Roles page opens.

The MFA column shows operators with MFA enabled or disabled. Operator Status and Last Login columns only show in the list for tier-1 Service Provider and tier-1 Subscriber accounts.

3. On the Operators page, next to the operator you want to enable MFA for, click .
4. Select Enable MFA.
   The Confirm Email Address dialog box opens.

5. Click Confirm Email.

If the same email address is associated with more than one user account in the WatchGuard Cloud, you can enable MFA for only one of those accounts.

Resend an MFA Token Activation Email Message

If an operator does receive the activation email and cannot find it, or if the activation link expires, you can resend it.

To resend an MFA token activation email message to an operator:

1. Log in to WatchGuard Cloud.
2. Select Administration > Operators and Roles.
   
   The Operators and Roles page opens.
   
3. On the Operators page, next to the operator, click .
4. Select Resend Token Activation Email.
5. In the confirmation dialog box, click Resend Email.

Install the AuthPoint Mobile App

To use MFA to authenticate with WatchGuard Cloud, operators must install the AuthPoint mobile app on a mobile device. The WatchGuard AuthPoint app is available for free from the Apple App Store or Google Play. After an operator installs the AuthPoint app, they can activate their token.

To activate a token:

1. Open the activation email and click the activation link.
   The Welcome to AuthPoint page opens, with an Activate link and a QR code.

2. Activate the token:
   • If the page opened on a mobile device, tap the Activate button. This opens the AuthPoint app and activates the token.
   • If the page opened on a computer, the operator opens the AuthPoint app on their phone and taps Activate, then points the camera on the mobile device at the QR code on the computer screen. This activates the token.

   If the operator has already activated a token, they must tap to open the QR code reader.

Use the AuthPoint App to Authenticate

To log in to WatchGuard Cloud when MFA is enabled:

1. Go to cloud.watchguard.com.
2. Type your user name and password. Click Log in.
   You are prompted to authenticate.
3. Select an authentication method and use the AuthPoint app to authenticate. You can select one of these authentication methods:

Push

With this method, an AuthPoint notification appears on your mobile device. On the push notification that AuthPoint sends to your mobile device, tap Approve to authenticate and log in.

One-Time Password

With this method, the AuthPoint app generates a unique, temporary password you must provide in addition to your WatchGuard Cloud password to authenticate and log in. In the One-Time Password text box, type the OTP shown for your token in the AuthPoint app.

QR Code

With this method, you use the AuthPoint app and the camera on your mobile device to read a QR code. Then you type a 6-digit verification code to authenticate and log in.

For more information about these authentication methods, go to About Authentication.

Authenticate Without a Mobile Device

If an operator forgets their mobile device at home, or does not have access to it for some other reason, WatchGuard Customer Care can allow the operator to log in without their mobile device for a limited amount of time.

Operators can follow these steps if they do not have access to the mobile device they use for authentication:

1. Go to cloud.watchguard.com and log in.
   You are prompted to authenticate.
2. From the Sign-in Options section, click Forgot Token.
   The Forgot Token page opens, with an activation code.
3. Contact WatchGuard Customer Care and tell them that you do not have access to your mobile device.
4. Provide WatchGuard Customer Care with the activation code.
5. Type the Period (Hours) and Verification Code values that your Service Provider gives to you.
6. Click Finish.

After you finish and validate the Period and Verification Code values, you are logged in. Multi-factor authentication is disabled for the time period specified by WatchGuard Customer Care. For the specified amount of time, you can log in with only your user name and password.

Move an AuthPoint Token to Another Device

If an operator gets a new mobile device, they can migrate their AuthPoint token from their old device to the new one. When an operator migrates a token, AuthPoint deletes the token from their current mobile device and the operator receives an activation email to activate the token on a new device.

To migrate an AuthPoint token:

1. On your old mobile device, open the AuthPoint mobile app.

   If an operator loses their mobile device, or deletes their token, the operator can disable and re-enable MFA for their operator account. When the operator enables MFA again, WatchGuard sends an activation email to the email address associated with the operator account to activate a new token.

2. Next to your token, tap (Android) or (iOS) and select Migrate Token.
3. When prompted to continue, tap Yes.
   Your token is deleted and you receive an activation email you can use to activate the token on a new device.
4. Install the AuthPoint mobile app on your new mobile device.
5. Open the activation email and activate your token on the new mobile device.

Disable MFA for a WatchGuard Cloud Operator Account

You can disable MFA for an operator account if they no longer want to use multi-factor authentication when they log in to WatchGuard Cloud. If the operator enabled MFA for their own account, they can disable it as well.

If an operator with the Owner or Administrator role enabled MFA for an operator account, only another operator with the Owner or Administrator role can disable MFA.

To disable MFA for an operator account:

1. Log in to WatchGuard Cloud.
2. Select Administration > Operators and Roles.

3. On the Operators page, next to the operator you want to disable MFA for, click .
4. Select Disable MFA.
   The Disable MFA dialog box opens.

5. Click Disable MFA.

Related Topics

Manage WatchGuard Cloud Operators and Roles

Add Operators to Your Account

Add Operators to Managed Accounts

See My Account Information

Manage Custom Operator Roles