About AuthPoint
Applies To: AuthPoint Multi-Factor Authentication, AuthPoint Total Identity Security
AuthPoint is WatchGuard's identity security and multi-factor authentication (MFA) service. With AuthPoint, you can require users to authenticate with the AuthPoint mobile app or a hardware token when they log in to a protected resource, such as a computer, VPN, or a cloud service or application.
Because AuthPoint requires users to authenticate before they log in, data in your cloud applications and services is protected.
AuthPoint uses the latest MFA methods to protect your trusted resources from unauthorized access. You can choose different authentication methods for specific user groups and applications:
- Push Notification — When you log in, AuthPoint sends a push notification to your mobile device that you approve to authenticate and log in or deny to prevent an access attempt that was not made by you
- QR Code — When you log in, you scan a QR code with the AuthPoint mobile app and use the verification code you receive to authenticate (AuthPoint uses secure QR codes that can only be decrypted by the AuthPoint mobile app)
- One-Time Password (OTP) — An OTP is a unique, temporary password available in the AuthPoint app that you use to authenticate
Users install the AuthPoint mobile app on their phone. Then, when they log in to any online service or VPN, they must authenticate with one of the methods described above.
AuthPoint includes these products:
AuthPoint Multi-Factor Authentication
AuthPoint Multi-Factor Authentication provides the security you need to protect identities, assets, accounts, and information from unauthorized access. With AuthPoint, users must authenticate when they log in to a protected resource.
AuthPoint Total Identity Security
AuthPoint Total Identity Security provides the security you need to protect identities, assets, accounts, and information from unauthorized access. It expands on the capabilities of AuthPoint Multi-Factor Authentication with Dark Web Monitoring for end-user credentials.
Throughout this documentation, AuthPoint refers generally to both products.
To learn how to set up multi-factor authentication with your Firebox and third-party applications and services, see AuthPoint Integration Guides. To test AuthPoint MFA, see AuthPoint Quick Start.
Components of AuthPoint
AuthPoint has several components:
AuthPoint Management UI
The AuthPoint management UI in WatchGuard Cloud is where you set up and manage your users, user groups, resources, external identities, and the AuthPoint Gateway. Resources are the applications that you define for use with AuthPoint. External identities connect to user databases to get user account information and validate passwords.
AuthPoint Mobile App
The AuthPoint mobile app is required for authentication. You can use the AuthPoint mobile app to view and manage your tokens, approve push notifications, get OTPs, scan QR codes, and view and manage your saved credentials. You can also enable Token Security to protect your tokens with a PIN or biometric ID.
AuthPoint Browser Extensions
The AuthPoint browser extensions are used for password management with AuthPoint Total Identity Security. You can use the AuthPoint browser extensions to save and manage your credentials in a personal password vault.
AuthPoint Gateway
The AuthPoint Gateway is a lightweight software application that you install on your network so that AuthPoint can communicate with your RADIUS clients and LDAP databases. The Gateway operates as a RADIUS server and is required for RADIUS authentication and for LDAP users to authenticate with SAML resources.
The installer for the AuthPoint Gateway is available on the Downloads page in the AuthPoint management UI.
Logon App
The Logon app is used to require authentication when users log on to a computer or server. This includes protection for RDP and RD Gateway. There are two parts to the Logon app: the agent you install on a computer or server and the resource you configure in AuthPoint.
The Logon app agents for Windows and macOS are available on the Downloads page in the AuthPoint management UI.
Agent for ADFS
With the AuthPoint ADFS agent, you can add multi-factor authentication (MFA) to ADFS for additional security. To configure MFA for ADFS, you must have the AuthPoint Gateway installed.
The installer for the ADFS agent is available on the Downloads page in the AuthPoint management UI.
Agent for RD Web
The AuthPoint agent for RD Web adds the protection of multi-factor authentication to RD Web Access. There are two parts to the AuthPoint agent for RD Web: the agent you install and the resource you configure in AuthPoint.
The installer for the RD Web agent is available on the Downloads page in the AuthPoint management UI.
AuthPoint Licenses
AuthPoint is a subscription security service. To use AuthPoint, you must activate an AuthPoint license in your WatchGuard account. The AuthPoint license determines the number of users you can configure to use AuthPoint for multi-factor authentication. When you activate your AuthPoint license key, the user licenses are added to your AuthPoint account in WatchGuard Cloud.
If you are a WatchGuard Cloud Service Provider, you can allocate AuthPoint user licenses to accounts you manage in WatchGuard Cloud.
Service Providers can activate both AuthPoint Multi-Factor Authentication and AuthPoint Total Identity Security licenses to add users to their inventory. Subscriber accounts can only have one AuthPoint product (Multi-Factor Authentication or Total Identity Security).
AuthPoint User Types
When you add local AuthPoint users to Directories and Domain Services, you choose whether the user is an MFA user or a non-MFA user.
MFA Users
MFA users are user accounts that will use AuthPoint multi-factor authentication to authenticate. This is not related to the AuthPoint Multi-Factor Authentication product.
Non-MFA Users
Non-MFA users are users that will only ever authenticate with a password, such as a service account user. Non-MFA users do not consume an AuthPoint user license and cannot authenticate to resources that require MFA. They can only authenticate to protected resources if the non-MFA user account has a password-only authentication policy for that resource.
After you add a user, you can edit the user account if you need to change their account type. When you change a user account from MFA to non-MFA, AuthPoint deletes the tokens and password vault (if applicable) that belong to the user. This action cannot be undone.
AuthPoint Management UI
To set up and manage AuthPoint, you use the AuthPoint management UI in WatchGuard Cloud. To connect to WatchGuard Cloud, go to cloud.watchguard.com. Log in with your WatchGuard website credentials.
Configure AuthPoint
To configure AuthPoint, select Configure > AuthPoint. If you have a Service Provider account, you must select an account from the Account Manager menu to configure AuthPoint for that account.
The Summary page shows tiles with summary configuration information.
To configure AuthPoint settings you can click the tile title or click the Management links:
- Resources — Configure the applications and services that your users connect to.
- Groups — Configure user groups, and add access policies that specify which resources users in that group can authenticate to and which authentication methods they can use (Push, QR code, and OTP).
- Users — Manage AuthPoint users and tokens. You can create local AuthPoint users or import LDAP users from an external authentication server. Each user can only be a member of one AuthPoint group.
- External Identities — Configure the information required for AuthPoint to connect to your Active Directory or LDAP databases to get user account information and validate passwords.
- Gateway — Configure settings for the AuthPoint Gateway, a lightweight software application that you install on your network so that AuthPoint can communicate with your RADIUS clients, the AuthPoint agent for ADFS, and your Active Directory or LDAP database.
- Hardware Tokens — Import hardware tokens and associate them with users.
The items in the AuthPoint management menu are listed in the optimal order to configure them. We recommend you start at Resources, and work your way down each item in the list until your configuration is complete.
Monitor AuthPoint
Use AuthPoint dashboards and reports to monitor AuthPoint activity and status.
To monitor AuthPoint, select Monitor > AuthPoint. If you have a Service Provider account, you must select an account from the Account Manager menu to monitor AuthPoint for that account.
In the Monitor section of the AuthPoint management UI, you can see these dashboards and reports:
- User Activity — A bar graph that shows how many times each active user has authenticated, the last time each inactive user authenticated, and how and when blocked users were blocked.
- Authentication — A bar graph that shows successful and failed authentication attempts for each user. For each attempt, a list shows the authentication date, the token that was used, the authentication method, and the resource the user authenticated to.
- Resource Activity — A bar graph of resources that shows successful and failed authentication attempts for each resource. For each attempt, a list shows which user authenticated, the authentication date, the token that was used, and the authentication method.
- Denied Push Notifications — A bar graph that shows a count of how many push notifications have been denied by users.
- Activation Activity — Shows a list of user tokens that have not yet been activated.
- Sync Activity — Shows information about the synchronization of your LDAP database if you have added an external identity.
Audit logs and notifications, available from the Administration menu, provide additional information about AuthPoint events that can be useful for troubleshooting.
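The dashboards above are built from per-attempt records: who authenticated, to which resource, with which method, and whether the attempt succeeded, failed, or was denied. The following is an added example, not AuthPoint code and not AuthPoint's audit log format: it parses a constructed key=value log (the line layout and field names user, resource, method and result are assumptions) and aggregates it into the same per-user, per-resource and denied-push counts the Authentication, Resource Activity and Denied Push Notifications dashboards present. It also lists users whose denied-push count reaches an assumed threshold, since repeated denials mean someone other than the user is triggering prompts and that account merits review.

```python
"""Aggregate constructed AuthPoint-style authentication events into the
per-user, per-resource and denied-push counts shown on the Monitor dashboards.

The log line format below is constructed for this example. It is NOT
AuthPoint's real audit log format, and the field names are assumptions.
"""
from collections import Counter, defaultdict

# Constructed sample lines: ISO timestamp followed by key=value fields.
SAMPLE_LOG = """\
2024-05-01T08:00:12Z user=alice resource=VPN method=push result=success
2024-05-01T08:03:40Z user=alice resource=VPN method=push result=denied
2024-05-01T08:04:02Z user=alice resource=VPN method=push result=denied
2024-05-01T08:04:33Z user=alice resource=VPN method=push result=denied
2024-05-01T09:15:00Z user=bob resource=Logon method=otp result=failed
2024-05-01T09:15:20Z user=bob resource=Logon method=otp result=success
2024-05-01T10:30:05Z user=carol resource=RDWeb method=qrcode result=success
malformed line without fields
"""

REQUIRED_FIELDS = {"user", "resource", "method", "result"}


def parse_line(line):
    """Return a dict for one well-formed line, or None if the line does not match."""
    parts = line.split()
    if len(parts) < 1 + len(REQUIRED_FIELDS):
        return None
    event = {"time": parts[0]}
    for token in parts[1:]:
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        event[key] = value
    if not REQUIRED_FIELDS.issubset(event):
        return None
    return event


def parse_log(text):
    """Parse every line, silently skipping lines that do not fit the format."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def per_user_results(events):
    """user -> Counter of result values (what the Authentication dashboard shows)."""
    out = defaultdict(Counter)
    for e in events:
        out[e["user"]][e["result"]] += 1
    return out


def per_resource_results(events):
    """resource -> Counter of result values (what the Resource Activity dashboard shows)."""
    out = defaultdict(Counter)
    for e in events:
        out[e["resource"]][e["result"]] += 1
    return out


def denied_push_counts(events):
    """user -> number of push notifications that user denied."""
    return Counter(
        e["user"] for e in events if e["method"] == "push" and e["result"] == "denied"
    )


def users_to_review(events, threshold=3):
    """Users whose denied-push count reaches the threshold (an assumed, tunable value)."""
    return sorted(u for u, n in denied_push_counts(events).items() if n >= threshold)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, counts in sorted(per_user_results(evs).items()):
        print(user, dict(counts))
    for resource, counts in sorted(per_resource_results(evs).items()):
        print(resource, dict(counts))
    print("denied pushes:", dict(denied_push_counts(evs)))
    print("review:", users_to_review(evs))
```

Run it as a script to print the per-user and per-resource breakdown for the constructed log; on that input alice is the only user listed for review, because three of her push prompts were denied within a minute.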
See Also
Quick Start — Set Up AuthPoint