Block a User or Token
Applies To: AuthPoint Multi-Factor Authentication, AuthPoint Total Identity Security
There are two ways to prevent authentication:
- Block a User — The user cannot authenticate with any of their WatchGuard tokens on any of their mobile devices
- Block a Token — The user cannot authenticate with that token, but can still authenticate with other active tokens
If a WatchGuard Cloud-hosted AuthPoint user authenticates with an incorrect password more than ten consecutive times, AuthPoint automatically blocks the user account. This only applies to WatchGuard Cloud-hosted users that come from the WatchGuard Cloud Directory, not AuthPoint users synced from an external identity. You can change the number of consecutive times a user can authenticate with an incorrect password before the user is blocked on the Settings page.
If a user fails three consecutive authentication attempts, AuthPoint automatically blocks the token used for authentication. The user cannot authenticate with the blocked token until an AuthPoint administrator unblocks the token. You can change the number of consecutive times a user can fail to successfully authenticate before a token is blocked on the Settings page.
AuthPoint considers authentications that do not have a valid response to be failed authentication attempts. This includes incorrect one-time passwords, incorrect verification codes for QR code authentication, and push notifications that are not valid.
AuthPoint does not consider denied push notifications to be failed authentication attempts.
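The following Python model, added here as an illustration and not part of the WatchGuard documentation, applies the two lockout rules described above: the per-token rule (three consecutive failed authentications), the per-user password rule (more than ten consecutive incorrect passwords, Cloud Directory users only), the reset of the counter on a valid response, and the exemption for denied push notifications. The class names, the result labels and the way the thresholds are held as constants are assumptions made for this example.

```python
from dataclasses import dataclass, field

# Default thresholds stated in the AuthPoint documentation (both adjustable on the Settings page).
USER_PASSWORD_FAIL_LIMIT = 10  # the user is blocked on the attempt that exceeds this count
TOKEN_FAIL_LIMIT = 3           # the token is blocked when this many consecutive attempts fail


@dataclass
class Token:
    status: str = "Activated"      # "Activated" or "Blocked"
    consecutive_failures: int = 0


@dataclass
class User:
    cloud_directory: bool          # True: WatchGuard Cloud Directory user; False: synced from an external identity
    tokens: dict = field(default_factory=dict)
    status: str = "Activated"      # "Activated" or "Blocked" (Quarantined is not modelled here)
    consecutive_bad_passwords: int = 0


def record_password_attempt(user: User, correct: bool) -> str:
    """Apply the user-level lockout rule and return the resulting user status."""
    if correct:
        user.consecutive_bad_passwords = 0
    else:
        user.consecutive_bad_passwords += 1
        # Only Cloud Directory users are auto-blocked; externally synced users are not.
        if user.cloud_directory and user.consecutive_bad_passwords > USER_PASSWORD_FAIL_LIMIT:
            user.status = "Blocked"
    return user.status


def record_token_attempt(user: User, token_id: str, result: str) -> str:
    """Apply the token-level lockout rule; result is 'valid', 'invalid' or 'denied'."""
    token = user.tokens[token_id]
    if result == "valid":
        token.consecutive_failures = 0
    elif result == "invalid":  # wrong OTP, wrong QR verification code, or an invalid push response
        token.consecutive_failures += 1
        if token.consecutive_failures >= TOKEN_FAIL_LIMIT:
            token.status = "Blocked"
    # A denied push notification is not a failed attempt: counter and status are unchanged.
    return token.status


def can_authenticate(user: User, token_id: str) -> bool:
    """Both the user account and the specific token must be activated."""
    return user.status == "Activated" and user.tokens[token_id].status == "Activated"
```

Blocking the user leaves each token's own status at Activated, which matches the behaviour of the Users page described later in this document.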
On the Users page, the User Name and Token columns show the status of the user account and that user's tokens. You can see if a user or token is active or blocked.
User Status | Definition
---|---
Activated | The user account is activated and can authenticate with any active tokens
Quarantined | The LDAP synced user account cannot authenticate because the LDAP user was moved or deleted
Blocked | The user cannot authenticate with any WatchGuard tokens on any of their mobile devices and cannot log in to their password vault
Token Status | Definition
---|---
Activated | The token is activated and can be used for authentication
Blocked | The token is blocked and the user cannot authenticate with that token (they can still authenticate with other active tokens)
Block a User
A blocked user cannot authenticate with any of their WatchGuard tokens on any of their mobile devices. The general use case for this action is to completely block a user account when the user has been offboarded or when the account may have been compromised in some way.
When you block a user account, that does not affect third-party tokens that user has imported to the AuthPoint mobile app. A blocked user can still use their third-party tokens, such as Google Authenticator, to authenticate with third-party resources.
A blocked user account cannot log in to their password vault.
To block a user:
- From the navigation menu, select Users.
- In the relevant user row, click and select Block User.
- Click Yes.
The status icon next to the user name turns red to indicate that the user is blocked.
The user is now blocked and cannot authenticate with any of their WatchGuard tokens on any of their mobile devices.
When a user is blocked, the status icon next to their tokens is still listed as activated. The status icon for a token only changes when you block a specific token.
Activate a Blocked User
To activate a blocked user:
- From the navigation menu, select Users.
- In the relevant user row, click and select Activate User.
- Click Yes.
The status icon next to the user name turns green to indicate that the user is activated.
The user is returned to the activated status and can authenticate with any of their unblocked WatchGuard tokens on any of their mobile devices.
Block or Unblock a Token
When you change the status of a token to blocked, the user cannot authenticate with that token, but can still authenticate with any other active tokens they have. The status icon next to each token in the Token column indicates whether the token is activated or blocked.
The general use case for this action is to prevent authentication from a specific mobile device that a token is activated on. For example, if a user loses their phone you could block the token that is activated on that device to prevent unauthorized access. This way, if the user has an active token on another device, they can still authenticate with that token.
In general, it is best practice to block a token first before you delete it. You can always change the status of a blocked token back to activated, but a deleted token cannot be restored. If you delete a token, you must create a new token for the user.
An end-user must have at least one active token in the AuthPoint mobile app to log in to their password vault on that device.
The steps to block a hardware token and a mobile token are the same.
To block or unblock a token:
- From the navigation menu, select Users.
- In the Token column, click the token to block or unblock.
- In the Token Management window, click Block Token or Activate Token. The option you see depends on the token status.
The status of the user's token is changed. If the token was activated, it becomes blocked and the user cannot authenticate with that token. If the token was blocked, it becomes activated and can be used for authentication.