Enable MFA for WatchGuard Cloud Operators

Some of the features described in this topic are only available to participants in the WatchGuard Cloud Beta program. If a feature described in this topic is not available in your version of WatchGuard Cloud, it is a beta-only feature.

By default, operators use a password for authentication when they log in to WatchGuard Cloud. For increased security, you can enable multi-factor authentication (MFA) for an operator account. WatchGuard Cloud uses AuthPoint, WatchGuard's multi-factor authentication service, for MFA. When MFA is enabled for an operator account, the operator continues to log in to WatchGuard Cloud with their user name and password, but must also authenticate with their token in the AuthPoint mobile app.

Operators with the Owner or Administrator role can enable MFA for any operator in their WatchGuard Cloud account or an account that they manage. They can also enable MFA for all operators in their account. Operators can enable and disable MFA for their own WatchGuard Cloud operator account, unless an operator with the Owner or Administrator role enabled MFA on the account.

To manage MFA for your account operators, you can:

For some administrative actions related to MFA for a WatchGuard operator account, you or the operator must contact WatchGuard Customer Care:

  • Send a new token activation email if they delete the token on their current mobile device or if their mobile device is replaced and they cannot migrate their token.
  • Add a new token to their account for an additional mobile device.
  • Enable temporary access to their account if they do not have access to their mobile device.
  • Unblock a token.

An AuthPoint license is not required to enable MFA for WatchGuard Cloud operators. WatchGuard provides a free token for MFA with WatchGuard Cloud.

Your operator role determines what you can see and do in WatchGuard Cloud. Your role must have the Configure Operators permission to view or configure this feature. This permission is only available for Owner and Administrator roles. For more information, go to Manage WatchGuard Cloud Operators and Roles.

Enable MFA for a WatchGuard Cloud Operator Account

After you enable MFA, WatchGuard sends an activation email to the email address associated with the operator account. The email contains a link to activate a new AuthPoint token on their mobile device.

Only an operator with the Owner or Administrator role can enable MFA for an operator account.

To enable MFA for an operator:

  1. Log in to WatchGuard Cloud.
  2. Select Administration > Operators and Roles.
    The Operators and Roles page opens.


The MFA column shows operators with MFA enabled or disabled. Operator Status and Last Login columns only show in the list for tier-1 Service Provider and tier-1 Subscriber accounts.

  3. On the Operators page, next to the operator you want to enable MFA for, click .
  4. Select Enable MFA.
    The Confirm Email Address dialog box opens.


  5. Click Confirm Email.

If the same email address is associated with more than one user account in WatchGuard Cloud, you can enable MFA for only one of those accounts.

Enable Account-Level MFA

When you enable MFA at the account level, WatchGuard enables MFA for all operators in your account and sends an activation email to the email address associated with each operator in the account. The email contains a link to activate a new AuthPoint token on their mobile device.

Before you enable account-level MFA, review this information:

  • Each operator must have a unique email address. If an operator in your account has an email address that is assigned to an operator in another account with MFA enabled, you must update the operator with a unique email address or disable MFA for the operator with the duplicate email address.
  • With account-level MFA enabled, only an operator with the Owner or Administrator role can disable MFA for their own user account.
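
The unique-email requirement above can be checked before you turn on account-level MFA. This is an added example, not WatchGuard code: it runs over a constructed operator inventory, and the field names, account IDs, and the case-insensitive email comparison are assumptions.

```python
from collections import defaultdict

# Constructed sample inventory. The field names and account IDs are assumptions
# for this example; they are not a WatchGuard Cloud export format.
OPERATORS = [
    {"account": "ACC-1", "user": "alice", "email": "alice@example.com", "mfa": False},
    {"account": "ACC-1", "user": "bob", "email": "bob@example.com", "mfa": False},
    {"account": "ACC-1", "user": "carol", "email": "Shared@Example.com ", "mfa": False},
    {"account": "ACC-2", "user": "carol-msp", "email": "shared@example.com", "mfa": True},
    {"account": "ACC-2", "user": "dave", "email": "bob@example.com", "mfa": False},
]


def normalize(email):
    # Assumption: addresses are compared case-insensitively, ignoring whitespace.
    return email.strip().lower()


def preflight(operators, target_account):
    """List operators in target_account whose email address is not unique.

    A duplicate inside the target account always counts. A duplicate in
    another account counts only when that other operator has MFA enabled.
    """
    by_email = defaultdict(list)
    for op in operators:
        by_email[normalize(op["email"])].append(op)

    blockers = []
    for op in operators:
        if op["account"] != target_account:
            continue
        conflicts = [
            (other["account"], other["user"])
            for other in by_email[normalize(op["email"])]
            if other is not op
            and (other["account"] == target_account or other["mfa"])
        ]
        if conflicts:
            blockers.append({"user": op["user"], "email": normalize(op["email"]),
                             "conflicts": conflicts})
    return blockers


if __name__ == "__main__":
    for b in preflight(OPERATORS, "ACC-1"):
        print(f"{b['user']} <{b['email']}> conflicts with {b['conflicts']}")
```

Each operator the check returns needs either a unique email address or MFA disabled on the conflicting operator, as described in the list above.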

Only an operator with the Owner or Administrator role can enable account-level MFA.

To enable MFA for all operators in your account:

  1. Log in to WatchGuard Cloud.
  2. Select Administration > Operators and Roles.
    The Operators and Roles page opens.


The MFA column shows operators with MFA enabled or disabled. Operator Status and Last Login columns only show in the list for tier-1 Service Provider and tier-1 Subscriber accounts.

  3. On the Operators page, enable Multi-Factor Authentication (MFA) for All Operators.

If MFA is not enabled for one or more operators, you can find the details in Administration > System > Audit Logs.

Resend an MFA Token Activation Email Message

If an operator cannot find the activation email, or if the activation link expires, you can resend it.

To resend an MFA token activation email message to an operator:

  1. Log in to WatchGuard Cloud.
  2. Select Administration > Operators and Roles.
    The Operators and Roles page opens.
  3. On the Operators page, next to the operator, click .
  4. Select Resend Token Activation Email.
  5. In the confirmation dialog box, click Resend Email.

Install the AuthPoint Mobile App

To use MFA to authenticate with WatchGuard Cloud, operators must install the AuthPoint mobile app on a mobile device. The WatchGuard AuthPoint app is available for free from the Apple App Store or Google Play. After an operator installs the AuthPoint app, they can activate their token.

To activate a token:

  1. Open the activation email and click the activation link.
    The Welcome to AuthPoint page opens, with an Activate link and a QR code.

  2. Activate the token:
    • If the page opened on a mobile device, tap the Activate button. This opens the AuthPoint app and activates the token.
    • If the page opened on a computer, the operator opens the AuthPoint app on their phone and taps Activate, then points the camera on the mobile device at the QR code on the computer screen. This activates the token.

    If the operator has already activated a token, they must tap the QR code icon to open the QR code reader.

Use the AuthPoint App to Authenticate

To log in to WatchGuard Cloud when MFA is enabled:

  1. Go to cloud.watchguard.com.
  2. Type your user name and password. Click Log in.
    You are prompted to authenticate.
  3. Select an authentication method and use the AuthPoint app to authenticate. You can select one of these authentication methods:

Push

With this method, an AuthPoint notification appears on your mobile device. On the push notification that AuthPoint sends to your mobile device, tap Approve to authenticate and log in.

One-Time Password

With this method, the AuthPoint app generates a unique, temporary password you must provide in addition to your WatchGuard Cloud password to authenticate and log in. In the One-Time Password text box, type the OTP shown for your token in the AuthPoint app.

QR Code

With this method, you use the AuthPoint app and the camera on your mobile device to read a QR code. Then you type a 6-digit verification code to authenticate and log in.

For more information about these authentication methods, go to About Authentication.

Authenticate Without a Mobile Device

If an operator forgets their mobile device at home, or does not have access to it for some other reason, WatchGuard Customer Care can allow the operator to log in without their mobile device for a limited amount of time.

Operators can follow these steps if they do not have access to the mobile device they use for authentication:

  1. Go to cloud.watchguard.com and log in.
    You are prompted to authenticate.
  2. From the Sign-in Options section, click Forgot Token.
    The Forgot Token page opens, with an activation code.
  3. Contact WatchGuard Customer Care and tell them that you do not have access to your mobile device.
  4. Provide WatchGuard Customer Care with the activation code.
  5. Type the Period (Hours) and Verification Code values that your Service Provider gives to you.
  6. Click Finish.

After you finish and validate the Period and Verification Code values, you are logged in. Multi-factor authentication is disabled for the time period specified by WatchGuard Customer Care. For the specified amount of time, you can log in with only your user name and password.

Move an AuthPoint Token to Another Device

If an operator gets a new mobile device, they can migrate their AuthPoint token from their old device to the new one. When an operator migrates a token, AuthPoint deletes the token from their current mobile device and the operator receives an activation email to activate the token on a new device.

To migrate an AuthPoint token:

  1. On your old mobile device, open the AuthPoint mobile app.

    If an operator loses their mobile device, or deletes their token, the operator can disable and re-enable MFA for their operator account. When the operator enables MFA again, WatchGuard sends an activation email to the email address associated with the operator account to activate a new token.

  2. Next to your token, tap (Android) or (iOS) and select Migrate Token.
  3. When prompted to continue, tap Yes.
    Your token is deleted and you receive an activation email you can use to activate the token on a new device.
  4. Install the AuthPoint mobile app on your new mobile device.
  5. Open the activation email and activate your token on the new mobile device.

Disable MFA for a WatchGuard Cloud Operator Account

You can disable MFA for an operator account if they no longer want to use multi-factor authentication when they log in to WatchGuard Cloud. If the operator enabled MFA for their own account, they can disable it as well.

When you disable MFA for an operator, account-level MFA is also disabled if it was previously enabled.

If an operator with the Owner or Administrator role enabled MFA for an operator account, only another operator with the Owner or Administrator role can disable MFA.

To disable MFA for an operator account:

  1. Log in to WatchGuard Cloud.
  2. Select Administration > Operators and Roles.


  3. On the Operators page, next to the operator you want to disable MFA for, click .
  4. Select Disable MFA.
    The Disable MFA dialog box opens.


  5. Click Disable MFA.

Disable Account-Level MFA

When you disable account-level MFA, you can also disable MFA for all existing operators.

Only an operator with the Owner or Administrator role can disable account-level MFA.

To disable account-level MFA:

  1. Log in to WatchGuard Cloud.
  2. Select Administration > Operators and Roles.
    The Operators and Roles page opens.
  3. On the Operators page, disable Multi-Factor Authentication (MFA) for All Operators.
    A confirmation dialog box opens.
  4. To disable MFA for all existing operators, select the Disable MFA for Existing Operators check box.
  5. Click OK.

If you do not select the Disable MFA for Existing Operators check box, and click OK to continue, account-level MFA is disabled but existing operators retain their MFA status.

Related Topics

Manage WatchGuard Cloud Operators and Roles

Add Operators to Your Account

Add Operators to Managed Accounts

See My Account Information

Manage Custom Operator Roles