Microsoft Entra External Authentication Methods Beta for AuthPoint MFA

WatchGuard has detected global SSL VPN brute-force activities causing excessive volume of unknown user authentication attempts to the AuthPoint authentication service. The service disruptions during the month of October 2024 resulted in service degradation and led to some customers and partners experiencing failed, timed-out, or intermittent authentication sessions. The brute-force activities are not directly targeting AuthPoint and have not resulted in a breach of WatchGuard services. 

The threat actor(s) appear to be using random or common credentials and passwords, which suggests that it is not a targeted campaign, but rather the lowest form of credential and password harvesting. These techniques seek to exploit customers using common, default usernames or passwords to gain entry.  

All the unknown user/unauthorized authentication attempts go through on-premises systems such as RADIUS, SSL VPN and Firewalls to the AuthPoint authentication services across all regions (Americas, EMEA and APAC).  Additionally, we are observing an increase in unknown user traffic from WatchGuard Fireboxes with direct integrations to AuthPoint services. 

WatchGuard observed global SSL VPN credential and authentication brute-force activities earlier in the year as well, however the volume on 2024 October 20-22 significantly increased in scale. We previously released a Knowledge Base Article with information and best practices for dealing with brute-force disruptions, and it has been updated based on the latest activities.

Are there actions that partners and customers should implement to reduce service disruptions? 
As mentioned above, the Knowledge Base Article provides best practices that Firebox administrators can implement to mitigate the unknown user and unauthorized authentication attempts from Fireboxes, including enabling Botnet Detection with our latest update. If your third-party systems support authentication traffic throttling or autoblocking of IP addresses after multiple failed authentication attempts, we recommend you enable it.  

What are we doing to address the service disruption to AuthPoint? 
WatchGuard has scaled-up additional instances and continues to monitor AuthPoint infrastructure services to mitigate service disruption. Specifically, on-call teams are continuously monitoring production services across all regions, improving our self-healing and recovery tooling, and enabled RADIUS-based authentication throttling across all regions. 

WatchGuard also released an updated threat intelligence package to our Firebox Botnet Detection service that has begun to block known source IP addresses. If you manage a Firebox and have the SSL/VPN portal exposed to the Internet, we strongly recommend that you enable Botnet Detection and obtain the updated package.  

What are we doing in support to address the service disruptions? 
 WatchGuard Support has also been diligently responding to customer cases as spikes in volume have increased in the past 48-72 hours. Support personnel are actively assisting customers and partners with excessive volume of unknown users and authentication requests from one or more of their on-premises services.  

Customers with Fireboxes and/or third-party systems should enable Botnet Detection, disable SSL VPN portal from external access, enable geolocation restrictions and set connection rate limits as outlined in this Knowledge Base Article, which will be updated as more guidance becomes available. 

When was this brute-force activity first discovered? 
Throughout 2024, the industry has seen various SSL VPN and brute-force security advisories have been issued starting in February and again in April. However, this specific service disruption started temporarily on Sunday October 20th, but then restarted on Monday, October 21st. 

What’s Next? 
WatchGuard continues to monitor the brute-force activities and the impact on our services, and we will continue to update our Status page with new relevant information. 

We're writing to inform you about some upcoming changes to AuthPoint Total Identity Security. These changes are designed to better align with our strategic direction, market trends and provide you with the most effective identity security solutions.

End of Password Manager and Dark Web Scan

Effective October 1, 2024, the Password Manager feature (including the corporate and private vault app and browser extensions) will no longer be included in AuthPoint Total Identity Security. Additionally, WatchGuard Dark Web Scan will no longer be available for free, nor part of AuthPoint or from WatchGuard Cloud.

Our Commitment to You

We understand that these changes may impact your current workflow. To ensure a smooth transition, we'll continue to provide product support for Dark Web Scan until March 31, 2025, and for Password Manager until September 30, 2025.

New Features to Come

While we're discontinuing these features, we're excited to work on a new, enhanced Dark Web Credential Monitoring service. This service will leverage a powerful third-party intelligence source to provide you with even more comprehensive protection against threats.

Need Assistance?

Contact our customer support team. We're here to help you navigate these changes and ensure a seamless experience.

The AuthPoint Team

We are thrilled to announce the launch of the newest version of our AuthPoint Logon Agent for Mac (version 2.0)! This release has great new features that make securing your macOS devices easier and more robust than ever. Here’s what’s new:

• Enhanced User Experience

We’ve completely overhauled the user experience to make the MFA process smoother and more intuitive. The new interface is designed to be more user-friendly, with a streamlined authentication.

• Fingerprint Authentication as a First Factor

In this version, we’ve introduced support for fingerprint authentication as the first factor. Now, logging into your macOS device is faster, more secure, and more convenient. 

• MFA for Privilege Escalation

Security doesn’t stop at login. With the new version, we’ve added MFA for privilege escalation. Now, when a user needs to elevate their privileges—such as executing commands with admin rights or accessing sensitive system settings—MFA is required. 

While we’re excited about these new enhancements, we want to remind you that all the powerful features from previous versions are still at your fingertips:

• Offline Mode MFA: Even when you’re offline, your security doesn’t have to be. Continue using MFA in offline mode with QR codes or One-Time Passwords (OTP), ensuring you’re protected no matter where you are.
• Forgot Token? No Problem: We know things happen, which is why we’ve retained the option for users to temporarily access their accounts without a token. This feature is perfect for those moments when you’ve forgotten your token but still need secure access.
• Flexible Authentication Policies: Tailor your security to your needs with authentication policies based on time, location, and even authentication kinetics. Whether you’re enforcing strict access during work hours or adapting to a remote workforce, our solution provides the flexibility you need.

With this new release, we’re pushing the boundaries of what’s possible with macOS security. Install or upgrade today and experience the future of macOS security!