Enable MFA for WatchGuard Cloud Operators

By default, operators use a password for authentication when they log in to WatchGuard Cloud. For increased security, an operator account can have multi-factor authentication (MFA) enabled. WatchGuard Cloud uses AuthPoint, WatchGuard's multi-factor authentication service, for MFA. When MFA is enabled for an operator account, the operator continues to log in to WatchGuard Cloud with their user name and password, but must also authenticate with their token in the AuthPoint mobile app.

Operators with the Owner or Administrator role can enable MFA for any operator in their WatchGuard Cloud account or an account that they manage. All operators can enable and disable MFA for their own WatchGuard Cloud operator account, unless an operator with the Owner or Administrator role enabled MFA on the account.

Operators must contact their Service Provider for any administrative actions related to MFA for their WatchGuard Cloud account.

An AuthPoint license is not required to enable MFA for WatchGuard Cloud operators. WatchGuard provides a free token for MFA with WatchGuard Cloud.

Tier-1 accounts must manage their operators in the Support Center. In WatchGuard Cloud, operators from a tier-1 account can only see the operators on the account and change their role. For more information, see Manage User Accounts in the WatchGuard Portal.

Enable MFA for a WatchGuard Cloud Operator Account

To enable MFA for an operator:

  1. Log in to WatchGuard Cloud.
  2. Click .
    The My Account menu opens.

  3. Select My Account.
    The My Account page opens.
  4. In the Operators section, next to the operator you want to enable MFA for, click .

    You must have the Owner or Administrator role to enable MFA for another operator account.

  5. Select Enable MFA.
    The Confirm Email Address dialog box opens.
  6. Click Confirm Email.

After MFA is enabled, WatchGuard sends an activation email to the email address associated with the operator account. The email contains a link to activate a new AuthPoint token on a mobile device.

Install the AuthPoint Mobile App

To use MFA to authenticate with WatchGuard Cloud, operators must install the AuthPoint mobile app on a mobile device. The WatchGuard AuthPoint app is available for free from the Apple App Store or Google Play. After an operator installs the AuthPoint app, they can activate their token.

To activate a token:

  1. Open the activation email. If an operator does not receive the activation email or cannot find it, they can resend the activation email from the My Account page in WatchGuard Cloud.
  2. Click the activation link in the email.
    The Welcome to AuthPoint web page opens, with an Activate link and a QR code.

  3. Activate the token:
    • If the web page is opened on a mobile device, tap the Activate button. This opens the AuthPoint app and activates the token.
    • If the web page is opened on a computer, the operator opens the AuthPoint app on their phone and taps Activate, then points the camera on the mobile device at the QR code on the computer screen. This activates the token.

    If the operator has already activated a token, they must tap to open the QR code reader.

Use the AuthPoint App to Authenticate

To log in to WatchGuard Cloud when MFA is enabled:

  1. Go to cloud.watchguard.com.
  2. Type your user name and password. Click Log in.
    You are prompted to authenticate.
  3. Select an authentication method and use the AuthPoint app to authenticate. You can select one of these authentication methods:

Push

With this method, an AuthPoint notification appears on your mobile device. On the push notification that is sent to your mobile device, tap Approve to authenticate and log in.

One-Time Password

With this method, the AuthPoint app generates a unique, temporary password you must provide in addition to your WatchGuard Cloud password to authenticate and log in. In the One-Time Password text box, type the OTP shown for your token in the AuthPoint app.

QR Code

With this method, you use the AuthPoint app and the camera on your mobile device to read a QR code. Then you type a 6-digit verification code to authenticate and log in.

For more information about these authentication methods, see About Authentication.

Authenticate Without a Mobile Device

If an operator forgets their mobile device at home, or does not have access to it for some other reason, the operator's Service Provider can allow the operator to log in without their mobile device for a limited amount of time.

Follow these steps if you do not have access to the mobile device you use for authentication:

  1. Go to cloud.watchguard.com and log in.
    You are prompted to authenticate.
  2. From the Sign-in Options section, click Forgot Token.
    The Forgot Token page opens, with an Activation Code.
  3. Contact your Service Provider and tell them that you do not have access to your mobile device.
  4. Give your Service Provider the Activation Code.
  5. The Service Provider contacts WatchGuard Customer Care.
  6. Type the Period (Hours) and Verification Code values that your Service Provider gives to you.
  7. Click Finish.

If the Period and Verification Code values are valid, you are logged in. Multi-factor authentication is disabled for the time period specified by your Service Provider. For the specified amount of time, you can log in with only your user name and password.

Move a Token to Another Device

If an operator gets a new mobile device, they can migrate their AuthPoint token from their old device to the new one. When an operator migrates a token, AuthPoint deletes the token from their current mobile device and the operator receives an activation email to activate the token on a new device.

To migrate a token:

  1. On your old mobile device, open the AuthPoint mobile app.

    If an operator loses their mobile device, or deletes their token, the operator can disable and re-enable MFA for their operator account. When the operator enables MFA again, WatchGuard sends an activation email to the email address associated with the operator account to activate a new token.

  2. Next to your token, tap (Android) or (iOS) and select Migrate Token.
  3. When prompted to continue, tap Yes.
    Your token is deleted and you receive an activation email you can use to activate the token on a new device.
  4. Install the AuthPoint mobile app on your new mobile device.
  5. Open the activation email and activate your token on the new mobile device.

Disable MFA for a WatchGuard Cloud Operator Account

Operators can disable MFA for their operator account if they no longer want to use multi-factor authentication when they log in to WatchGuard Cloud.

If an operator with the Owner or Administrator role enabled MFA for an operator account, only another operator with the Owner or Administrator role can disable MFA.

To disable MFA for an operator account:

  1. Log in to WatchGuard Cloud.
  2. Click .
    The My Account menu opens.
  3. Select My Account.
    The My Account page opens.
  4. In the Operators section, next to the operator you want to disable MFA for, click .

    You must have the Owner or Administrator role to disable MFA for another operator account.

  5. Select Disable MFA.
    The Disable MFA dialog box opens.
  6. Click Confirm.
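
The enable and disable rules on this page leave three states an account owner may want to find: operators with no MFA, operators whose MFA is self-enabled (and so can be switched off by the same operator), and operators inside a Forgot Token password-only period. The following audit sketch is an added example, not WatchGuard code; the CSV layout, its column names, and the "Other" role label (any role other than Owner or Administrator) are hypothetical and the records are constructed.

```python
import csv
import io
from datetime import datetime, timedelta

ADMIN_ROLES = {"Owner", "Administrator"}  # the two roles named on this page

# Constructed sample records. The column names are hypothetical and do not
# represent a WatchGuard Cloud export format.
SAMPLE = """operator,role,mfa,mfa_set_by,bypass_start,bypass_hours
alice,Owner,on,admin,,
bob,Administrator,on,self,,
carol,Other,off,,,
dave,Other,on,admin,2024-05-01T08:00,24
erin,Administrator,off,,,
"""

def classify(row, now):
    """Return one finding for a single operator record."""
    if row["mfa"] != "on":
        return "no-mfa"
    if row["bypass_start"]:
        # Forgot Token: MFA is disabled for the period the Service Provider set.
        start = datetime.fromisoformat(row["bypass_start"])
        if now < start + timedelta(hours=int(row["bypass_hours"])):
            return "password-only-window"
    if row["mfa_set_by"] == "self":
        # Self-enabled MFA can be disabled again by the same operator.
        return "self-removable"
    # Enabled by an Owner/Administrator: only another such operator can disable it.
    return "enforced"

def audit(text, now):
    """Return (operator, role, finding) for every non-enforced account,
    with Owner/Administrator accounts listed first."""
    rows = csv.DictReader(io.StringIO(text))
    findings = [(r["operator"], r["role"], classify(r, now)) for r in rows]
    weak = [f for f in findings if f[2] != "enforced"]
    return sorted(weak, key=lambda f: (f[1] not in ADMIN_ROLES, f[0]))

if __name__ == "__main__":
    for op, role, finding in audit(SAMPLE, datetime(2024, 5, 1, 12, 0)):
        print(f"{op:6} {role:14} {finding}")
```

A "self-removable" finding is resolved by having an Owner or Administrator enable MFA for that operator, as described in the enable procedure above.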

See Also

About Operators

Add Operators to Your Account

Add Operators to Managed Accounts

See Account Information