Enable MFA for Your User Account

By default, your WatchGuard Cloud user account uses a password for authentication. For increased security you can enable multi-factor authentication (MFA) for your user account. WatchGuard Cloud uses AuthPoint, WatchGuard's multi-factor authentication service, for MFA. When you enable MFA for your user account, you continue to log in to WatchGuard Cloud with your user name and password, but you must also authenticate with your token in the AuthPoint mobile app.

If you fail three consecutive authentication attempts, AuthPoint automatically blocks the token used for authentication. If this happens, you must contact Customer Care. You cannot authenticate with the blocked token until Customer Care unblocks the token.

AuthPoint considers authentications that do not have a valid response to be failed authentication attempts. This includes incorrect one-time passwords, incorrect verification codes for QR code authentication, and push notifications that are not valid.

AuthPoint does not consider denied push notifications to be failed authentication attempts.
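The blocking rule described above, modeled as an added example (not WatchGuard code): it replays a constructed list of authentication results per token and reports which tokens end up blocked. The result labels are hypothetical, and two behaviors the page does not state are assumptions: a successful authentication resets the count, and a denied push leaves it unchanged.

```python
from collections import defaultdict

BLOCK_THRESHOLD = 3  # from the page: three consecutive failed attempts

# Hypothetical result labels; AuthPoint's real log fields are not shown on the page.
FAILED = {"otp_incorrect", "qr_code_incorrect", "push_invalid"}
NEUTRAL = {"push_denied"}  # page: not a failed attempt (assumed to leave the count as is)
SUCCESS = {"success"}      # assumption: a valid authentication resets the count


def replay(events):
    """Replay (token_id, result) pairs in order.

    Returns {token_id: index of the event that blocked the token}.
    """
    streak = defaultdict(int)
    blocked = {}
    for i, (token, result) in enumerate(events):
        if token in blocked:
            continue  # stays blocked until Customer Care unblocks it
        if result in FAILED:
            streak[token] += 1
            if streak[token] >= BLOCK_THRESHOLD:
                blocked[token] = i
        elif result in SUCCESS:
            streak[token] = 0
        elif result not in NEUTRAL:
            raise ValueError(f"unknown result {result!r}")
    return blocked


# Constructed sample data, not real AuthPoint output.
SAMPLE = [
    ("tok-a", "otp_incorrect"),
    ("tok-a", "otp_incorrect"),
    ("tok-a", "success"),           # resets tok-a's count
    ("tok-a", "otp_incorrect"),
    ("tok-b", "push_denied"),       # does not count
    ("tok-b", "push_invalid"),
    ("tok-b", "push_denied"),
    ("tok-b", "qr_code_incorrect"),
    ("tok-b", "otp_incorrect"),     # third failure: tok-b is blocked
    ("tok-b", "success"),           # ignored, token already blocked
]

if __name__ == "__main__":
    for token, idx in replay(SAMPLE).items():
        print(f"{token} blocked at event {idx}")
```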

To manage MFA for your user account, you can:

For some administrative actions related to MFA for your WatchGuard account, you must contact WatchGuard Customer Care:

  • Send a new token activation email if you delete the token on your current mobile device or if your mobile device is replaced and you cannot migrate your token.
  • Add a new token to your account for an additional mobile device.
  • Enable temporary access to your account if you do not have access to your mobile device.
  • Unblock a token.

Enable MFA for Your User Account

You can enable MFA for your own user account in WatchGuard Cloud. After you enable MFA, WatchGuard sends an activation email to the email address associated with your WatchGuard account. The email contains a link to activate a new AuthPoint token on your mobile device.

To enable MFA for your user account:

  1. Log in to WatchGuard Cloud.
  2. In the upper-right corner, click .
    The My Account menu opens.

Screenshot of the account menu

  3. Click My Account.
    The My Account page opens.
  4. From the Operators list, next to your user name, click .
  5. Select Enable MFA.
    The Confirm Email Address dialog box opens.

Screenshot of the Confirm Email Address dialog box for MFA

  6. If the email address for your account is correct, click Confirm Email.
    WatchGuard sends an activation email to the email address associated with your account. The email contains a link to activate a new AuthPoint token on a mobile device.

    If the same email address is associated with more than one user account in WatchGuard Cloud, you can enable MFA for only one of those accounts.

  7. Open the activation email from WatchGuard ([email protected]).
  8. In the email, click the activation link to download the AuthPoint app and activate your WatchGuard token.

Resend an MFA Token Activation Email Message

If you do not receive your MFA token activation email, check your spam folder for an email from '[email protected]'. If you cannot find the email, or if the activation link expires, you can resend it.

To resend an MFA token activation email message:

  1. Log in to WatchGuard Cloud.
  2. In the upper-right corner, click . Click My Account.
  3. From the Operators list, next to your user name, click .
  4. Select Resend Token Activation Email.
  5. In the confirmation dialog box, click Resend Email.

Install the AuthPoint Mobile App

To use MFA to authenticate with WatchGuard Cloud, you must install the AuthPoint mobile app on a mobile device. The WatchGuard AuthPoint app is available for free from Apple's App Store or Google Play.

Use the AuthPoint App to Authenticate

After you activate your WatchGuard token, you must use the AuthPoint app to authenticate each time you log in to WatchGuard Cloud and when you log in to WatchGuard cloud-based services that use your WatchGuard ID for authentication, such as Wi-Fi Cloud.

To log in to WatchGuard Cloud with MFA enabled:

  1. Go to cloud.watchguard.com.
  2. Type your user name and password. Click Log in.
    You are prompted to authenticate.

Screen shot of MFA options

  3. Select an authentication method and use the AuthPoint app to authenticate.
    You can select one of these authentication methods:

Push

With this method, an AuthPoint notification appears on your mobile device. On the push notification that is sent to your mobile device, tap Approve to authenticate and log in.

One-Time Password

With this method, the AuthPoint app generates a unique, temporary password you must provide in addition to your normal password to authenticate and log in. In the One-Time Password text box, type the OTP shown for your token in the AuthPoint app.

QR Code

With this method, you use the AuthPoint app and the camera on your mobile device to read a QR code. Then you type a 6-digit verification code to authenticate and log in.

For more information about each of these authentication methods, go to About Authentication.

Authenticate Without Your Mobile Device

If you forget your mobile device at home, or do not have access to it for some other reason, WatchGuard Customer Care can allow you to log in without your mobile device for a limited amount of time.

Follow these steps if you do not have access to the mobile device you use for authentication:

  1. Go to cloud.watchguard.com and log in.
    You are prompted to authenticate.
  2. From the Sign-in Options section, click Forgot Token.
    The Forgot Token screen opens, with an activation code.

Screen shot of Forgot Token page

  3. Contact WatchGuard Customer Care and tell them that you do not have access to your mobile device.
  4. Provide WatchGuard Customer Care with the activation code.
  5. Type the Period (Hours) and Verification Code values that WatchGuard Customer Care gives to you.
  6. Click Finish.

After you finish and validate the Period and Verification Code values, you are logged in. Multi-factor authentication is disabled for the time period specified by WatchGuard Customer Care. For the specified amount of time, you can log in with only your user name and password.

Move an AuthPoint Token to Another Device

If you get a new mobile device, you can migrate your AuthPoint token from your old device to the new one. When you migrate a token, AuthPoint deletes the token from your current mobile device and you receive an activation email to activate the token on a new device.

To migrate an AuthPoint token:

  1. On your old mobile device, open the AuthPoint mobile app.

    If you lose your mobile device, or delete your token, you can disable and re-enable MFA for your operator account. When you enable MFA again, WatchGuard sends an activation email to the email address associated with your operator account to activate a new token.

  2. Next to your token, tap (Android) or (iOS) and select Migrate Token.
  3. When prompted to continue, tap Yes.
    Your token is deleted and you receive an activation email you can use to activate the token on a new device.
  4. Install the AuthPoint mobile app on your new mobile device.
  5. Open the activation email and activate your token on the new mobile device.

Disable MFA for Your User Account

If you no longer want to use multi-factor authentication when you log in to WatchGuard Cloud, you can disable MFA for your own user account, unless an operator with the Owner or Administrator role enabled MFA on your account.

If you disable MFA, we recommend that you do not delete the AuthPoint token from your mobile device. You can reuse this AuthPoint token if you enable MFA again.

To disable MFA for your user account:

  1. Log in to WatchGuard Cloud.
  2. In the upper-right corner, click . Click My Account.
  3. From the Operators list, next to your user name, click .
  4. Select Disable MFA.
    A confirmation message appears.

Screen shot of the Disable MFA confirmation dialog box

  5. To confirm you want to disable MFA for your account, click Disable MFA.
