Block a User or Token

Applies To: AuthPoint Multi-Factor Authentication, AuthPoint Total Identity Security

Some of the features described in this help topic are only available to participants in the WatchGuard Beta test community. If a feature described in this topic is not available, it is a beta-only feature.

There are two ways to prevent authentication:

  • Block a User — The user cannot authenticate with any of their WatchGuard tokens on any of their mobile devices
  • Block a Token — The user cannot authenticate with that token, but can still authenticate with other active tokens

If a user fails three consecutive authentication attempts, AuthPoint automatically blocks the token used for authentication. The user cannot authenticate with the blocked token until an AuthPoint administrator unblocks the token. On the Settings page, you can change the number of consecutive failed authentication attempts allowed before a token is blocked.

AuthPoint considers authentications that do not have a valid response to be failed authentication attempts. This includes incorrect one-time passwords, incorrect verification codes for QR code authentication, and push notifications that are not valid.

AuthPoint does not consider denied push notifications to be failed authentication attempts.
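The counting rules above can be modeled as a small state machine. This is an added illustration, not WatchGuard code or an AuthPoint API; the event names and class names are hypothetical. It assumes that a successful authentication resets the failure streak, that a denied push leaves the streak unchanged, and that an administrator unblock resets it.

```python
from dataclasses import dataclass

# Hypothetical event names for the responses the page lists.
FAILED = {"wrong_otp", "wrong_qr_code", "invalid_push"}   # counted as failures
NOT_COUNTED = {"denied_push"}                             # not counted as a failure

@dataclass
class Token:
    status: str = "Activated"          # "Activated" or "Blocked"
    consecutive_failures: int = 0

@dataclass
class User:
    tokens: dict
    status: str = "Activated"          # a user-level block overrides every token
    max_failures: int = 3              # value from the page; configurable in Settings

    def authenticate(self, token_name: str, response: str) -> str:
        token = self.tokens[token_name]
        if self.status != "Activated":
            return "rejected: user blocked"
        if token.status == "Blocked":
            return "rejected: token blocked"
        if response in NOT_COUNTED:
            return "denied"                    # assumption: streak left unchanged
        if response in FAILED:
            token.consecutive_failures += 1
            if token.consecutive_failures >= self.max_failures:
                token.status = "Blocked"       # stays blocked until an admin acts
                return "failed: token now blocked"
            return "failed"
        token.consecutive_failures = 0         # assumption: success resets the streak
        return "ok"                            # any other response is a valid one

    def admin_activate_token(self, token_name: str) -> None:
        token = self.tokens[token_name]
        token.status, token.consecutive_failures = "Activated", 0

def demo() -> list:
    # Constructed sample: one user with two tokens.
    user = User(tokens={"phone": Token(), "hardware": Token()})
    events = ["wrong_otp", "denied_push", "wrong_qr_code", "invalid_push", "valid_otp"]
    log = [user.authenticate("phone", e) for e in events]
    log.append(user.authenticate("hardware", "valid_otp"))   # other token unaffected
    user.status = "Blocked"                                  # admin blocks the user
    log.append(user.authenticate("hardware", "valid_otp"))
    log.append(user.tokens["hardware"].status)               # token status unchanged
    return log
```

In the sample run, the denied push between failures does not count toward the threshold, the third counted failure blocks only the phone token, and a later user-level block rejects the hardware token even though its own status is still Activated.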

On the Users page, the User Name and Token columns show the status of the user account and that user's tokens. You can see if a user or token is active or blocked.

User status definitions:

  • Activated: The user account is activated and can authenticate with any active tokens
  • Quarantined: The LDAP synced user account cannot authenticate because the LDAP user was moved or deleted
  • Blocked: The user cannot authenticate with any WatchGuard tokens on any of their mobile devices and cannot log in to their password vault

Token status definitions:

  • Activated: The token is activated and can be used for authentication
  • Blocked: The token is blocked and the user cannot authenticate with that token (they can still authenticate with other active tokens)

Block a User

A blocked user cannot authenticate with any of their WatchGuard tokens on any of their mobile devices. The general use case for this action is to completely block a user account when the user has been offboarded or if they may be compromised in some way.

Blocking a user account does not affect third-party tokens that the user has imported to the AuthPoint mobile app. A blocked user can still use their third-party tokens, such as Google Authenticator, to authenticate with third-party resources.

A blocked user cannot log in to their password vault.

To block a user:

  1. From the navigation menu, select Users.
  2. In the relevant user row, click and select Block User.
  3. Click Yes.
    The status icon next to the user name turns red to indicate that the user is blocked.

The user is now blocked and cannot authenticate with any of their WatchGuard tokens on any of their mobile devices.

When a user is blocked, the status icon next to their tokens is still listed as activated. The status icon for a token only changes when you block a specific token.

Activate a Blocked User

To activate a blocked user:

  1. From the navigation menu, select Users.
  2. In the relevant user row, click and select Activate User.
  3. Click Yes.
    The status icon next to the user name turns green to indicate that the user is activated.

The user is returned to the activated status and can authenticate with any of their unblocked WatchGuard tokens on any of their mobile devices.

Block or Unblock a Token

When you change the status of a token to blocked, the user cannot authenticate with that token, but can still authenticate with any other active tokens they have. The status icon next to each token in the Token column indicates whether the token is activated or blocked.

The general use case for this action is to prevent authentication from a specific mobile device that a token is activated on. For example, if a user loses their phone you could block the token that is activated on that device to prevent unauthorized access. This way, if the user has an active token on another device, they can still authenticate with that token.

In general, it is best practice to block a token first before you delete it. You can always change the status of a blocked token back to activated, but a deleted token cannot be restored. If you delete a token, you must create a new token for the user.

An end-user must have at least one active token in the AuthPoint mobile app to log in to their password vault on that device.

The steps to block a hardware token and a mobile token are the same.

To block or unblock a token:

  1. From the navigation menu, select Users.
  2. In the Token column, click the token to block or unblock.
  3. In the Token Management window, click Block Token or Activate Token. The option you see depends on the token status.

The status of the user's token is changed. If the token was activated, it becomes blocked and the user cannot authenticate with that token. If the token was blocked, it becomes activated and can be used for authentication.

User with a blocked token.

See Also

Activate a Token

About Authentication

AuthPoint Settings

Authentication Without Your Mobile Device

Add New Software Tokens

Resend Activation Email