Enable MFA for Your WatchGuard User Account

By default, your WatchGuard Portal user account uses a password for authentication. For increased security you can enable multi-factor authentication (MFA) for your user account. The WatchGuard Portal uses AuthPoint, WatchGuard's multi-factor authentication service, for MFA. When you enable MFA for your user account, you continue to log in to the WatchGuard Portal with your user name and password, but you must also authenticate with your token in the AuthPoint mobile app.

You can enable MFA for your WatchGuard Portal user account even if you have not purchased a license for the AuthPoint service. WatchGuard provides a free token for MFA with the WatchGuard Portal.

WatchGuard Customer Care is the administrator of AuthPoint MFA for WatchGuard user accounts. Contact Customer Care for any administrative actions related to MFA for your WatchGuard Account. For example, Customer Care can:

  • Add a new token to your account for a different mobile device.
  • Enable temporary access to your account if you do not have access to your mobile device.
  • Unblock a token.

If you fail three consecutive authentication attempts, AuthPoint automatically blocks the token used for authentication. If this happens, you must contact Customer Care. You cannot authenticate with the blocked token until Customer Care unblocks the token.

AuthPoint considers authentications that do not have a valid response to be failed authentication attempts. This includes incorrect one-time passwords, incorrect verification codes for QR code authentication, and push notifications that are not valid.

AuthPoint does not consider denied push notifications to be failed authentication attempts.

Install the AuthPoint Mobile App

To use MFA to authenticate with the WatchGuard Portal, you must install the AuthPoint mobile app on a mobile device. The WatchGuard AuthPoint app is available for free from Apple's App Store or Google Play.

Enable MFA for Your WatchGuard Portal User Account

You can enable MFA for your own user account in the WatchGuard Portal. After you enable MFA, WatchGuard sends an activation email to the email address associated with your WatchGuard account. The email contains a link to activate a new AuthPoint token on your mobile device.

To enable MFA for your user account:

  1. Go to www.watchguard.com and log in to the WatchGuard Portal with your user account credentials.
  2. In Support Center, select My WatchGuard > Manage Profile.
    The Manage Profile page appears.
  3. In the About You section, click Edit.
    Your user account information appears.

Screen shot of User Information page

  1. Next to the Multi-Factor Authentication status, click Edit.
    The Manage Multi-Factor Authentication page appears.

Screen shot of the Manage Multi-Factor Authentication page.

  1. If the email address for your account is not correct, click Edit to edit your account settings.

    2. If the same email address is associated with more than one user account in the WatchGuard Portal, you can enable MFA for only one of those accounts.

  2. To enable MFA, click Enable MFA.
    A confirmation message appears.

Screen shot of MFA confirmation message

  1. Click Continue.
    MFA is enabled and the Manage Multi-Factor Authentication page appears. WatchGuard sends you an email with a link to activate the AuthPoint token for your mobile device. The email can take several minutes to arrive.

Screen shot of Manage Multi-Factor Authentication page with MFA enabled

  1. Open the activation email from WatchGuard ([email protected]).
  2. In the email, click the activation link to download the AuthPoint app and activate your WatchGuard token.

Use the AuthPoint App to Authenticate

After you activate your WatchGuard token, you must use the AuthPoint app to authenticate each time you log in to the WatchGuard Portal and when you log in to WatchGuard cloud-based services that use your WatchGuard Portal ID for authentication, such as Wi-Fi Cloud and WatchGuard Cloud.

To log in to the WatchGuard Portal with MFA enabled:

  1. Go to the WatchGuard Portal login page.
  2. Type your user name and password. Click Log in.
    You are prompted to authenticate.

Screen shot of MFA options

  1. Select an authentication method and use the AuthPoint app to authenticate.
    You can select one of these authentication methods:

Push

With this method, an AuthPoint notification appears on your mobile device. On the push notification that is sent to your mobile device, tap Approve to authenticate and log in.

One-Time Password

With this method, the AuthPoint app generates a unique, temporary password you must provide in addition to your normal password to authenticate and log in. In the One-Time Password text box, type the OTP shown for your token in the AuthPoint app.

QR Code

With this method, you use the AuthPoint app and the camera on your mobile device to read a QR code. Then you type a 6-digit verification code to authenticate and log in.

For more information about each of these authentication methods, see About Authentication.

Authenticate Without Your Mobile Device

If you forget your mobile device at home, or do not have access to it for some other reason, WatchGuard Customer Care can allow you to log in without your mobile device for a limited amount of time.

Follow these steps if you do not have access to the mobile device you use for authentication:

  1. Go to www.watchguard.com and log in to the WatchGuard Portal with your user account credentials.
    You are prompted to authenticate.
  2. From the Sign-in Options section, click Forgot Token.
    The Forgot Token screen appears, with an Activation Code.

Screen shot of Forgot Token page

  1. Contact WatchGuard Customer Care and tell them that you do not have access to your mobile device.
  2. Provide WatchGuard Customer Care with the Activation Code.
  3. Type the Period (Hours) and Verification Code values that WatchGuard Customer Care gives to you.
  4. Click Finish.

After you finish and validate the Period and Verification Code values, you are logged in. Multi-factor authentication is disabled for the time period specified by WatchGuard Customer Care. For the specified amount of time, you can log in with just your user name and password.

Disable MFA for Your WatchGuard Portal User Account

If you no longer want to use multi-factor authentication when you log in to the WatchGuard Portal, you can disable MFA for your own user account.

If you disable MFA, we recommend that you do not delete the AuthPoint token from your mobile device. You can reuse this AuthPoint token if you enable MFA again.

To disable MFA for your user account:

  1. Go to www.watchguard.com and log in to the WatchGuard Portal with your user account credentials.
  2. In Support Center, select My WatchGuard > Manage Profile.
    The Manage Profile page appears.
  3. In the About You section, click Edit.
    Your user account information appears.
  4. Next to the Multi-Factor Authentication status, click Edit.
    The Manage Multi-Factor Authentication page appears.

Screen shot of the Manage Multi-Factor Authentication page.

  1. To disable MFA, click Disable MFA.
    A confirmation message appears.

Screen shot of Disable MFA confirmation message

  1. Click Continue.
    MFA is disabled and the Manage Multi-Factor Authentication page appears.

See Also

Manage User Accounts in the WatchGuard Portal