AuthPoint is WatchGuard's multi-factor authentication (MFA) service. With AuthPoint, you can require users to authenticate with the AuthPoint mobile app or a third-party hardware token when they log in to a protected resource, such as a computer, VPN, or a cloud service or application.
Because AuthPoint requires users to authenticate before they log in, data in your cloud applications and services is protected.
AuthPoint uses the latest MFA methods to protect your trusted resources from unauthorized access. You can choose different authentication methods for specific user groups and applications:
- Push Notification — When you log in, AuthPoint sends a push notification to your mobile device that you approve to authenticate and log in or deny to prevent an access attempt that was not made by you
- QR Code — When you log in, you scan a QR code with the AuthPoint mobile app and use the verification code you receive to authenticate (AuthPoint uses secure QR codes that can only be decrypted by the AuthPoint mobile app)
- One-Time Password (OTP) — An OTP is a unique, temporary password available in the AuthPoint app that you use to authenticate
Users install the AuthPoint mobile app on their phone. Then, when they log in to any online service or VPN, they must authenticate with one of the methods described above.
Components of AuthPoint
AuthPoint has several components:
AuthPoint Management UI
The AuthPoint management UI in WatchGuard Cloud is where you set up and manage your users, user groups, resources, external identities, and the AuthPoint Gateway. Resources are the applications that you define for use with AuthPoint. External identities connect to user databases to get user account information and validate passwords.
AuthPoint Mobile App
The AuthPoint mobile app is required for authentication. You can view and manage your tokens, approve push notifications, get OTPs, and scan QR codes. You can also enable Token Security to protect your tokens with a PIN or biometric ID.
AuthPoint Gateway
The AuthPoint Gateway is a lightweight software application that you install on your network so that AuthPoint can communicate with your RADIUS clients and LDAP databases. The Gateway operates as a RADIUS server and is required for RADIUS authentication and for LDAP users to authenticate with SAML resources.
The installer for the AuthPoint Gateway is available on the Downloads page in the AuthPoint management UI.
Logon App
The Logon app is used to require authentication when users log on to a computer or server. This includes protection for RDP and RD Gateway. There are two parts to the Logon app: the agent you install on a computer or server and the resource you configure in AuthPoint.
The Logon app agents for Windows and macOS are available on the Downloads page in the AuthPoint management UI.
Agent for ADFS
With the AuthPoint ADFS agent, you can add multi-factor authentication (MFA) to ADFS for additional security. To configure MFA for ADFS, you must have the AuthPoint Gateway installed.
The installer for the ADFS agent is available on the Downloads page in the AuthPoint management UI.
Agent for RD Web
The AuthPoint agent for RD Web adds the protection of multi-factor authentication to RD Web Access. There are two parts to the AuthPoint agent for RD Web: the agent you install and the resource you configure in AuthPoint.
The installer for the RD Web agent is available on the Downloads page in the AuthPoint management UI.
AuthPoint is a subscription security service. To use AuthPoint, you must activate an AuthPoint license in your WatchGuard account. The AuthPoint license determines the number of users you can configure to use AuthPoint for MFA. When you activate your AuthPoint license key, the user licenses are added to your AuthPoint account in WatchGuard Cloud.
If you are a WatchGuard Cloud Service Provider, you can allocate AuthPoint user licenses to accounts you manage in WatchGuard Cloud.
To set up and manage AuthPoint, you use the AuthPoint management UI in WatchGuard Cloud. To connect to WatchGuard Cloud, go to cloud.watchguard.com. Log in with your WatchGuard portal credentials.
To configure AuthPoint, select Configure > AuthPoint. If you have a Service Provider account, you must select an account from the Account Manager menu to configure AuthPoint for that account.
The Summary page shows tiles with summary configuration information.
To configure AuthPoint settings, click a tile title or one of the Management links:
- Resources — Configure the applications and services that your users connect to.
- Groups — Configure user groups, and add access policies that specify which resources users in that group can authenticate to and which authentication methods they can use (Push, QR code, and OTP).
- Users — Manage AuthPoint users and tokens. You can create local AuthPoint users or import LDAP users from an external authentication server. Each user can only be a member of one AuthPoint group.
- External Identities — Configure the information required for AuthPoint to connect to your Active Directory or LDAP databases to get user account information and validate passwords.
- Gateway — Configure settings for the AuthPoint Gateway, a lightweight software application that you install on your network so that AuthPoint can communicate with your RADIUS clients, the AuthPoint agent for ADFS, and your Active Directory or LDAP database.
- Hardware Tokens — Import hardware tokens and associate them with users.
The items in the AuthPoint management menu are listed in the optimal order to configure them. We recommend you start at Resources, and work your way down each item in the list until your configuration is complete.
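The relationships described above (a user belongs to exactly one group, a group carries access policies that name a resource and the methods allowed for it) can be modelled as a small policy check. This is an added illustration, not WatchGuard code; the group name, resource name, and user names are constructed sample values.

```python
"""Model of the AuthPoint group/policy/resource relationships described above.
Added example, not WatchGuard code. Assumed: one group per user, and each
policy names one resource plus the subset of Push, QR code, and OTP it allows."""
from dataclasses import dataclass, field

METHODS = {"push", "qr", "otp"}  # the three authentication methods on the page


@dataclass
class AccessPolicy:
    resource: str
    methods: frozenset  # subset of METHODS


@dataclass
class Group:
    name: str
    policies: dict = field(default_factory=dict)  # resource -> AccessPolicy


class Directory:
    def __init__(self):
        self.groups = {}
        self.user_group = {}  # user -> group name (exactly one group per user)

    def add_group(self, group):
        self.groups[group.name] = group

    def add_policy(self, group_name, resource, methods):
        unknown = set(methods) - METHODS
        if unknown:
            raise ValueError(f"unknown methods: {sorted(unknown)}")
        self.groups[group_name].policies[resource] = AccessPolicy(resource, frozenset(methods))

    def assign_user(self, user, group_name):
        if user in self.user_group:  # enforce the one-group-per-user rule
            raise ValueError(f"{user} is already in group {self.user_group[user]}")
        if group_name not in self.groups:
            raise KeyError(group_name)
        self.user_group[user] = group_name

    def check(self, user, resource, method):
        """Return (allowed, reason) for an authentication attempt."""
        group_name = self.user_group.get(user)
        if group_name is None:
            return False, "user has no group"
        policy = self.groups[group_name].policies.get(resource)
        if policy is None:
            return False, "no access policy for resource"
        if method not in policy.methods:
            return False, "method not allowed by policy"
        return True, "allowed"


def build_sample():
    # Constructed sample data: one group with a policy for one VPN resource.
    d = Directory()
    d.add_group(Group("vpn-users"))
    d.add_policy("vpn-users", "SSL-VPN", {"push", "otp"})
    d.assign_user("alice", "vpn-users")
    return d
```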
Use AuthPoint dashboards and reports to monitor AuthPoint activity and status.
To monitor AuthPoint, select Monitor > AuthPoint. If you have a Service Provider account, you must select an account from the Account Manager menu to monitor AuthPoint for that account.
In the Monitor section of the AuthPoint management UI, you can see these dashboards and reports:
- User Activity — A bar graph that shows how many times each active user has authenticated, the last time each inactive user authenticated, and how and when blocked users were blocked.
- Authentication — A bar graph that shows successful and failed authentication attempts for each user. For each attempt, a list shows the authentication date, the token that was used, the authentication method, and the resource the user authenticated to.
- Resource Activity — A bar graph of resources that shows successful and failed authentication attempts for each resource. For each attempt, a list shows which user authenticated, the authentication date, the token that was used, and the authentication method.
- Denied Push Notifications — A bar graph that shows a count of how many push notifications have been denied by users.
- Activation Activity — Shows a list of user tokens that have not yet been activated.
- Sync Activity — Shows information about the synchronization of your LDAP database if you have added an external identity.
Audit logs and notifications, available from the Administration menu, provide additional information about AuthPoint events that can be useful for troubleshooting.