Block a User or Token

Applies To: AuthPoint Multi-Factor Authentication, AuthPoint Total Identity Security

There are two ways to prevent authentication:

  • Block a User — The user cannot authenticate with any of their WatchGuard tokens on any of their mobile devices
  • Block a Token — The user cannot authenticate with that token, but can still authenticate with other active tokens

If a local AuthPoint user authenticates with an incorrect password more than ten consecutive times, AuthPoint automatically blocks the user account. This applies only to local AuthPoint user accounts, not to users synced from an external identity. On the Settings page, you can change the number of consecutive times a user can authenticate with an incorrect password before the user is blocked.

If a user fails three consecutive authentication attempts, AuthPoint automatically blocks the token used for authentication. The user cannot authenticate with the blocked token until an AuthPoint administrator unblocks the token. On the Settings page, you can change the number of consecutive times a user can fail to authenticate before a token is blocked.

AuthPoint considers authentications that do not have a valid response to be failed authentication attempts. This includes incorrect one-time passwords, incorrect verification codes for QR code authentication, and push notifications that are not valid.

AuthPoint does not consider denied push notifications to be failed authentication attempts.
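
The counting rules above, modelled as an added example (this is not WatchGuard code and does not call any AuthPoint API). The outcome labels, the user and token names, and the reset-on-success behaviour are assumptions made for illustration; the thresholds are the defaults stated on this page.

```python
from dataclasses import dataclass, field

# Defaults stated on this page; both can be changed on the Settings page.
USER_PASSWORD_LIMIT = 10  # user blocked after MORE than ten wrong passwords in a row
TOKEN_FAILURE_LIMIT = 3   # token blocked at three failed authentications in a row
# Responses the page counts as failed attempts (outcome labels are hypothetical).
TOKEN_FAILURES = {"otp_incorrect", "qr_code_incorrect", "push_invalid"}

@dataclass
class LockoutModel:
    local_users: set
    pw_streak: dict = field(default_factory=dict)
    token_streak: dict = field(default_factory=dict)
    blocked_users: set = field(default_factory=set)
    blocked_tokens: set = field(default_factory=set)

    def apply(self, user, token, outcome):
        if outcome == "password_incorrect":
            # Password lockout covers local AuthPoint accounts only.
            if user in self.local_users:
                self.pw_streak[user] = self.pw_streak.get(user, 0) + 1
                if self.pw_streak[user] > USER_PASSWORD_LIMIT:
                    self.blocked_users.add(user)
        elif outcome in TOKEN_FAILURES:
            self.token_streak[token] = self.token_streak.get(token, 0) + 1
            if self.token_streak[token] >= TOKEN_FAILURE_LIMIT:
                self.blocked_tokens.add(token)
        elif outcome == "success":
            # Assumption: "consecutive" means a success resets the streaks.
            self.pw_streak[user] = 0
            self.token_streak[token] = 0
        # "push_denied" changes nothing: the page says a denied push is not a
        # failed attempt (assumption: it also leaves the streak untouched).

def replay(events, local_users):
    model = LockoutModel(set(local_users))
    for user, token, outcome in events:
        model.apply(user, token, outcome)
    return model.blocked_users, model.blocked_tokens

# Constructed sample events (user, token, outcome); erin is a synced user.
SAMPLE_EVENTS = (
    [("alice", "alice-phone", "push_denied")] * 5
    + [("bob", "bob-phone", "otp_incorrect")] * 2 + [("bob", "bob-phone", "success")]
    + [("bob", "bob-phone", "otp_incorrect")] * 2
    + [("carol", "carol-hw", o) for o in sorted(TOKEN_FAILURES)]
    + [(u, None, "password_incorrect") for u in ("dave", "erin") for _ in range(11)]
)
print(replay(SAMPLE_EVENTS, {"alice", "bob", "carol", "dave"}))
```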

On the Users page, the User Name and Token columns show the status of the user account and that user's tokens. You can see if a user or token is active or blocked.

User Status:

  • Activated (green dot icon): The user account is activated and can authenticate with any active tokens.
  • Quarantined (yellow dot icon): The LDAP synced user account cannot authenticate because the LDAP user was moved or deleted.
  • Blocked (red dot icon): The user cannot authenticate with any WatchGuard tokens on any of their mobile devices and cannot log in to their password vault.

Token Status:

  • Activated (green dot icon): The token is activated and can be used for authentication.
  • Blocked (red dot icon): The token is blocked and the user cannot authenticate with that token (they can still authenticate with other active tokens).

Block a User

A blocked user cannot authenticate with any of their WatchGuard tokens on any of their mobile devices. The general use case for this action is to completely block a user account when the user has been offboarded or if they may be compromised in some way.

Blocking a user account does not affect third-party tokens that the user has imported to the AuthPoint mobile app. A blocked user can still use their third-party tokens, such as Google Authenticator, to authenticate with third-party resources.

A blocked user account cannot log in to their password vault.

To block a user:

  1. From the navigation menu, select Users.
  2. In the relevant user row, click the menu icon and select Block User.

  3. Click Yes.
    The status icon next to the user name turns red to indicate that the user is blocked.


The user is now blocked and cannot authenticate with any of their WatchGuard tokens on any of their mobile devices.

When a user is blocked, the status icon next to their tokens is still listed as activated. The status icon for a token only changes when you block a specific token.


Activate a Blocked User

To activate a blocked user:

  1. From the navigation menu, select Users.
  2. In the relevant user row, click the menu icon and select Activate User.

  3. Click Yes.
    The status icon next to the user name turns green to indicate that the user is activated.


The user is returned to the activated status and can authenticate with any of their unblocked WatchGuard tokens on any of their mobile devices.


Block or Unblock a Token

When you change the status of a token to blocked, the user cannot authenticate with that token, but can still authenticate with any other active tokens they have. The status icon next to each token in the Token column indicates whether the token is activated or blocked.

The general use case for this action is to prevent authentication from a specific mobile device that a token is activated on. For example, if a user loses their phone you could block the token that is activated on that device to prevent unauthorized access. This way, if the user has an active token on another device, they can still authenticate with that token.

In general, it is best practice to block a token first before you delete it. You can always change the status of a blocked token back to activated, but a deleted token cannot be restored. If you delete a token, you must create a new token for the user.

An end-user must have at least one active token in the AuthPoint mobile app to log in to their password vault on that device.

The steps to block a hardware token and a mobile token are the same.

To block or unblock a token:

  1. From the navigation menu, select Users.
  2. In the Token column, click the token to block or unblock.

  3. In the Token Management window, click Block Token or Activate Token. The option you see depends on the token status.


The status of the user's token is changed. If the token was activated, it becomes blocked and the user cannot authenticate with that token. If the token was blocked, it becomes activated and can be used for authentication.

