AuthPoint Logon App Incorrectly Requires MFA

Applies To: AuthPoint Multi-Factor Authentication, AuthPoint Total Identity Security

When an AuthPoint user who should bypass MFA logs in to a computer with the Logon app installed, the user is prompted for MFA. In these cases, the most common cause is an issue with the authentication policies.

Symptoms

  • Users who should bypass MFA are prompted for MFA when they log in to computers with the Logon app installed
  • Issue only affects specific users

Diagnostic Steps

  1. Determine if the user is an AuthPoint user (in WatchGuard Cloud go to Configure > AuthPoint > Users) or a non-AuthPoint user associated with the Logon app resource (in WatchGuard Cloud go to Configure > AuthPoint > Resources and edit your Logon app resource).
  2. Review your Zero Trust policies.
  3. Review the settings you have configured in the Access for Non-AuthPoint Users section of the Logon app.
  4. Review the audit logs to determine if the authentications match a specific policy.

Possible Causes and Solutions

Possible Cause: The user is an AuthPoint user that has an MFA policy for the Logon app.
Solution: Update the Zero Trust policy to only require a password, or add a new higher-priority policy that only requires a password.

Possible Cause: The user belongs to an incorrect group.
Solution: Make sure the user belongs to the correct user groups and that only password authentication is required by the highest-priority Zero Trust policy that applies to the user and includes the Logon app resource.

Possible Cause: Access for non-AuthPoint users is not allowed.
Solution: Edit your Logon app resource and review the settings you have configured in the Access for Non-AuthPoint Users section. Make sure the non-AuthPoint user is allowed to bypass MFA.

Possible Cause: A Zero Trust condition affects the authentication.
Solution: Make sure the conditions that have been added to your Zero Trust policies are correct. When you add a condition to a Zero Trust policy, the policy only applies to user authentications that match the conditions. For example, if you add a specific network location to a policy, the policy only applies to user authentications that come from that network location. If your password-only policy includes a condition, the policy does not apply when the condition is not met, and a lower-priority policy (such as one that requires MFA) applies instead.

Verify that you allow low accuracy location data for geofence conditions. Geofence conditions require low accuracy location data for RDP connections, Firebox resources, Windows VMs, and authentications with location data based on an IP address.

For network location conditions, the authorized and unauthorized audit logs show the origin IP address of the authentication. Make sure the IP address in the audit log is the one you expect.
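As an added illustration of how the priority, group, resource and condition checks above interact (example code, not part of this page or of AuthPoint): a toy policy evaluator in which the group names, resource name, priority ordering and network ranges are constructed assumptions. It shows a password-only policy with a network location condition silently falling through to an MFA policy when a login comes from another network.

```python
"""Toy model of how a priority-ordered Zero Trust policy list selects the
authentication method for a Logon app login. Constructed example, not
AuthPoint's implementation; policy fields and priority order are assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Policy:
    name: str
    priority: int            # lower number = higher priority (assumption)
    groups: set              # user groups the policy applies to
    resources: set           # resources the policy includes
    methods: list            # e.g. ["password"] or ["password", "push"]
    networks: list = field(default_factory=list)  # network location condition

    def applies(self, user_groups, resource, source_ip):
        if not (self.groups & user_groups) or resource not in self.resources:
            return False
        # A policy with a condition only applies to authentications that meet it;
        # a login from outside the listed networks falls through to the next policy.
        if self.networks:
            ip = ip_address(source_ip)
            return any(ip in ip_network(n) for n in self.networks)
        return True

def select_policy(policies, user_groups, resource, source_ip):
    """Return the highest-priority policy that applies, or None if none does."""
    for policy in sorted(policies, key=lambda p: p.priority):
        if policy.applies(user_groups, resource, source_ip):
            return policy
    return None

def required_methods(policies, user_groups, resource, source_ip):
    """Authentication methods the user is prompted for (None = no policy, access denied)."""
    policy = select_policy(policies, user_groups, resource, source_ip)
    return policy.methods if policy else None

# Constructed policy set: a password-only policy for one group, restricted to the
# office network, above a catch-all MFA policy for the same Logon app resource.
POLICIES = [
    Policy("Logon password only", 1, {"Service Desk"}, {"Logon app"},
           ["password"], networks=["10.0.0.0/8"]),
    Policy("Logon MFA", 2, {"All Staff", "Service Desk"}, {"Logon app"},
           ["password", "push"]),
]

if __name__ == "__main__":
    for ip in ("10.1.2.3", "203.0.113.7"):   # on the office network / remote
        print(ip, required_methods(POLICIES, {"Service Desk", "All Staff"}, "Logon app", ip))
```

Comparing the two printed results with the origin IP address in the audit log is the same check the troubleshooting steps above describe: the remote login is prompted for MFA because the condition on the password-only policy was not met, not because the MFA policy is wrong.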

Related Log Messages

Audit logs show that the user authentication matches a Zero Trust authentication policy.

Related Topics

Troubleshoot AuthPoint

General Troubleshooting Tips for AuthPoint

AuthPoint Tips and Best Practices