WatchGuard Blog: Authentication

AuthPoint MFA is now available for Windows Hello

Fabio Mansur — Mon, 24 Jul 2023 06:39:37 -0700

The AuthPoint MFA Agent for Windows has been updated to include support for Windows Hello for Business. This version now offers the capability to add AuthPoint MFA methods of verification for computers and servers enrolled in Windows Hello for Business. Passwordless support from Hello includes fingerprint, face recognition, and PIN (fallback), and then users will verify their identity with Push, QR code, or OTP from AuthPoint MFA.

Remember that the MFA options for Windows Hello can also be combined with Policy Objects (Time Schedule, Network Locations, Geofence and Geokinetics), so you have the flexibility to configure the security level that best matches your requirements. If you need more information about Policy Objects usage, check here.

Additionally, credential provider wrapping is supported to enable service providers to load SpecOps Password Policy Tool together with this version of the AuthPoint MFA Windows Logon Agent for clients that are not enrolled in Windows Hello for Business.

The installer is available in the Downloads page of your AuthPoint account. You can install it on new machines or upgrade existing ones using the same deploy method of the previous agent versions, manually or silently, with any software distribution tool of your preference.

See the Help Center article for detailed steps to configure or install the Logon app.

New AuthPoint product: AuthPoint Total Identity Security

Fabio Mansur — Thu, 13 Jul 2023 15:11:34 -0700

We are launching AuthPoint Total Identity Security, a new product bundle from the AuthPoint product line, which offers:

AuthPoint MFA – Deploy a complete multi-factor authentication solution with single sign-on (SSO) and risk-based authentication that’s easy to manage and use. AuthPoint MFA service is also available for purchase separately.
Dark Web Monitor – Get notified when compromised credentials from monitored domains are found on the dark web and published to credentials databases.
Corporate Password Manager – Improve password quality, reduce resets, and mitigate risk from shared or stolen passwords. Our Corporate Password Manager creates strong, complex passwords and provides the enforcement controls and shared vaults that businesses need.

Total Identity Security enables customers to protect their users’ accounts and credentials regardless of whether they have fully adopted multi-factor authentication, plus add a new layer of protection by monitoring for potential credential exposure in the dark web for both personal and corporate accounts.

Dark Web Monitoring

The Dark Web Monitor is a proactive service that notifies both administrators and end-users when compromised credentials from monitored domains are found in a newly acquired credentials database that is published to the WatchGuard Dark Web service.

Password Manager

A corporate password manager gives companies more control over password quality, reduce the need for password resets, and can help to mitigate issues related to shared, reused, and stolen passwords.

With WatchGuard’s Corporate Password Manager, when users need to access their apps or systems, they can retrieve their passwords using the AuthPoint mobile app, available for iOS and Android and browser extension, available for all major browsers. This allows businesses to add non-SAML Cloud applications to the Application Portal to fill out credentials automatically (forms-based authentication) for a smooth SSO experience.

Try it now

Talk to your partner or go to your WatchGuard account and access the Trials page for a one-click trial experience to start using it. You can even try the AuthPoint Total Identity Security in the same account that you already have an active AuthPoint MFA license.

To know more about it, click here.:

New AuthPoint Feature: Email Activation Control

Fabio Mansur — Thu, 29 Jun 2023 06:59:07 -0700

We are improving the token activation process by adding new configuration options for operators. The email activation control feature helps to better match the user token activation flow with customer needs, as in the following scenarios:

Customers that are using Office with MFA and their users don’t have access to the email to activate the token. Instead, they activate through the applications portal.
Customers that are using hardware tokens. In this case, the activation does not require the email.
Customers are doing an initial setup, creating users, but will configure the resources later, so the activation email must be sent later.

The new configuration options are available when creating a user or configuring the synchronization from Active Directory or Azure:

Disable automatic assignment of a mobile token to new users,
Disable automatic activation emails to new users.

These options combined with the capability of users to activate tokens using the single sign-on (SSO) applications portal helps admins prioritize customer needs and improves token management, as well as process optimization. We aim to improve organizations' access control processes and enhance their security mechanisms while keeping intruders at bay.

AuthPoint Push Phishing Toggle

Fabio Mansur — Thu, 11 May 2023 11:27:52 -0700

Phishing is a very well-known technique of social engineer attack used by hackers to access user’s and companies´ sensitive information. Phishing is usually applicable for password compromise and malware, but an emerging threat is a technique called MFA fatigue or MFA push spam. The technique consists of an attacker, that has the credential information of a user (username and password), to send a consecutive, stream of push notifications to the user’s phone, until he approves one of them.

To mitigate this kind of attack, we have added a push phishing toggle feature on the AuthPoint mobile app. After a push notification is received on the app, recognized as a non-legit request by the user and denied, he can choose to disable the reception of new push notifications on his mobile to avoid the push fatigue and minimizing the chance to approve incorrectly an authentication request. At any time, the user can enable again the receiving of new push notifications.

Combine with authentication policies for better protection!

The push phishing or push fatigue can be a relatively easy way for attackers to get access to companies’ assets. Allow a user to disable push notifications is one more tool to help companies to prevent unauthorized access. Combined with other features, like policy restriction (for example, time policy to not allow user access after working hours or during weekends and geo kinetics, to automatically deny authentications done from different locations/small time interval), AuthPoint provides options to minimize the occurrence of this kind of attack.

Check if your mobile app has been updated to version 2.1.0 (Android or iOS) to take advantage of this new feature and learn more about AuthPoint:

Read AuthPoint Zero-Trust Framework eBook >

Read AuthPoint Partner Brief >

New AuthPoint Geokinetics Policy in WatchGuard Cloud

Fabio Mansur — Tue, 06 Dec 2022 09:00:00 -0800

As part of AuthPoint’s Zero-Trust Framework, a new policy is now available in WatchGuard Cloud. The goal of the Geokinetics policy is to prevent unexpected authentications from attackers that are distant from the authorized user. For example, if the user is in the U.S., and an attacker from a different geographic location tries to authenticate with the user’s credentials, this policy can block the attackers request, even if the user is subject to phishing or social engineering and is convinced by the attacker to approve a push notification or a one-time password (OTP).

Empowering Your MFA Selling Strategy with AuthPoint’s Zero-Trust Framework

Take advantage of advanced features like risk policies to ace more multi-factor authentication (MFA) deals. Risk policies enable you to manage authentication requirements based on your customers’ security needs. Choose to strengthen or streamline the authentication experience according to the level of risk and type of user.

How is this policy different from other policies? The geokinetics policy compares the user’s device location on consecutive authentications and checks the distance and time between them. It can automatically block an authentication that does not match the configured parameters set by the operator.

Currently, the following AuthPoint policy objects are available in WatchGuard Cloud:

IP Location
Geolocation
Time Schedule
Geokinetics

Remember that the combination of the existing policies provides more flexibility and more powerful configurations, tailored to your end users’ needs.

Learn more about AuthPoint

Read AuthPoint Zero-Trust Framework eBook >

Read AuthPoint Partner Brief >

New AuthPoint Gateway Agent 7.1

Fabio Mansur — Mon, 07 Nov 2022 10:37:36 -0800

A new gateway agent is available in WatchGuard Cloud. The new version addresses bug fixes, Open Source Scanning (OSS) improvements and better performance on the LDAP sync flow and on the overall gateway operations.

Always keep your environment with the latest AuthPoint Gateway version:

Download the updated version in WatchGuard Cloud
Run the installer to upgrade your installed Gateway. For detailed instructions to update an installed Gateway, see Update an Installed Gateway .

Note: We recommend that you upgrade all your primary and secondary Gateways. The steps to upgrade a secondary Gateway are the same as the steps to upgrade a primary Gateway.

For more details, read the AuthPoint Gateways Help Center article.

New Versions Available for ADFS and RD Web AuthPoint Agents

Fabio Mansur — Thu, 29 Sep 2022 10:00:00 -0700

New versions of the agents for ADFS and RD Web are now available from your AuthPoint downloads page in WatchGuard Cloud, fixing minor issues and improvements. These updates help us maintain our applications on track with the latest vulnerability prevention practices.

New versions available

ADFS 1.2.1
RD Web 1.2.6

Recommended actions for partners and customers

Although this is not a mandatory upgrade, we recommend you keep your agents always updated, not only to support new features, but also to keep up with the most stable versions with stability and performance improvements.

New Beta alert! Take your passwords security to a new level

Fabio Mansur — Fri, 27 May 2022 09:00:00 -0700

Lack of password management is exposing companies to credentials theft. Our AuthPoint MFA helps to mitigate issues related to user authentication, and passwords are indeed one of those factors. They need to be protected as well. To help you and your customers protect passwords, we are launching AuthPoint Total Identity Security.

Total Identity Security is our new authentication product that, besides all the AuthPoint capabilities you already use today (like authentication, policies, user and risk management), includes two other sets of features:

Dark Web Monitor: a tool that notifies users and administrators if their corporate credentials ended up in the dark web, through a new leaked database. This allows you to be proactive and change the password, even if it wasn’t necessarily cracked.
Business Password Manager: a tool that allows your company to engage users on redefining their business passwords, using unique, complex and virtually impossible-to-crack passwords for each service requiring it. Integrated with the AuthPoint Mobile App and Web SSO to sites and corporate applications not natively supporting MFA. Cloud applications can be integrated into the IdP portal, so the credentials for these are filled out automatically (forms-based authentication), giving the SSO experience. It helps to:
- Reduce credentials management costs
- Increase user adoption of identity protection
- Reduce exposure related to credential theft (phishing, dark web, social engineering, etc.)

And this is not the only news. To try AuthPoint Total Identity Security features, you can set trial licenses for yourself and your customers directly in WatchGuard Cloud, with our simple and integrated WatchGuard Cloud Trials Center.

Check the beta details in Total Identity Security - Beta and start taking advantage of AuthPoint Total Identity Security!

New AuthPoint SAML Integration Makes Web Single Sign On (SSO) More Efficient

Fabio Mansur — Wed, 16 Mar 2022 07:37:22 -0700

AuthPoint now offers a SAML integration that allows admins to add custom attributes directly into the generic SAML resource configuration, which provides additional integration capabilities outside of documented integrations.

This feature will give partners, customers and prospects a great flexibility and speed when adding new protected resources. For example, Multiple out-of-the-box optional attributes are available, such as e-mail, first name, groups, or just a fixed value.

Key benefits for AuthPoint admins

Quick and fast deployment when needed: Most SAML-based integrations can now be easily integrated, even if not tested yet by our ecosystem team
Usability: You can now select an icon of your choice for generic SAML integrations, making it easier for users to identify and access the application

About AuthPoint integrations

SAML is a business-oriented protocol that creates a trust relationship between the Cloud application, such as Microsoft 365, Salesforce, Tableau, and more, with an identity provider (like an MFA solution).

AuthPoint provides more than 150 document integrations with third-party solutions that use the SAML protocol, including Cloud applications. However, adding a SAML integration helps meet needs that sometimes-documented integrations fail to do, due to specific attributes that some Cloud vendors require. For use cases like this one, we are giving admins the ability to build customized integrations.

No urgent action is required for the Cloud/SAML applications that have been configured, but admins can now switch the icon to one that better identifies the application.

New AuthPoint policy: Geofence

Fabio Mansur — Tue, 21 Dec 2021 05:50:46 -0800

Earlier this year, we launched the AuthPoint Risk Framework, a powerful and flexible way to manage authentication policies, and on our continuous path towards Zero Trust, we have added policies for Network Location (policies based on the end user´s network) and Time Schedule (based on the day and time of the authentication attempt). We are now happy to announce that we have launched the first or our geo-based policies, the Geofence.

With the Geofence, administrators can create rules based on the user’s location to limit exposure and block attempts that come from unauthorized areas. For example, they can choose to give sales teams access to a CRM application from anywhere in the world, except for countries where the company doesn’t offer services or has staff. A call center application could have access limited only to the country where the team is located.

How Geofencing Works

User geolocation can be determined based on IP address origin or based on GPS, which uses device location (mobile or computer). The latter provides a more precise location. Enforcing the use of GPS can be a good idea for critical applications but requires users to accept it.

Upgrade the agents

To support the Geofence, the newest versions of the agents must be installed, or the existing ones must be upgraded. The most updated versions are available at WatchGuard Cloud:

Agents for Windows 2.7.1
Agent for Mac 1.11.0
Gateway 7.0.1
ADFS 1.2.0
RD Web 1.2.4

Remember to keep your agents and Gateway always updated, not only to support new features, but also to keep up with the most stable versions with stability and performance improvements.

We continue to work on adding new risk policies to provide a stronger risk-based authentication framework to AuthPoint users. Stay tuned as we prepare to release the next geo-based policies!

New AuthPoint Gateway 7.0 Available

Sam Manjarres — Fri, 03 Dec 2021 09:59:52 -0800

The AuthPoint Gateway is an on-premise, lightweight software that runs on Windows, that provides four main functionalities:

User and group sync with Active Directory or any LDAP service
User authentication with Active Directory or LDAP
RADIUS server interface to firewalls and remote access gateways
Active Directory Federation Services (ADFS) proxy to WatchGuard Cloud (WGC)

The new version of the AuthPoint gateway has redesigned engines and advanced connection management to improve performance and availability. It’s compatible with Java Development Kits (JDK) and Amazon Corretto (log in to WatchGuard Cloud and view the AuthPoint Download section for supported versions).

Action for Partners and Customers: Install the New Version! Install new gateway to avoid connectivity or management issues due to using outdated gateways.

The AuthPoint Gateway is easy to install. It just requires a connection key that is inputted during the installation. All configuration is done through the Cloud and if you are upgrading from an older version, simply execute the installer.

AuthPoint Agent for MacOS Monterey is released!

Alexandre Cagnoni — Thu, 11 Nov 2021 04:39:38 -0800

We are happy to announce that a new version of the AuthPoint Agent for MacOS, supporting the new MacOS Monterey 12.0.1, is now available through WatchGuard Cloud.

Version 1.11.0.92 of the agent can be downloaded through the "Downloads" section of AuthPoint management. Make sure to upgrade your agent to this new version, before updating your MacOS to Monterey.

Thanks for your support and patience, we are working hard to make sure we can deliver new versions prior to the launch of new operating systems.

And if you haven't done so, please check out our AuthPoint Betas, currently with the AuthPoint Gateway 7, and our new Risk-Based authentication feature: Geofence. Just login to Centercode and join our beta program!

AuthPoint Inherited Users

Fabio Mansur — Thu, 19 Aug 2021 06:49:44 -0700

As a Service Provider, you might manage dozens of customer accounts and need access to your customers' systems and environments, such as a VPN or a server. With the user inheritance feature, you can request that customer accounts inherit an AuthPoint user from your account. These inherited users can then authenticate to access the customer’s resources. User inheritance provides a number of advantages:

More flexibility to manage your accounts
Your team can access customer accounts with their existing tokens
Centralized control of users that access customer accounts
Reduced license costs (inherited users don’t consume a license)

User Inheritance currently supports child accounts, and soon delegated accounts as well. Take a look at this new powerful feature, and set up user inheritance for your analysts in less than a minute!

AuthPoint Inherited Users Beta

Fabio Mansur — Thu, 15 Jul 2021 11:35:50 -0700

As a Service Provider, you might manage dozens of customer accounts and need access to your customer’s systems and environments, such as a VPN or a server. With the user inheritance feature, you can request that customer accounts inherit an AuthPoint user from your account. These inherited users can then authenticate to access the customer’s resources. User inheritance provides a number of advantages:

More flexibility to manage your accounts
Your team can access customer accounts with their existing tokens
Centralized control of users that access customer accounts
Reduced license costs (inherited users don’t consume a license)

Join the beta to try these features and let us know what you think!

New AuthPoint Time Schedule Policy

Fabio Mansur — Fri, 04 Jun 2021 08:51:28 -0700

Earlier this year, we launched the AuthPoint Risk Framework, a powerful and flexible way to manage authentication policies. We are now happy to announce that we have launched the Time Schedule as a new type of policy. The Time Schedule policy enables you to specify the dates and times when authentication policies apply to user authentications. You can configure a time schedule policy object if you want to:

Allow authentication only during specified times, such as work hours.
Restrict authentication during specific times, such as non-work hours and holidays.
Enforce different authentication requirements at different times.
Use a safe network location to allow users to bypass MFA when they authenticate from the office, but only during specified times, such as work hours.

We continue to work on adding new risk policies to provide a stronger risk-based authentication framework to AuthPoint users. Stay tuned as we prepare to release geo-based policies next!

New AuthPoint Time Schedule Policy Beta

Fabio Mansur — Tue, 27 Apr 2021 11:49:23 -0700

Earlier this year, we launched the AuthPoint Risk Framework, a powerful and flexible way to manage authentication policies. The latest AuthPoint beta focuses on time-based policy objects, which enable you to specify the dates and times when authentication policies apply to user authentications. You might configure a time schedule policy object if you want to:

Allow authentication only during specified times, such as work hours.
Restrict authentication during specific times, such as non-work hours and holidays.
Enforce different authentication requirements at different times.
Use a safe network location to allow users to bypass MFA when they authenticate from the office, but only during specified times, such as work hours.

Join the beta to try these features and let us know what you think!

Released: New AuthPoint Self Service Portal Feature

Fabio Mansur — Mon, 26 Apr 2021 13:05:19 -0700

We are excited to announce that the Self-Service Portal feature is now available in AuthPoint!

This feature gives the users autonomy to activate their own tokens, both mobile and hardware, by accessing their company’s IdP portal. Users that are enrolling for the first time and still do not have an active token, can activate it as part of the login flow on the IdP portal. Users that are already enrolled and have an active token can also activate a new mobile or hardware token after they have logged into the –MFA protected- IdP portal. A key benefit for the operators is that they don’t need to associate and activate the hardware token for the users, simply ship it to the user, and he will be able to associate and activate it for himself in one single operation on the IdP portal. This simplifies logistics and the management of the tokens, as well as reduce support calls. Partners that prefer to manage tokens on their own, can opt to disable this feature and continue controlling the activations without the Self-Service capabilities.

New wizard available - import hardware tokens

Fabio Mansur — Fri, 26 Mar 2021 09:11:58 -0700

We are happy to announce the release of a new wizard on AuthPoint. The wizards provide a simple, step by step guide, to be followed by administrators to configure the MFA on their environment.

The new wizard guides the administrator through the steps necessary to import hardware tokens into AuthPoint, for both WatchGuard and third party.

Remember that the following operations are also available through Wizards:

Get Started with AuthPoint – guides the administrator through a first, basic configuration, that allows him to have a user performing authentications on a matter of minutes.
Configure MFA for a VPN – guides the administrator through the steps necessary to setup the MFA for a VPN (for SSL VPN or MSCHAPv2).
Sync Users from Active Directory – guides the administrator through the steps necessary to configure the integration with the Active Directory and perform user synchronization from it.
Configure MFA for Computers and Servers – guides the administrator through the steps necessary to setup the MFA for user’s machines or servers (both Windows and mac).

For new Subscriber accounts, the Get Started Wizard also shows up automatically as a checklist, so an administrator that is not familiar with AuthPoint can be guided since his first step on the tool.

You can read more details about it on the Help Center.

New AuthPoint Self-Service Portal Beta

Fabio Mansur — Fri, 19 Mar 2021 07:48:54 -0700

We are excited to announce that the Self-Service Portal feature is now available to beta test!

Join the beta to try these features and let us know what you think!

Released: AuthPoint Agent for macOS – Big Sur

Fabio Mansur — Fri, 19 Mar 2021 07:46:57 -0700

We are happy to announce the release of a new version of the AuthPoint Agent for macOS.

This version has compatibility with the new Big Sur operating system, allowing Big Sur users to have MFA protection on both startup of the machine and after blocking it.

Keep your machines always updated with the latest version of the Agent for mac.

For the machines that are already configured with the agent, you can simply download the installer from the AuthPoint Downloads page in WatchGuard Cloud and apply the installer on the machines. Read this Help Center article for more details.

If the agent for mac is not installed on your computer, go through this checklist before you install it:

You have an AuthPoint user with an active token
The user name you use to log on to the computer matches your AuthPoint user name
You have added a Logon app resource in the AuthPoint management UI
You have assigned an access policy for the Logon app resource to your AuthPoint group
You can restart the computer after you install the Logon app
Your computer must be connected to the Internet before you log on for the first time

New AuthPoint Risk Framework

Fabio Mansur — Fri, 05 Feb 2021 10:01:51 -0800

We are happy to announce that we have launched the new AuthPoint Risk Framework in WatchGuard Cloud. The improved authentication policy management allows for more granularity and flexibility when creating rules for your users and resources.

You also have now the option to create a policy to deny authentications under certain conditions or for specific groups or resources.

Network Locations (formerly Safe Locations) is the first risk feature available and we are working on adding additional policies throughout 2021, including: time policies, device risk, computer risk, as well as geolocation policies.

Main Changes You’ll See in WatchGuard Cloud:

Access policies are now authentication policies
You configure authentication policies separately from groups
Each authentication policy can apply to multiple groups and resources
You can now configure policies to deny authentications
You can now configure policy objects, such as network locations (previously called safe locations) separately from groups
You can now add users to more than one group
You can now sync groups from Active Directory and Azure Active Directory

Your existing policies have been automatically converted to the new policy system, so AuthPoint users or admins don’t need to migrate or integrate anything to start using the new risk framework.

To learn more about the new AuthPoint Risk Framework, watch this video, which addresses all you need to know to understand the new structure and UI.

You can also read the FAQ for more information. Don’t see a question that should be posted in the FAQ? Email me at [email protected]">[email protected]

New AuthPoint Wizards: Making MFA as Simple as Possible

Fabio Mansur — Thu, 24 Sep 2020 11:59:20 -0700

We are happy to announce the release of Wizards on AuthPoint. The Wizards provide a simple, step by step guide, to be followed by administrators to configure the MFA on their environment.

The following operations are available through Wizards:

Get Started with AuthPoint – guides the administrator through a first, basic configuration, that allows him to have a user performing authentications on a matter of minutes.

Create a group
Create a user
Activate token
Set up the IdP portal
Log in to the IdP portal to test MFA

Configure MFA for a VPN – guides the administrator through the steps necessary to setup the MFA for a VPN (for SSL VPN or MSCHAPv2).

Create a RADIUS client resource
Configure and install the AuthPoint Gateway
Set an access policy

Sync Users from Active Directory – guides the administrator through the steps necessary to configure the integration with the Active Directory and perform user synchronization from it.

Create an external identity
Configure and install the AuthPoint Gateway
Create a group sync to sync users and groups from Active Directory

For new Subscriber accounts, the Get Started Wizard also shows up automatically as a checklist, so an administrator that is not familiar with AuthPoint can be guided since his first step on the tool.

You can read more details about it on the Help Center.

Keep an eye on updates about it, as these are the first Wizards and others will be added to simplify the configuration of other features.

AuthPoint is Now Available as Monthly Subscription

Sharon Li — Fri, 11 Sep 2020 11:58:25 -0700

Starting this week, we are excited to offer our partners and customers AuthPoint as a monthly subscription in the WatchGuard FlexPay program.

WatchGuard FlexPay enables partners to purchase products according to their business needs. The FlexPay program includes all our payment options: pre-paid annual licenses, pay-as-you-go MSSP Points, and monthly subscriptions.

The AuthPoint Subscription is invoiced monthly based on usage. As a software product, it is easy to enable and manage both through the distributor marketplace and in WatchGuard Cloud. The steps for partners to enable are simple:

Place an order on a distributor marketplace for an AuthPoint Subscription License that is a $0 SKU and complete checkout
Add/manage AuthPoint users in WatchGuard Cloud at next login (the license will already be auto activated with no allocation limit)
WatchGuard will issue invoices through the distributor on the 1st of each month for the total active Subscription users across the partner's cloud account hierarchy

Currently, AuthPoint monthly subscriptions are available in the U.S. through SYNNEX. We are working with our distribution partners around the world to bring this option to broader geographic markets.

What makes AuthPoint Subscriptions stand out?

Maximum Flexibility

Add a Subscription License for free with no upfront cost, available to all resellers
Only pay each month for total active Subscription users
Pay per single user

No Minimum Term Commitment

Pay-as-you-go based on monthly usage
No other vendor offers a standalone MFA product with no commitment monthly billing

Onboard and Manage with Ease

No more manual activation or allocation administration
The Subscription License coexists with all other license types including term, points, trials, NFR and these licenses will always be used up first
No pro-ration, newly added users get immediate free product access until counted at next invoice date
Auto renews each month

Freedom to Self-Serve

Need more users? MSPs and Subscribers can both add users anytime
MSPs have additional control to set limits on customer usage on the allocation page

For more information check out the FAQ and Step by Step Order Guide

New version of the Agent for Windows is available!

Fabio Mansur — Thu, 10 Sep 2020 11:16:04 -0700

We are happy to announce the release of a new version of the AuthPoint Agent for Windows.

This version improves the treatment of the MFA, specially for RDP connection scenarios, and enhances the user experience by allowing to automatically send a push notification to users during the login process. This makes the authentication experience more convenient, allowing users to simply type the username and password and approve the push notification using the mobile AuthPoint token. Users can configure or disable this feature.

Keep your machines always updated with the latest version of the Agent for Windows

If the agent for Windows is not installed on your computer, go through this checklist before you install it:

You have an AuthPoint user with an active token
The user name you use to log on to the computer matches your AuthPoint user name
You have added a Logon app resource in the AuthPoint management UI
You have assigned an access policy for the Logon app resource to your AuthPoint group
You can restart the computer after you install the Logon app
Your computer must be connected to the Internet before you log on for the first time

The Dark Web Scan is in WatchGuard Cloud!

Alexandre Cagnoni — Thu, 13 Aug 2020 05:18:28 -0700

We are excited to announce that the Dark Web Scan is live in WatchGuard Cloud and available on Subscribers and Service Provider accounts. With this new tool, partners and end users can perform searches based on email addresses and domain names to see which accounts have been exposed on the dark web during known data breaches.

The Dark Web Scan will allow partners to generate and send personalized reports. This can be a great conversation starter with customers about the importance of identity and credential theft protection, as well as the need for multi-factor authentication. After all, who knows when an employee will be part of a new breach?

As a Partner with a Service Provider account, you will be able to:

Scan any email address
Scan any company domain, except for public ones (google.com, msn.com, yahoo.com, etc.)
Send personalized dark web reports to authorized domain admins and users

As a Customer with a Subscriber Account, you will be able to:

Scan any email address
Scan company domain associated with user account

The Threat of the Dark Web Is Real

This new feature is a free scanning service and sales tool that can be used to raise awareness among existing and potential customers with data from real breaches involving their company domains and employee credentials. If an employee credential was exposed in the Dark Web, MFA is what can save the company from a breach. And AuthPoint's push-based authentication can even warn users if someone tries to use their stolen credentials.

Learn more about the Dark Web Scan with these helpful links

Frequently Asked Questions

Make sure to read our complete FAQ for any doubt about the service that is being offered for free, to our partners and customers.

You asked for them: AuthPoint Hardware Tokens

Alexandre Cagnoni — Wed, 05 Aug 2020 10:42:03 -0700

We are excited to share the news that our MFA solution portfolio continues to expand and now partners can offer AuthPoint Hardware Tokens to interested customers! Hardware tokens can be used by businesses as an alternative to the mobile token to authenticate into protected resources.

Common Use Cases

Although mobile-based authentication is more popular and in many cases more secure, there are many scenarios where hardware tokens are required or preferred.
Accessing locations where authentication is required, but mobile use is restricted, like hospitals
Tough environments, like mines or oil platforms
Companies with policies that limit or restrict the use of personal mobile devices for security purposes

Cool things to know about AuthPoint Hardware Tokens

There is no seed file with AuthPoint hardware tokens. The hardware tokens are produced in our own factory and added to WatchGuard Cloud directly. This is a secure process that protects the token from becoming compromised (see what happened to RSA in 2011).
All tokens are programmed and finalized in the WatchGuard factory. No 3rd party company has access to our firmware or secrets.
Token secrets are transmitted directly from the WatchGuard factory network (physically separated from the corporate network) to the Cloud. No human in the middle has access to it.
Our devices are made in Brazil, in WatchGuard premises.
Less than 0.1% of RMA - Return Merchandise Authorization (return because of defects)
No activation is needed. Just add them to one or more AuthPoint tenants, using the Hardware Token menu option
3 years warranty starts only first time after you add them to a user, so you don’t have to worry about having some extra ones in your stock
Life expectancy of more than 7 years, when in constant use

New Product Page
We have added a new page under the Multi-Factor Authentication product section of the website. Visit the Hardware Token page to learn more.

Ordering Hardware Tokens
AuthPoint Hardware Tokens are available to order now. They have a fixed price and are sold in 10 tokens boxes.

Check out the FAQ and datasheet at the Partner Portal!

New with AuthPoint: Beta version of the Agent for macOS

Fabio Mansur — Thu, 21 May 2020 14:02:34 -0700

We are excited to announce that an updated version of the AuthPoint agent for macOS is now available to beta test! We’ve redesigned the new agent for macOS to provide more features and make the authentication process easier. This version has two main new features:

Automatic Push Notifications: AuthPoint users can configure automatic Push notifications which will be trigger after typing username and password to access an application. This can be convenient to some users who will prefer to skip the “Send Push” step, but it can also be disabled.
Login Access for Non-AuthPoint Users: Non-AuthPoint users can now login to macOS applications without requesting MFA. This feature already exists on the Agent for Windows (platforms? Environments? We need a word here) and has now been implemented for macOS. This feature is particularly useful for Service Providers that need to access customers’ machines to provide support. The configuration and behavior are exactly the same as we have for Windows and there are no risks associated with this benefit.

Remember that the Agent for macOS also supports macOS Catalina.

TRY IT! Join the beta to try these features and let us know what you think!

New Pull Authentication Feature: Push Notifications Will Never Be Late Again

Alexandre Cagnoni — Tue, 28 Apr 2020 09:50:45 -0700

Your push message didn’t arrive? Don’t worry, a new version of the AuthPoint App for Android and iOS is now available for download with the new “Pull Authentication” feature.

AuthPoint’s Push authentication is what makes our solution one of the most secure and user-friendly MFA options in the market. This feature provides complete information about the user, their location and device, which adds increased levels of security when approving or denying access to applications. This technology is also more secure and reliable than SMS authentication because the communication is fully encrypted in the app.

But as with any other notification solution, we depend on Google Cloud Messaging or Apple Push Notification Service to deliver Push-based authentication messages. While we know that notifications normally arrive in less than 3 seconds, there are times when it takes longer, which affects the user experience of our AuthPoint users – but we have no control over the third-party services.

We are happy to introduce the new “Pull Authentication” feature. If your Push message doesn’t arrive in a few seconds, just open your AuthPoint App or click on “Check for pending notifications” on your phone, and we will retrieve the notification from AuthPoint in WatchGuard Cloud to make sure you don’t miss notifications. No more delays and no more waiting!

Note: The Pull Authentication feature is supported in versions 1.13.0 and beyond.

New AuthPoint Gateway Beta with Two Features WatchGuard Partners and Customers Asked For!

Alexandre Cagnoni — Tue, 28 Apr 2020 09:18:31 -0700

High VPN Authentication Performance

The new AuthPoint Gateway now has a redesigned RADIUS component to support instances when a higher number of employees are using multi-factor authentication at the same time.

As businesses shifted to a remote environment, the volume of VPN connections increased dramatically, and which could cause some delays especially during peak hours where a larger-than-usual number of users try to connect into their networks (between 8:00-9:00 AM local time).

This improvement should provide a faster VPN authentication experience to all AuthPoint users at any time.

Support for Java 11 and AWS Corretto 11

Remember when we only supported Oracle Java 8 at an extra cost? The new AuthPoint Gateway now also supports both Java 11 and AWS Corretto 11, a free distribution version of OpenJDK 11, compatible with Java SE standard (learn more at https://aws.amazon.com/corretto/).

You don’t have to be an AWS customer to download it, so AuthPoint users can have the latest Java-compatible version at no extra cost.

Please make sure to join our new Beta at https://watchguard.centercode.com. If you already have an account, you should have received an invitation. If you don’t have an account, visit the link above to sign up.

AuthPoint Support for MSCHAPv2 / IKEv2 VPNs Is Now Available!

Alexandre Cagnoni — Fri, 13 Mar 2020 11:24:10 -0700

We are happy to announce that AuthPoint Gateway v5.3.1 was just launched, adding support for RADIUS MSCHAPv2 authentications to Active Directory. This means that you can now create IKEv2 VPNs, authenticating users to Active Directory, using AuthPoint as your MFA solution.

Why IKEv2?

IKEv2 is the most secure VPN option available today
It is natively available on Windows, macOS, and iOS, and it is easily used among Android users with apps such as StrongSwan
For Firebox customers, being IPSec-based, IKEv2 can take advantage of crypto acceleration available on Firebox appliances, providing better performance than SSL or L2TP

You can take a look at the basic configuration needed at:

https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/authpoint/resources_radius.html

And here you can find the integration guide with Firebox, including Microsoft NPS configuration:

https://www.watchguard.com/help/docs/help-center/en-US/Content/Integration-Guides/AuthPoint/firebox-ikev2-vpn-radius_authpoint.html

It’s important to notice that IKEv2/MSCHAPv2 multi-factor authentication will only work with push-based authentication. Time-based OTPs cannot be used, since the typed in password plus OTP would be hashed together, so AuthPoint wouldn’t be able to retrieve the OTP part from the password.

Thanks for all that participated in our Beta Program!

AuthPoint Beta program is more active than ever!

Alexandre Cagnoni — Fri, 10 Jan 2020 11:53:28 -0800

New features and functionalities are being revealed with our AuthPoint Beta Program. Check out some of those:

AuthPoint Authentication APIs Beta ended and is now publicly available, and for no additional cost in your AuthPoint license! See how easy it is to integrate AuthPoint’s MFA technology with your web portal or home applications

AuthPoint Agent for MacOS v1.7 Beta started this week, and it now supports Catalina. Check it out!

AuthPoint Agent for Windows Beta is getting a new refresh in the next few days. It provides easier distribution and optional login without MFA for defined users

Azure AD Sync and Authentication Beta is running. Keep an eye on how to configure Office365 with native Azure AD users, integrated with AuthPoint. Coming out soon!

We will be soon starting as well the AuthPoint Branding Beta, so you can add your logo to your managed accounts.

And check out the new AuthPoint feature that allows you to verify a caller’s identity by sending them a Push, making sure you are talking to the right person!

Participate in the AuthPoint Authentication API Beta Test!

Alexandre Cagnoni — Fri, 22 Nov 2019 09:57:57 -0800

We are excited to announce that the AuthPoint Authentication API is now available to beta test! The Authentication API is a new service that you can use to add the protection of AuthPoint multi-factor authentication (MFA) directly into your custom applications, using RESTful API calls.

Would you like to quickly add MFA to your Web portal? Maybe add Push, QR Code or OTP (one-time password) authentication into your home developed application?

With the AuthPoint Authentication API, you will be able to:

Authenticate a user with a time-based OTP
Generate a customized authentication request to your users as a push notification
Poll for the push status: push notification received and authentication request approved, denied or pending
Generate a QR Code challenge and validate the response
Validate the user’s password with AuthPoint or separately on your application
And much more!

To get started, click here to visit our beta management site. You’ll find instructions on how to enable API access for your account and start using the Authentication API.

We look forward to hearing any suggestions or feedback you can give us.

Thanks for helping us to make AuthPoint a great product!

New AuthPoint Features

Alexandre Cagnoni — Tue, 15 Oct 2019 05:28:42 -0700

AuthPoint capabilities continuously improve, and a host of new features were recently added that make our MFA solution even more flexible, easy to manage, and secure. The latest enhancements include:

AuthPoint Gateway HA - Gives customers full high availability (HA) of on-premises services such as RADIUS and AD authentication. With this feature, users can have one primary gateway and up to 5 other gateways in the location of their choice. If the first goes down, the next one will take over automatically ensuring high availability for authentication services.
Backup and Restore for Mobile 3rd party Tokens – With this feature, users can now add their own personal mobile tokens (e.g. social media, personal DropBox account) to the AuthPoint app and back up these 3rd party personal tokens. For example, if a user gets a new phone or loses a phone, no problem; the tokens will be easy to restore in their new device.
Advanced Search for Users – Advanced search for AuthPoint enhances user management capabilities by enabling better, easier search functionality. Account administrators can now search logs using a variety of attributes; for example, if you want to list all users that haven't activated their tokens yet or users that, status of users, users with blocked tokens, by group, users in quarantine, and more.
Advanced Search on the Hardware Token Screen -This feature enables admins to search using hardware token attributes such as status, serial number, activation and creation date, and user information. This is especially useful for companies distributing a larger number of hardware tokens to users.
AuthPoint Push Tracking - Unlike many other solutions in the market, AuthPoint offers push tracking. This allows admins to track the status of a push. For example, if a user complains that he/she did not receive a push, the admin can look in the audit logs to see the status of the push.
New AuthPoint Integrations: Concur redirection, Meraki Dashboard, KnowBe4, LogMeIn, OneLogin, Zoho, Citrix ShareFile, GitLab, Rakurakuseisan, Zendesk

AuthPoint Gateway HA Beta is now Available

Alexandre Cagnoni — Thu, 15 Aug 2019 13:59:09 -0700

AuthPoint Gateway version 5 with High Availability support is now available to beta test!

This new version supports two main features:

You can now configure and install secondary Gateways to provide high availability for LDAP user authentication. If your primary Gateway is not available, AuthPoint automatically sends LDAP user authentications through the secondary Gateway until the primary Gateway becomes available again. You can have the primary Gateway and up to 5 additional secondary Gateways.

For RADIUS client resources, you can now choose to send the Active Directory group for the attribute 11 (Filter-ID) value in RADIUS responses. This enables you to apply firewall policies based on the user’s AD group.

To get started, visit our beta management site at watchguard.centercode.com. You’ll find instructions on how to install the Gateway and start using the new features.

We look forward to hearing any suggestions or feedback you can give us to help make the Gateway even better!

Thanks for helping us to make AuthPoint a great product!

AuthPoint Agent for RD Web is here!

Alexandre Cagnoni — Wed, 07 Aug 2019 09:37:30 -0700

We’re excited to announce that the AuthPoint agent for RD Web is now available!

This agent allows users to enforce MFA when connecting to remote applications using Microsoft Remote Desktop Web Access application (RD Web). It integrates with the AuthPoint Web SSO functionality, so if you login into AuthPoint's IdP, you will automatically login to RD Web as well. It also supports safe locations, allowing users to configure dedicated locations in which MFA is not required to access those remote applications.

It’s quick to set up. Simply follow the installation and configuration instructions in the Help Center to get started.

And just as a reminder, connections to computers and servers using RDP or RD Gateway can still be protected by our new AuthPoint Agent for Windows!

AuthPoint Agent for RD Web Beta and Agent for Windows update

Alexandre Cagnoni — Mon, 10 Jun 2019 11:40:22 -0700

The AuthPoint Agent for RD Web is entering its second week of Beta! Have you tried it yet?

What is it? The AuthPoint agent for RD Web allows users to enforce MFA when connecting to remote applications using Microsoft’s remote desktop web application (RD Web). It also supports safe locations, allowing users to configure dedicated locations in which MFA is not required to access those remote applications.

How can you help? Sign up to Centercode, and join our Beta: https://watchguard.centercode.com/key/RDWeb.

As a reminder, the AuthPoint Agent for Windows v2.0 Beta is still running, with great feedback from partners. On the week of June 17th we should have a final update before GA, with the following changes:

Fix to improve Internet detection, and reduce the time to switch to offline mode
Support for 3rd party hardware tokens (it's coming!!!)
Small fixes

Thanks!

AuthPoint Agent for Windows v2.0 Beta is here!

Alexandre Cagnoni — Wed, 15 May 2019 09:21:59 -0700

AuthPoint Agent for Windows is getting a new look and feel!

What does this change?
This beta kicks off the release of the redesigned version of the AuthPoint Agent for Windows, which will have the same look and feel as the agent for MacOS. When Windows users log in, AuthPoint sign-in options (e.g. push) will appear on a new screen after the user enters in a username and password. This is different from the current Windows logon in which the sign-in options appear on the same screen as the Windows logon screen.

Exciting new features with the new Agent!

Support for RDP connections using the Remote Desktop Connection application
Support for RDgateway connections
Safe Locations support: give users better usability by allowing them to automatically bypass MFA if they are connected to a protected network - your Safe Location!

Sign up to participate in the AuthPoint Beta program today if you are not already in the program.

WatchGuard Beta Testing
By being a WatchGuard Beta tester, you get to see products in early stages of development, and your feedback will influence this release and the course of future products. Broad participation in our Beta programs also helps us to deliver high quality final releases. There are open Beta programs across 5 different product areas at the moment. You can always find out more at our Beta program page. If you've never joined a WatchGuard Beta program, this is a great time to jump in!

AuthPoint – WatchGuard Cloud’s MFA Service is Here!

Alexandre Cagnoni — Thu, 26 Jul 2018 11:07:43 -0700

Passwords are not as effective as they used to be, with employees simplifying or mishandling them and hackers demonstrating more ways to steal them. AuthPoint multi-factor authentication (MFA) makes password strength irrelevant, providing additional proof of identity when accessing applications and services such as:

Remote Access and VPN
Cloud Applications
Windows Login

How? The AuthPoint mobile app on your smartphone will show you who is trying to authenticate, what application, and from where, so you can easily approve or deny with a single tap on the screen.
Even when your phone is not connected, you can use the app with offline authentication methods, such as with a secure QR Code or one-time passwords (OTPs). Make the AuthPoint app your one stop for authentication by adding your personal social media tokens instead of installing multiple token apps.

Not only is AuthPoint easy for users, but network administrators will also appreciate that management is available from our new, beautiful WatchGuard Cloud platform. Simply login, activate your licenses, and you are ready to:

Quickly provision users by synchronizing with your Active Directory or LDAP base and sending them activation instructions
Configure any firewall for AuthPoint authentication, using RADIUS protocol
Add Web Single Sign-On (SSO) capabilities to your Cloud applications
Protect your Windows machines with push-message authentication, and offline authentication

With AuthPoint, companies can now enjoy a multi-factor authentication (MFA) solution that is simple, intuitive, and secure.

Learn more at www.watchguard.com/authpoint