Identity_Security_Essentials_Study_Guide_EN-US.pdf

Full Transcript

WatchGuard Training
Identity Security Essentials
Study Guide
WatchGuard AuthPoint
Revision Date: October 2023
 About This Document
Information in this document is subject to change without notice. Companies, names, and data used in examples
herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or
by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard
Technologies, Inc.

In September 2023, the name of the Multi-Factor Authentication Essentials exam and courseware was changed to
Identity Security Essentials.

Guide revised: 13 October 2023

Copyright, Trademark, and Patent Information
Copyright © 2023 WatchGuard Technologies, Inc. All rights reserved.
All trademarks or trade names mentioned herein, if any, are the property of their respective owners.

About WatchGuard Address
505 Fifth Avenue South
WatchGuard® Technologies, Inc. is a global leader in network
Suite 500
security, providing best-in-class Unified Threat Management, Next
Seattle, WA 98104
Generation Firewall, secure Wi-Fi, and network intelligence products
and services to more than 75,000 customers worldwide. The
company’s mission is to make enterprise-grade security accessible
to companies of all types and sizes through simplicity, making Support
WatchGuard an ideal solution for Distributed Enterprises and SMBs.
WatchGuard is headquartered in Seattle, Washington, with offices www.watchguard.com/support
throughout North America, Europe, Asia Pacific, and Latin America. U.S. and Canada +877.232.3531
To learn more, visit WatchGuard.com. All Other Countries +1.206.521.3575

For additional information, promotions and updates, follow
WatchGuard on Twitter, @WatchGuard on Facebook, or on the
LinkedIn Company page. Also, visit our InfoSec blog, Secplicity, for
Sales
real-time information about the latest threats and how to cope with
U.S. and Canada +1.800.734.9905
them at www.secplicity.org.
All Other Countries +1.206.613.0895

Identity Security Essentials Study Guide 2
 Contents

How to Use This Study Guide 5
AuthPoint Basics 6
Introduction to AuthPoint 7
About Authentication 14
AuthPoint Users and Tokens 16
About Tokens 17
AuthPoint Mobile App 18
Hardware Tokens 23
AuthPoint Groups and Users 25
AuthPoint Authentication 35
Authentication Policies 36
Policy Objects 39
Password Management 45
Corporate Credentials 49
Monitor Your Domains for Data Breaches 50
AuthPoint Resources 51
IdP Portal Resource 52
Logon App Resources 54
RD Web Resource 57
AuthPoint Gateway 58
RADIUS Client Resources 63
Firebox Resources 70
SAML Resources 72
ADFS Resource 77
RESTful API Client Resource 78
Troubleshooting 79
Additional Resources 84
About the Identity Security Essentials Exam 87
Exam Description 88

Identity Security Essentials Study Guide 3
 Sample Exam Questions 91

Identity Security Essentials Study Guide 4
 How to Use This Study Guide

How to Use This Study Guide
This guide is a resource to help you study for the Identity Security Essentials certification exam. Use this guide in
conjunction with instructor-led training, online video training and demos, and the WatchGuard Help Center
documentation to prepare to take the exam.

For a list of recommended documentation and video resources to help you prepare for the exam, see Additional
Resources.

For information about the exam content and format, see About the Identity Security Essentials Exam.

Document Conventions
This document uses these formatting conventions to highlight specific types of information:

This is a key point. It highlights or summarizes the key information in a section.

This is a note. It highlights important or useful information.

This is a best practice. It describes the recommended configuration for an AuthPoint feature.

USE CASE:

This is a use case. It describes how you could configure AuthPoint in a real-world scenario.

This is a caution. Read carefully. There is a risk that you could lose data, compromise system
integrity, or impact device performance if you do not follow instructions or recommendations.

Identity Security Essentials Study Guide 5
 AuthPoint Basics

AuthPoint Basics
The content in this section covers basic multi-factor authentication concepts that are not unique to AuthPoint, and
introduces the various AuthPoint components.

In this section, you learn about:
n Multi-factor authentication
n Authentication and authorization
n Authentication methods
n AuthPoint components
n AuthPoint management UI

Identity Security Essentials Study Guide 6
 Introduction to AuthPoint
Multi-factor authentication (MFA) is an authentication method that requires any combination of something you know
(such as a password), something you have (such as a mobile phone), and something you are (such as a fingerprint).
AuthPoint is WatchGuard's multi-factor authentication service, and includes these products:
n AuthPoint Multi-Factor Authentication
n AuthPoint Total Identity Security

With AuthPoint, you can require users to authenticate with a mobile app or third-party hardware token when they log
in to a protected resource, such as a computer, VPN, cloud service, or application.

A token is something, such as a digital signature or fingerprint, that identifies a user and
associates the user with a device. It is used in addition to, or in place of, a password when the
user logs in to a protected resource. The user activates a token on a device that is used for
authentication, such as a mobile phone. This device is then used to gain access to protected
resources that require multi-factor authentication.

Authentication and Authorization
Authentication gives administrators a way to identify the users that access resources. To authenticate, you must
provide something that proves your identity, such as a password.

Authorization is how administrators define which users are allowed access to protected resources. In AuthPoint,
groups and authentication policies control authorization.

This guide assumes that you have some familiarity with the RADIUS, LDAP, and SAML authentication protocols. For
an overview of how these protocols work, see the Authentication Basics section at the start of the Identity Security
Essentials video course.

The Identity Security Essentials video course is available in the Learning Center.

Identity Security Essentials Study Guide 7
 MFA Authentication Methods
Users install the AuthPoint mobile app on their phone. Then, when they log in to any protected online service or VPN,
they must authenticate with one of these methods:
n Push Notification — When a user logs in, AuthPoint sends a push notification to the user's mobile device. The
user approves the push notification to authenticate, or denies it to prevent an unauthorized access attempt.
n QR Code — When a user logs in, a QR code appears. The AuthPoint app uses the phone camera to scan the
QR code and displays a verification code, which the user must type to authenticate. AuthPoint uses secure
QR codes that only the AuthPoint mobile app can decrypt.
n One-Time Password (OTP) — When a user logs in, the user must provide a unique, temporary password
generated by the AuthPoint app to authenticate.

AuthPoint uses the latest MFA methods to protect your trusted resources from unauthorized access. You can choose
different authentication methods for specific user groups and applications.

AuthPoint Components
AuthPoint has several components:

AuthPoint Management UI

The AuthPoint management UI in WatchGuard Cloud is where you set up and manage users, user groups,
resources, authentication policies, policy objects, corporate applications, external identities, and the AuthPoint
Gateway. Resources are the applications that you define for use with AuthPoint. Authentication policies
specify which resources AuthPoint users can authenticate to and which authentication methods they can use.
External identities connect to user databases to get user account information and validate passwords. The
AuthPoint management UI also provides reports and audit logs to help you monitor authentication activity and
troubleshoot any issues.

You configure Dark Web Monitoring from the Administration menu in WatchGuard Cloud.

AuthPoint Mobile App

The AuthPoint mobile app is required for authentication. Before you can authenticate with AuthPoint, you must
install the AuthPoint mobile app on your mobile device and activate your WatchGuard token. You can use the
AuthPoint mobile app to view and manage your tokens, approve push notifications, get OTPs, scan QR codes,
and view and manage your saved credentials. You can also enable Token Security to protect your tokens with
a PIN or biometric ID. Before you can use your protected tokens for authentication with any method, you must
unlock them with a PIN or your biometric ID.

The AuthPoint mobile app is not required for OTP authentication with a hardware token. For
more information, see Hardware Tokens.

Identity Security Essentials Study Guide 8
 AuthPoint Browser Extensions

The AuthPoint browser extensions are used for password management. You can use the AuthPoint browser
extensions to save and manage your credentials in a personal password vault.

AuthPoint Gateway

The AuthPoint Gateway is a lightweight software application that you install on your network so that AuthPoint
can securely communicate with your RADIUS clients and LDAP databases. The Gateway operates as a
RADIUS server for RADIUS authentication, and is also used to import LDAP users and validate their
passwords.

The AuthPoint Gateway installer is available on the Downloads page in the AuthPoint management UI.

Logon App

The Logon app is used to require authentication when users log on to a computer or server. This includes
protection for RDP and RD Gateway. The Logon app is also referred to as the AuthPoint Agent for Windows or
Mac. There are two parts to the Logon app: the application you install on a computer or server and the
resource you configure in AuthPoint.

The Logon app installers are available on the Downloads page in the AuthPoint management UI.

AuthPoint Agent for ADFS
Microsoft Active Directory Federation Services (ADFS) is a Windows Server component that provides users
with authenticated access to applications.

With the AuthPoint ADFS agent, you can add MFA to ADFS for additional security. There are three parts to the
AuthPoint agent for ADFS: the agent you install, the Gateway, and the resource you configure in AuthPoint.

The ADFS agent installer is available on the Downloads page in the AuthPoint management UI.

AuthPoint Agent for RD Web

Microsoft Remote Desktop Web Access (RD Web) is a web page that shows a list of applications published
from a server. From the web page, authenticated users can launch each application. The AuthPoint agent for
RD Web adds MFA authentication to RD Web Access.

There are two parts to the AuthPoint agent for RD Web: the agent you install and the resource you configure in
AuthPoint.

The RD Web agent installer is available on the Downloads page in the AuthPoint management UI.

Identity Security Essentials Study Guide 9
 About AuthPoint Resources
In AuthPoint, resources are the applications and services that your users connect to that are protected by AuthPoint
multi-factor authentication (MFA).

AuthPoint supports these resource types:
n IdP Portal — A portal page that shows users the SAML resources available to an authenticated user.
n Logon App — The Logon app resource is used to configure and define authentication policies for the Logon
app.
n RD Web — The RD Web resource is used to add MFA to Remote Desktop Web Access (RD Web).
n Firebox — The Firebox resource is used to enable AuthPoint as an authentication server on a Firebox that has
been added to WatchGuard Cloud as a locally-managed Firebox.
n RADIUS Client — An application or service that uses RADIUS authentication (primarily firewalls and VPNs).
n SAML — An application or service that uses SAML authentication, such as Microsoft 365, Salesforce, or the
Firebox Access Portal.
n ADFS — The ADFS resource is used to add MFA to ADFS authentication.
n RESTful API Client — The RESTful API Client resource is used to configure and define authentication policies
for a RESTful API client.

To configure MFA for a resource, add the resource in AuthPoint, then configure an authentication policy for the
resource or add the resource to your existing authentication policies. Authentication policies specify which resources
require authentication and which authentication method to use (Push, QR code, OTP) when users connect to each
resource.

AuthPoint Licenses
AuthPoint is a subscription identity security service. To use AuthPoint, you must activate an AuthPoint Multi-Factor
Authentication or Total Identity Security license in your WatchGuard account. The AuthPoint license determines the
number of users you can configure to use AuthPoint for MFA. When you activate your AuthPoint license key, the user
licenses are added to your WatchGuard Cloud account.

If you are a WatchGuard Cloud Service Provider, you can allocate AuthPoint user licenses to accounts you manage
in WatchGuard Cloud.

AuthPoint Management UI
To set up and manage AuthPoint, you use the AuthPoint management UI in WatchGuard Cloud. To connect to
WatchGuard Cloud, go to cloud.watchguard.com. Log in with your WatchGuard portal credentials.

If you have a Service Provider account, you must select an account from Account Manager to configure AuthPoint for
that account.

Identity Security Essentials Study Guide 10
 Configure AuthPoint
To configure AuthPoint, select Configure > AuthPoint.

The Summary page shows tiles with a summary of your AuthPoint configuration.

To configure AuthPoint settings you can click a tile title or click a link in the navigation menu:
n Authentication Policies — Configure authentication policies to specify which resources AuthPoint users can
authenticate to and which authentication methods they can use (Push, QR code, and OTP).
n Resources — Configure the applications and services that your users connect to.
n Groups — Configure user groups.
n Policy Objects — Configure the policy objects to define specific scenarios that authentication policies apply to.
n Users — Manage AuthPoint users and tokens. You can add users directly in AuthPoint or import LDAP users
from an external authentication server.
n External Identities — Configure the information required for AuthPoint to connect to your Active Directory or
LDAP databases to get user account information and validate passwords.
n Gateway — Configure settings for the AuthPoint Gateway, a lightweight software application that you install on
your network so that AuthPoint can communicate with your RADIUS clients, the AuthPoint agent for ADFS,
and your Active Directory or LDAP database.
n Tokens — Import hardware tokens and associate them with users.
n User Inheritance — Send and manage user inheritance requests. Service Providers can request that
managed accounts inherit an AuthPoint user from the Service Provider account.
n Corporate Credentials — Configure Corporate Credentials to share a direct link to a specific website with
specific user groups.

Identity Security Essentials Study Guide 11
 The items in the AuthPoint management menu are listed in the optimal order to configure them.
We recommend you start at Resources, and work your way down through each item in the list
until your configuration is complete. Then configure authentication policies.

Monitor AuthPoint
Use AuthPoint dashboards and reports to monitor AuthPoint activity and status.

To monitor AuthPoint, select Monitor > AuthPoint.

In the Monitor section of the AuthPoint management UI, you can see these dashboards and reports:
n User Activity — A bar graph that shows how many times each active user has authenticated, the last time each
inactive user authenticated, and how and when blocked users were blocked.
n Authentication — A bar graph that shows successful and failed authentication attempts for each user. For
each attempt, a list shows the authentication date, the token that was used, the authentication method, and
the resource the user authenticated to.
n Resource Activity — A bar graph of resources that shows successful and failed authentication attempts for
each resource. For each attempt, a list shows which user authenticated, the authentication date, the token
that was used, and the authentication method.
n Denied Push Notifications — A bar graph that shows how many push notifications have been denied by users.
n Activation Activity — Shows a list of user tokens that have not yet been activated.
n Sync Activity — Shows information about the synchronization of your LDAP database, if you added an
external identity.

Audit logs and notifications, available under the Administration menu, provide additional
information about AuthPoint events that can be useful for troubleshooting.

Identity Security Essentials Study Guide 12
 Custom Branding
In WatchGuard Cloud, you can configure custom branding for AuthPoint. When you enable custom branding, you can
customize the corporate branding of AuthPoint emails and the IdP portal for your account and any accounts that you
manage.

To configure custom branding, select Administration > Branding.

You can customize these items for AuthPoint:
n Logos and images in emails sent by AuthPoint
n The reply-to email address for emails sent by AuthPoint
n The logo and thumbnail on the Set Password and Token Activation web pages
n The logo, thumbnail, and background image for the IdP portal

Identity Security Essentials Study Guide 13
 About Authentication
With AuthPoint MFA, each user installs the AuthPoint app on a mobile device, and activates a token. The user can
then use the app to authenticate with the Push, QR code, or one-time password (OTP) authentication methods.

When a user tries to log in to a resource that requires authentication, the AuthPoint single sign-on (SSO) page
appears. To log in, the user types their AuthPoint password (if required) and chooses an authentication method.

The authentication methods available depend on the authentication policies that include the
end user's groups. Some resources might require specific authentication methods, or allow
only certain methods.

When a user authenticates, the web browser creates a session and remembers the user. While the user session is
active, the user does not need to authenticate again for SAML resources, RD Web resources, or the IdP portal,
unless the resource requires a more secure authentication method.

From most secure to least secure, the authentication methods are:

1. Push notification and QR code
2. One-time password
3. Password

For example, if you use a password and an OTP to log in to the IdP portal, you can then log in without authentication
to any resource that has OTP as an allowed authentication option or that requires only a password.

The table below shows when an authenticated user must reauthenticate.

User Previously Authentication Policy
Authenticated With for Resource Authentication Action

Password Password Log in without authentication

Password Password + OTP, QR User must authenticate with OTP, QR code, or Push
code, or Push (no password required)

OTP Password or OTP Log in without authentication

OTP Password + QR code or User must authenticate again with QR code or Push
Push (no password required)

OTP OTP, QR code, or Push Log in without authentication

QR code or Push Any Log in without authentication

Identity Security Essentials Study Guide 14
 Authentication Methods
Push Authentication

For push authentication, AuthPoint sends a push notification to your phone. You can either tap Approve to
authenticate and get access to your applications, or tap Deny to prevent an access attempt that was not made
by you.

If your token is protected by Token Security, the AuthPoint app opens and prompts you to unlock your token
with a biometric ID or a PIN when you try to approve a push notification. After you validate, you can approve or
deny the push notification.

When you deny a push notification, you can choose to disable AuthPoint push notifications temporarily. You
might do this to protect yourself from push bombing or phishing attacks when you receive many spam push
notifications. Attackers send spam push notifications to get users to mistakenly approve an MFA
authentication request. When you disable push notifications, you can still authenticate with one-time
passwords and QR codes.

QR Code

A QR code is a square barcode that your phone can scan to read stored data. AuthPoint uses secure QR
codes to provide you with a verification code for authentication. Only the built-in AuthPoint app QR code
reader can decrypt AuthPoint QR codes.

RADIUS client resources cannot use the QR code authentication option.

One-Time Password

An OTP is a unique, temporary password that is only valid for a short time. OTPs are used in addition to your
normal password for authentication. On the Token Management page of the AuthPoint app, you can see the
OTP for each token and how long the OTP is valid. The OTP for protected tokens is hidden until you unlock
your tokens.

Identity Security Essentials Study Guide 15
 AuthPoint Users and Tokens

AuthPoint Users and Tokens
The content in this section covers how to manage your users and groups in AuthPoint.

In this section, you learn about:
n Software and harware tokens
n AuthPoint mobile app
n AuthPoint users and groups
n How to sync external users to AuthPoint
n How to block users and tokens

Identity Security Essentials Study Guide 16
 AuthPoint Users and Tokens

About Tokens
A token is something that contains information used to prove identity, like a digital signature or fingerprint. You
activate or install a token on a device used for authentication (known as an authenticator). You can then use this
device to gain access to protected resources that require MFA.

To confirm your identity when you authenticate, you must prove that you have possession of the authenticator, or
token, assigned to you.

AuthPoint supports two types of tokens:

Software Tokens

A software token is a token that you activate and install with the AuthPoint app on your mobile device.

When you create a user in AuthPoint, a software token is automatically created for them. The user receives an
email with instructions to download the AuthPoint mobile app and activate the token on a single mobile device.
If a user has more than one device, the user must activate a separate token for each device.

Hardware Tokens

A hardware token is a physical device with a built-in token. You can use third-party hardware tokens with
AuthPoint multi-factor authentication. To assign hardware tokens to users, you must buy supported hardware
tokens from a vendor and import the tokens to AuthPoint. For more information, see Hardware Tokens.

Each AuthPoint user can have up to 20 software tokens and any number of hardware tokens. Before a user can
authenticate with AuthPoint, they must have at least one active hardware or software token.

Identity Security Essentials Study Guide 17
 AuthPoint Mobile App
The AuthPoint mobile app supports the Push, QR code, and OTP authentication methods.

For OTP authentication, you can use a hardware token instead of the AuthPoint mobile app.
For information about hardware tokens, see Hardware Tokens.

To get started, users must install the AuthPoint mobile app on a mobile device and activate an AuthPoint token.

From the AuthPoint mobile app users can:
n Authenticate with MFA:
o Approve a push notification

o Check for pending push notifications
o Get a one-time password (OTP)
o Scan a QR code
o Migrate tokens to a new device
n View and manage tokens:
o Activate a token

o See token details
o Resynchronize a token
o Protect a token with a PIN or biometric ID
n View and manage saved credentials in the password vault

The AuthPoint mobile app can contain multiple AuthPoint tokens, and also supports third-party tokens.

If a user has more than one mobile device, the user must activate a unique token for each device.

Identity Security Essentials Study Guide 18
 Token Activation
To activate a token, users must download and install the WatchGuard AuthPoint mobile app on a mobile device.
There are two ways for users to activate a token on their mobile device:
n Click the link in the token activation email they receive when their AuthPoint user account is created.
n Navigate to the IdP portal and click the Activate Token link on the authentication page.

Use Case:

Users might choose to activate their token from the authentication page if they do not receive the
Activation email or if MFA is required for their email account.

The link in the activation email opens a web page with instructions to activate the token.

The token activation web page

The link on the authentication page opens a window with a QR code that you scan to activate the token.

The Activate Token link on the authentication web page.

Identity Security Essentials Study Guide 19
 After users activate their token, they are prompted to set the name and display image for the token. This is optional,
but it makes each token easier to identify if you activate more than one token.

The activated token appears in the AuthPoint mobile app. By default, the token name contains the last five digits of
the token serial number.

An active token in the AuthPoint mobile app

The six-digit number below the token name is the one-time password (OTP). The red bar below the OTP indicates the
amount of time the OTP is valid.

Authentication with the AuthPoint Mobile App
When AuthPoint users log in to a computer or resource that requires MFA, they type a password, and then use the
AuthPoint mobile app to complete a second authentication method.

Users can use the mobile app to authenticate with these methods:

Push
With the Push authentication method, a push notification appears in the AuthPoint app. To authenticate, in the
AuthPoint app, tap Approve.

QR Code
With the QR Code authentication method, a QR code appears on the login page. To authenticate, in the
AuthPoint app, tap and scan the QR code from the screen.

One-Time Password (OTP)
With the OTP authentication method, the user must type a one-time password. In the AuthPoint app, the
OTP is the six-digit code that appears below the token. To authenticate, type the current token OTP on the
login page.

Identity Security Essentials Study Guide 20
 For RADIUS authentication, append the OTP to the end of your password. Do not add a
space.

Authentication without the AuthPoint Mobile App
If users forget their mobile device at home, or do not have access to it for some other reason, you can use the Forgot
Token feature to allow the user to log in without their mobile device for a specific amount of time.

The Forgot Token feature disables multi-factor authentication for a specific user for a specific amount of time. For the
amount of time you specify, the user is not required to authenticate with their mobile device to log in. When they log in,
they are only required to type their user name and password.

If a user does not have access to their phone because it has been lost or stolen, we recommend
that you block their token(s).

Here is an overview of the process to enable the Forgot Token feature for a user:

1. A user forgets or misplaces the mobile device they use for authentication. They must contact their AuthPoint
administrator.
2. The user provides the AuthPoint administrator with the Activation Code value shown in the Forgot Token
window.
3. The AuthPoint administrator provides the user with a Period value and a Verification Code.
4. The user types their password and validates the Period and Verification Code. Once validated, the user can
log in with their password.

Token Management
In the menu for each token, the user can select these options:
n Edit Token — Edits the token image and name.
n Show Token Details — Shows the token serial number and other token information. This can be useful
information for troubleshooting.
n Sync Token — Synchronizes the token time stamp with the AuthPoint cloud server.
n Migrate Token — Removes the token from this device and sends an activation email so that you can activate
the token on another device.
n Delete Token — Removes the token from the AuthPoint mobile app.

Identity Security Essentials Study Guide 21
 Users can open the menu and select Migrate All Tokens to migrate all of their tokens at
once. For each token, users receive an activation email they can use to activate that token on
a new device.

Token Security

We recommend users enable token security for additional protection in case another person gets
access to the mobile device. Users must enable token security to log in to their password vault in
the AuthPoint mobile app.

Users can enable token security from the menu in the AuthPoint mobile app. The token security options are:

PIN Protection
PIN protection is the primary token security method. You create one PIN and select which tokens to protect
with that PIN. When you enable PIN protection, you must type your PIN before you can authenticate with the
protected tokens.

Biometric Protection
Biometric protection is another method to unlock tokens that have PIN protection enabled. When you enable
biometric protection, you can use a biometric identifier, such as a fingerprint or your face, to unlock any
protected token without the PIN.

If token security is enabled for one or more tokens, you must validate your PIN or use a biometric ID (if enabled) to
unlock a token for authentication or make any changes to the token security settings.

Third-Party Tokens
The AuthPoint mobile app also supports third-party software tokens, such as tokens compatible with Google
Authenticator, for authentication to personal services and applications.

When you set up two-factor or multi-factor authentication with a third-party service, use the AuthPoint QR code
reader to activate a software token in the AuthPoint mobile app. If the third-party service does not provide a QR code,
you can select Manually Activate Token in the AuthPoint mobile app, and then type the token key.

Third-party software tokens that you activate in the AuthPoint app are separate from your WatchGuard tokens. You
can still use your third-party tokens for authentication even if your AuthPoint user account is blocked.

Identity Security Essentials Study Guide 22
 Hardware Tokens
In addition to software tokens, AuthPoint supports hardware tokens for authentication with an OTP. A hardware token
is a physical device with a built-in token.

To use third-party hardware tokens with AuthPoint multi-factor authentication, you must:
n Buy supported hardware tokens from a vendor.
n Import hardware tokens to AuthPoint.
n Assign hardware tokens to users.
n Activate hardware tokens.

Each AuthPoint user can have up to 20 software tokens and any number of hardware tokens.

Third-party hardware token requirements:
n Response Format — Six-digit time-based OTP that includes only numbers with a 30 or 60 second time interval
n Algorithm — OATH time-based OTP (RFC 6238)
n Seed Delivery — OATH PSKC file (RFC 6030)

Manage Hardware Tokens
When you import third-party hardware tokens into AuthPoint, you must upload the seed file and provide a key.
n Seed File — The seed file is a Portable Symmetric Key Container (PSKC) file that is used to import hardware
token information into AuthPoint. This file contains device information for each hardware token. The supported
file types for a seed file are.XML,.PSKC,.TXT, and.VIP.
n Key — The key is used to decrypt the seed file so AuthPoint can validate the one-time passwords (OTPs) that
the hardware tokens generate. The key can be a string of characters that you type in AuthPoint or a file that
you upload. The supported file types for a key file are.TXT and.BIN. You receive the seed file and key from
your hardware token vendor.

WatchGuard hardware tokens are automatically associated with your account, so you do not
need a seed file.

After you import hardware tokens, you must assign each token to an AuthPoint user, and then activate the token.

Identity Security Essentials Study Guide 23
 Authenticate with a Hardware Token
You can use hardware tokens to authenticate with an OTP. You authenticate with hardware tokens the same way you
authenticate with the software tokens on your mobile device. When you log in to a resource that requires
authentication, select the option to authenticate with OTP and type the OTP shown on your hardware token.

Identity Security Essentials Study Guide 24
 AuthPoint Groups and Users
AuthPoint groups define the authentication requirements for user access to AuthPoint resources.

In the AuthPoint management UI, use these pages to manage groups and users:

Groups page — Manage AuthPoint groups
Add local AuthPoint user groups and see the external groups you have imported from Active Directory and
Azure Active Directory. In AuthPoint, groups define which resources your users have access to.

Users page — Manage AuthPoint users and tokens
Add and edit local AuthPoint users, and see imported users. Manage tokens for all AuthPoint users.

External Identities page — Synchronize users and groups from an external database
Import users from Azure Active Directory, Active Directory, or an LDAP database, and assign those users to
an AuthPoint group.

You must add at least one AuthPoint group before you add or import users. Users can belong
to any number of groups in AuthPoint.

Identity Security Essentials Study Guide 25
 Groups
In AuthPoint, groups define which resources your users have access to and which Corporate Credentials are shared
with them. You add users to groups in AuthPoint, then you add the groups to the authentication policies that specify
which resources users can authenticate to.

You can create local groups in AuthPoint and you can import external groups from Active Directory and Azure Active
Directory when you configure a group sync for an external identity.

When you add a group in AuthPoint, you specify these settings:
n Group name
n Description

Users
For a user to use AuthPoint, you must create an AuthPoint user in your account and select the group the user belongs
to. Each AuthPoint user account requires one AuthPoint user license. When you add a user, the user is assigned a
token. The user receives an email with instructions to activate the token in the AuthPoint app.

Each user must be a member of an AuthPoint group. For this reason, you must add at least one
group before you can add users to AuthPoint.

There are two ways to add AuthPoint user accounts:
n Add local AuthPoint users manually
n Synchronize users from an external user database

Identity Security Essentials Study Guide 26
 When you add or sync user accounts, you choose whether to have AuthPoint create mobile tokens for the new user
accounts and send email messages to the users to activate their mobile tokens. AuthPoint does this by default. In
most cases, we recommend that you assign a token to users and send them the Token Activation email. User
accounts need a token to authenticate with AuthPoint. You might choose not to do this for users that use hardware
tokens for authentication, or for service accounts that bypass MFA with basic authentication.

Add Local AuthPoint Users Manually
You can add local AuthPoint users on the Users page in the AuthPoint management UI.

Because you can create only one user at a time, you most commonly add users manually
when you want to create test users or need to add only a small number of users.

Unlike users synchronized from an external Active Directory or an LDAP database, users that you create manually in
AuthPoint define and manage their own AuthPoint password.

When you manually create a user account, AuthPoint sends the end user two emails:
n An email to set their AuthPoint password
n An email to activate their AuthPoint token

From the Users page, you can also resend these emails, if needed.

Sync Users from an External User Database
You can synchronize users from an Active Directory or a Lightweight Directory Access Protocol (LDAP) database.
This is a quick way to add users already defined on your network. AuthPoint integrates with your domain controller to
keep the user accounts in sync.

Diagram of LDAP user import, and authentication workflow.

Identity Security Essentials Study Guide 27
 To configure AuthPoint to synchronize users from an Active Directory, Azure Active Directory, or LDAP database, you
must add an external identity and create one or more queries:

External identity
An external identity specifies settings required for AuthPoint to connect to an external user database. There
are two types of external identities:
n LDAP — The Lightweight Directory Access Protocol (LDAP) external identity type syncs users from Active
Directory or an LDAP database. For AuthPoint to connect to an LDAP external identity, you must link the
external identity to an AuthPoint Gateway.
n Azure AD — The Azure AD external identity type syncs users from Azure AD. This type of external identity
does not require the AuthPoint Gateway.

Queries
For each external identity, queries specify which users to sync. AuthPoint uses the queries to request user
information from the external user database and create AuthPoint users for the users that match the query. For
each LDAP query, you specify which AuthPoint group you want the users to be a member of.

AuthPoint does not store user passwords for synchronized users. When a synchronized user
authenticates, AuthPoint sends the LDAP credentials to the domain controller for validation.
After the domain controller validates the credentials, AuthPoint handles any other
authentication options specified in the access policy for the user group.

To synchronize users from Active Directory or an LDAP database, you must link the LDAP external identity to an
AuthPoint Gateway. You must install the AuthPoint Gateway on your corporate network in a location that has Internet
access and that can connect to your LDAP server.

The AuthPoint Gateway connects to a domain controller to import users from an Active Directory or LDAP database.
The AuthPoint Gateway is also required to validate user credentials when users authenticate.

For more information about Gateway configuration, see AuthPoint Gateway.

Azure Active Directory does not require the AuthPoint Gateway.

Identity Security Essentials Study Guide 28
 For each external identity you can add queries, check the connection, or start a manual synchronization.

Before you can sync Active Directory or LDAP users, you must link the LDAP external identity to
an AuthPoint Gateway. You must install the AuthPoint Gateway on your corporate network in a
location that has Internet access and that can connect to your LDAP server.

There are two query types:
n Group Sync — Select the LDAP groups you want to sync users from. AuthPoint creates the query for you
based on the group you choose. This is the simpler option, and is recommended.
n Advanced Query — Create your own LDAP queries to specify which groups or users to sync.

Identity Security Essentials Study Guide 29
 When you configure a group sync to sync users from Active Directory or Azure Active Directory, you can enable the
Create new synchronized groups option to create new groups in AuthPoint based on the Active Directory or Azure
Active Directory groups that you sync users from. If you enable this option, users sync to the new groups based on
group membership in the LDAP database, in addition to the selected AuthPoint group.

This option is only available for Active Directory and Azure Active Directory.

You can add multiple queries. To add a query or to see the list of configured queries, select the query type.

Before you sync users, make sure that each user in your external user database has a valid email
address. Users must have an email address so that AuthPoint can send a token activation email.
LDAP users without a user name, first name, or email address are not included in the
synchronization.

Identity Security Essentials Study Guide 30
 After you add a query to find your users, AuthPoint syncs with your Active Directory, Azure Active Directory, or LDAP
database at the next synchronization interval and creates an AuthPoint user account for each user identified by the
query. From the External Identities page, you can also manually start a synchronization. On the Users page, you can
identify users synced from an external identity by the label in the Type column..

If you enabled the option to synchronize external groups to AuthPoint, the synced groups are created in AuthPoint.
Users sync to the new groups based on group membership in the LDAP database, in addition to the selected
AuthPoint group.

The newly created groups appear on the Groups page. On the Groups page, you can identify synced groups by the
label in the Type column.

You manage the external groups in your external user database. If you change name of a synced group in Active
Directory or Azure Active Directory, the synced group in AuthPoint will be updated to match. You cannot edit the
synced groups in AuthPoint. You can only delete them.

Identity Security Essentials Study Guide 31
 Monitor User and Token Status
On the Users page you can see your AuthPoint users and the details for each user account.

The User Name column shows the status of the user account:

User Status Definition

Activated The user account is activated and can authenticate with any active tokens.

Quarantined The LDAP synced user account cannot authenticate because the LDAP user was moved or
deleted, the external identity was deleted, or other domain information was changed.
Quarantined users cannot log in to their password vault.

Blocked The user cannot authenticate to any AuthPoint protected resources and cannot log in to their
password vault. The user can still use third-party tokens, such as Google Authenticator, to
authenticate to third-party resources that are not protected by AuthPoint.

The Token column shows the status of the user's tokens:

Token
Status Definition

Pending The user has not activated the token.

Activated The user has activated the token and can use it for authentication.

Blocked The token is blocked and the user cannot authenticate with that token. The user can still use other
active WatchGuard tokens, if they have any, to authenticate.

Identity Security Essentials Study Guide 32
 Block Users and Tokens
A user must have an active token to authenticate or log in to their password vault. Each active token is associated
with a specific device. On the Users page, you can manage your AuthPoint users and the tokens assigned to them.

There are two ways to prevent authentication:

Block a User
Block a user to prevent authentication with any of the user's WatchGuard tokens on any mobile device. A
blocked user cannot cannot log in to their password vault. A blocked user can still use their third-party tokens,
such as Google Authenticator, to authenticate with third-party resources.

USE CASE:

A user leaves your organization or their user account has been compromised in some way. To block
authentication with any WatchGuard token for that user, you can block the user.

Block a Token
Block a token to prevent user authentication with a specific token. While a token is blocked, the user can still
authenticate with other active tokens. A user must have at least one active token in the AuthPoint mobile app
to log in to their password vault on that device.

USE CASE:

A user loses their phone. To block authentication from that device, you can block the token activated for
that device. If the user has an active token on another device, the user can still authenticate with the
other active token. If the user finds their phone, you can activate the token so the user can use it again
from that device.

Identity Security Essentials Study Guide 33
 Quarantined Users
If you move or delete a user account in your LDAP database, the linked AuthPoint user account is marked
Quarantined. In the Users list, Quarantined user accounts display a yellow icon next to their user name.

AuthPoint quarantines user accounts if the External Identity was deleted or other domain
information changed.

Users with quarantined user accounts cannot authenticate until you restore or move them back to the original location
in the LDAP database. If you moved or deleted the user account intentionally, the quarantined account remains in
AuthPoint until you delete it in AuthPoint.

To delete an LDAP user in AuthPoint, the best practice is to enable the Quarantined Users
Cleanup feature on the Settings page. This feature automatically deletes LDAP synced users with
the Quarantined status.

Identity Security Essentials Study Guide 34
 AuthPoint Authentication

AuthPoint Authentication
The content in this section covers AuthPoint authentication. You will learn about authentication policies and policy
objects, as well as information about the AuthPoint password manager and supporting features such as corporate
credentials.

In this section, you learn about:
n AuthPoint authentication policies
n AuthPoint policy objects
n Policy precedence
n Password management
n Corporate credentials
n Dark Web Monitor

Identity Security Essentials Study Guide 35
 AuthPoint Authentication

Authentication Policies
Authentication policies specify which resources AuthPoint users can authenticate to and which authentication
methods they can use (Push, QR code, and OTP). A user who is not a member of a group that has an authentication
policy for a specific resource cannot authenticate to log in to that resource.

Authentication policies must apply to at least one group. For this reason, you must add at least
one AuthPoint group before you can create authentication policies.

When you configure an authentication policy, you specify:
n Whether the policy allows or denies authentications.
n Which authentication methods are required.
n Which resources the policy applies to.
n Which user groups the policy applies to.
n Which policy objects apply to the authentications.

Identity Security Essentials Study Guide 36
 AuthPoint Authentication

In each authentication policy, you specify whether the policy allows or denies authentications. If you require MFA for
the policy, you choose whether to require a password, and select allowed authentication options.

Authentication options for an authentication policy.

If you select more than one authentication option for a resource, users must choose one of the available options when
they authenticate to that resource. For example, if you select OTP and Push, users can either type their OTP or
approve a push to authenticate, but you cannot require that they do both.

For RADIUS authentication, if you enable the push and OTP authentication methods for a policy, RADIUS resources
associated with that policy use push notifications to authenticate users.

RADIUS resources do not support QR code authentication.

RADIUS client resources that use MS-CHAPv2 only support the Push authentication
method.

Policy Precedence
Precedence is how AuthPoint determines which authentication policy to use when multiple policies could apply to a
user authentication. When two policies conflict, the order of your authentication policies determines which policy
applies. To determine whether a user can access a resource and how they authenticate, AuthPoint uses the highest
policy in the list that matches the conditions of the authentication.

The conditions of the authentication include:
n The resource the user authenticates to.
n The AuthPoint groups the user is a member of.
n The user's IP address (for network locations).

Identity Security Essentials Study Guide 37
 AuthPoint Authentication

n The time of the authentication (for time schedules).
n The location of the user (for geofence and geokinetics).

When you add a policy object to an authentication policy, the policy only applies to user authentications that match
the conditions of the authentication and the policy objects. For example, policies with network locations only apply to
user authentications that originate from that network location. If the authentication request does not contain the origin
IP address, the policy does not apply.

In the example above, if a user is a member of both the Support group and the Sales group, the policies for their
groups conflict.
n The Support policy requires a password and an OTP to log in to Salesforce.
n The General policy requires a password and a push to log in to Salesforce.

In this example, when a user who is a member of both the Support group and the Sales group logs in to Salesforce,
the Support policy applies because it is the highest policy that matches the conditions of the authentication.

To change the order of policies in the list, you can:
n Drag a policy to move it.
n Type a number in the Order column.

Identity Security Essentials Study Guide 38
 AuthPoint Authentication

Policy Objects
Policy objects are the individually configurable components of a policy, such as network locations, that enable you to
define specific scenarios that authentication policies apply to. You configure policy objects and then add them to
authentication policies.

You can configure these types of policy objects:
n Network locations
n Time schedules
n Geofences
n Geokinetics

When you add a policy object to an authentication policy, the policy only applies to user authentications that match
the conditions of the authentication and the policy objects. For example, if you add a specific network location to a
policy, the policy only applies to user authentications that come from that network location.

We recommend that you create a second policy for the same groups and resources without the policy object. Users
who only have a policy that includes a policy object do not get access to the resource when the conditions of the
policy object do not apply to the authentication (because they do not have a policy that applies, not because
authentication is denied).
n Users who only have a policy that includes a network location do not get access to the resource when they
authenticate outside of that network location.
n Users who only have a policy that includes a time schedule do not get access when they authenticate outside
the hours of that time schedule.
n Users who only have a policy to allow access that includes a geofence do not get access to the resource when
they authenticate outside of the specified countries.

If you have two policies (one with a policy object and one without), assign a higher priority to the policy with the policy
object.

Geokinetics policy objects work differently than other policy objects because they apply after
an authentication is complete. Geokinetics do not affect the conditions of an authentication,
so when you add a geokinetics policy object to an authentication policy, you do not have to
create a second policy without the geokinetics policy object.

Network Location Policy Objects
Network location policy objects enable you to configure a list of IP addresses. You can then configure specific
authentication policies that only apply when users authenticate from these IP addresses. For example, you might
create a network location for your organization's corporate office.

Identity Security Essentials Study Guide 39
 AuthPoint Authentication

When you add a network location to an authentication policy, the policy only applies to user authentications that come
from that network location.

USE CASE:

To allow users to log in without MFA when they are in the office, you create a network location for your
organization's corporate office and add it to a new authentication policy that only requires password
authentication.

Users who only have a policy that includes a network location cannot get access to the resource when they
authenticate outside of that network location (because they do not have a policy that applies, not because
authentication is denied).

Network locations require an Internet connection. For RADIUS authentication and basic authentication (ECP),
AuthPoint does not apply policies that include a network location because AuthPoint cannot determine the IP address
of the end user or the origin IP address.

For Remote Desktop Protocol (RDP) connections, AuthPoint uses the IP address that connects to port 3389 or port
443 to determine if the authentication comes from a network location. If you configure RDP to use a port other than
3389 or 443, AuthPoint cannot identify the IP address of the end user. In this scenario, policies with a network
location do not apply to the authentication.

Time Schedule Policy Objects
Time schedule policy objects enable you to specify the dates and times when authentication policies apply to user
authentications. You might configure a time schedule policy object if you want to:
n Allow authentication only during specified times, such as work hours.
n Restrict authentication during specific times, such as non-work hours and holidays.
n Enforce different authentication requirements at different times.
n Use a safe network location to allow users to bypass MFA when they authenticate from the office, but only
during specified times, such as work hours.

USE CASE:

To allow users to log in without MFA during the workday, you create a time schedule for your
organization’s work hours and add it to a new authentication policy that only requires password
authentication.

When you add a time schedule to an authentication policy, the policy only applies when a user authenticates during
the specified time schedule. Users who only have a policy that includes a time schedule cannot get access to the
resource when they authenticate outside the hours of that time schedule.

Identity Security Essentials Study Guide 40
 AuthPoint Authentication

AuthPoint does not dynamically adjust for daylight saving time. When you configure a time
schedule, you must select the Adjust for daylight saving time check box when daylight
saving time applies, and clear the check box when daylight saving time does not apply.

Geofence Policy Objects
The geofence policy object enables you to specify a list of countries, and then configure authentication policies that
only apply when users authenticate from those countries. You might do this if you want to enforce different MFA
requirements for different locations, or if you want to block authentication from specific countries.

USE CASE:

To enforce stricter MFA requirements when users log in from Canada, you create a geofence for Canada
and add it to a new authentication policy that requires push and password authentication.

When you add a geofence to an authentication policy, the policy only applies to user authentications that come from a
country specified in the geofence policy object. Users who only have a policy to allow access that includes a geofence
cannot get access to the resource when they authenticate outside of the specified countries (because they do not
have a policy that applies, not because authentication is denied).

To support authentication with the geofence policy object, you must install these versions of the AuthPoint agents:
n AuthPoint agent for Windows v2.7.1 or higher
n AuthPoint agent for RD Web v1.4.2 or higher
n AuthPoint agent for ADFS v1.2.0 or higher

The AuthPoint agent for ADFS only supports geofence policy objects if you use the custom
WG ADFS theme or another custom ADFS theme. You cannot use the default ADFS theme.

To support the geofence policy object for RD Web, you must edit the webscripts-domain.js
file on your RD Web Access server and configure the client to save the user location as a
cookie on the RD Web server. This enables RD Web to send the user’s coordinates to
AuthPoint when the user authenticates.

Identity Security Essentials Study Guide 41
 AuthPoint Authentication

These resources do not support geofence:
n AuthPoint agent for macOS
n RADIUS

For RADIUS authentication, policies that include a geofence policy object do not apply
because AuthPoint cannot determine the IP address of the end user or the origin IP address.

Geokinetics Policy Objects
The geokinetics policy object enables you to create policy objects that compare the user's current location and the
location of their last valid authentication. AuthPoint automatically denies authentications from a location the user
could not have travelled to since their previous authentication, based on the distance and time between
authentications.

When you create a geokinetics policy object, you specify the maximum travel speed that is allowed.

USE CASE:

An attacker from another country has obtained a user’s login credentials and attempts to log in to a
protected resource that is protected by MFA. The attacker uses social engineering or push bombing to
get the user to approve the push notification. With geokinetics, even if the user approves the push,
AuthPoint denies the authentication if the attacker is in a location that the user could not have travelled to
in the time since they last authenticated.

Geokinetics policy objects work differently than other policy objects because they apply after an authentication is
complete.

For other policy objects (geofence, time schedule, network locations), when you add the policy object to an
authentication policy, the policy applies only to user authentications that match the conditions of the authentication
and the policy objects. For example, if you add a specific network location to a policy, the policy applies only to user
authentications that come from that network location.

Geokinetics do not affect the conditions of an authentication, so when you add a geokinetics policy object to an
authentication policy, you do not have to create a second policy without the geokinetics policy object.

To support authentication with the geokinetics policy object, you must install these versions of the AuthPoint agents:
n AuthPoint agent for Windows v2.7.1 or higher
n AuthPoint agent for RD Web v1.4.2 or higher
n AuthPoint agent for ADFS v1.2.0 or higher

Identity Security Essentials Study Guide 42
 AuthPoint Authentication

To support the geokinetics policy object for RD Web, you must edit the webscripts-domain.js
file on your RD Web Access server and configure the client to save the user location as a
cookie on the RD Web server. This enables RD Web to send the user’s coordinates to
AuthPoint when the user authenticates.

These resources do not support geokinetics:
n AuthPoint agent for macOS
n RADIUS

For RADIUS authentication, policies that include a geokinetics policy object do not apply
because AuthPoint cannot determine the IP address of the end user or the origin IP address.

Location Data for Geofence and Geokinetics Policy Objects
When a user authenticates, location data identifies the area that the user is authenticating from. When you configure
a geofence or geokinetics policy object, you can choose to allow location data with low accuracy. User locations
identified from low accuracy data have a larger radius. For example, high accuracy location data might be accurate to
within 10 meters of the actual location of the user, but low accuracy location data might only be accurate to within a
kilometer of the actual location.

For browser-based authentication, when a user authenticates the browser prompts them to share their location. If the
user accepts, the browser sends the geographical coordinates of the user location to AuthPoint. AuthPoint associates
the coordinates with a country and uses this information to determine which policies apply to the authentication. This
is high accuracy location data.

If the user does not accept the prompt to share their location, their location will be based on the IP address. AuthPoint
considers location data based on IP address to be low accuracy.

These resources use browser-based location data:
n IdP portal
n SAML
n RD Web
n ADFS

AuthPoint supports location data based on the IP address for these types of authentication only:
n RDP connections
n Firebox resources
n Windows virtual machines (VMs)

Identity Security Essentials Study Guide 43
 AuthPoint Authentication

The AuthPoint agent for Windows uses the Windows API to get the location of the user. If the
agent is installed on a Windows VM, the location data is always based on the IP address (low
accuracy).

Identity Security Essentials Study Guide 44
 AuthPoint Authentication

Password Management
With AuthPoint password management, you can save your login credentials in a personal password vault that is
available from the AuthPoint mobile app and the AuthPoint browser extension. With this feature, the only password
you have to remember is the password to your vault, and you can use the AuthPoint app and browser extension to
autofill your credentials when you log in.

From the password manager, you can:
n See and manage the passwords in your vault
o Add passwords to your vault

o Import and export existing passwords to your vault
o Generate a new password
o Share a password
n Manage your password vault
o Synchronize your password vault

o Evaluate the security of your passwords
o Manage sites that autofill credentials
o Manage password vault sessions
o Reset your vault password

If you have multiple AuthPoint user accounts, each user account has a separate password vault. In the AuthPoint
mobile app, you can only use the password vaults for AuthPoint user accounts that have an active token on the
mobile device.

To access your vault in the browser extension, you must first authenticate to the IdP portal or a SAML resource.

If your AuthPoint user account is blocked or deleted, you cannot access your password vault.

When You First Log In
The first time you log in to the password manager, you must create a vault password to protect your password vault.
The vault password is a unique password that you require to log in to the password manager from the mobile app and
browser extension. The vault password is separate from your AuthPoint password.

After you create a vault password, you receive a recovery key that you can use to recover your data if you forget your
vault password. You cannot reset your password without the recovery key.

Identity Security Essentials Study Guide 45
 AuthPoint Authentication

See and Manage Your Passwords
On the Passwords page, you can see and manage the passwords in your password vault. Your password vault
displays your Private passwords and your Corporate passwords separately. This helps you organize your passwords.
When you add a password, you choose which list the password is shown in.

Click on a password to open that website and log in with the credentials saved in your vault.

You can use the generate password feature to quickly generate secure new passwords. You can specify length and
character requirements for the generated password. Generated passwords are more secure because they consist of
a random string of characters, which is difficult for attackers to guess.

When you edit a password, you can see the date the password was created and the date the
password was last updated.

Sometimes, you might not see all passwords if you add or edit a password in your password vault on one device, and
then open your password vault on another device. If you do not see all your passwords in your password vault,
synchronize your account.

Import and Export Existing Passwords to Your Vault
To save time, you can import saved credentials from third-party password managers, such as Google Chrome, into
your AuthPoint password vault. You can also export the passwords from your Private AuthPoint password vault to a.CSV file. You might do this if you leave your company and want to save your personal passwords.

If your AuthPoint user account is blocked or deleted, you cannot access your password vault or export your
passwords. If your AuthPoint user account is deleted, your password vault is also deleted.

Share a Password
You can share a password in your vault with other users from your company. You might do this if you have a shared
account that is used by multiple people, such as a social media account.

You can only share passwords from your Corporate vault. You cannot share passwords from
your Private vault.

Identity Security Essentials Study Guide 46
 AuthPoint Authentication

When you share a password, the users you share the password with must accept the invitation. Users that accept the
shared credentials see the password in their vault and the Sharing Center. The Sharing Center is a page in your
password vault where can you see and manage the passwords that you have shared with other users, and the
passwords that other users have shared with you.

If users reject a shared password request, the password is not added to their vault. You do not receive notifications
when users accept or reject a shared password request.

Users that receive a shared password cannot make changes to the shared password. If the
owner of the password makes changes, the password automatically updates for all users that
it is shared with.

When you share a password, be aware of these requirements:
n You can share passwords with only users who have an active AuthPoint user account with your company, and
have logged in to their password vault at least once.
n You must have an Internet connection to share a password.
n You cannot share passwords that have been shared with you.

You can choose to no longer share a password at any time. When you stop sharing a password with a user,
AuthPoint immediately removes it from their password vault.

Evaluate the Security of Your Passwords
Use the Security Report feature to evaluate the strength of your passwords. In the password manager, the Security
Report page shows you this information:
n Leaked Passwords — The number of passwords you use that have been exposed in a data breach.
n Weak Passwords — The number of passwords you have that are not considered complex. These passwords
are easy to guess or vulnerable to brute force attacks.
n Duplicate Passwords — The number of passwords that you use for more than one account. Using the same
password for multiple accounts leaves you more vulnerable.
n Old Passwords — The number of passwords that you have not changed in a long time. We recommend that
you change your passwords periodically for each account.

You can tap on a report item to see more information. You can also tap Start a leaked password check to learn if any
of your passwords have been compromised in a known data breach.

The leaked passwords check includes passwords that have been exposed directly and indirectly. For example, if you
have an account with the password asdf1234, and another person's account with that same password was part of a
data breach, your account is also considered leaked.

Identity Security Essentials Study Guide 47
 AuthPoint Authentication

Manage Password Vault Sessions
The Manage Sessions feature enables you to remotely end specific password manager browser and app sessions to
protect your data and prevent access to your password vault by unauthorized users.

When you end a session, that session logs out of the password vault immediately and you must authenticate with
your user name and vault password to log in again. You can also choose to log out from all websites, close all open
tabs, and delete the browsing history for that browser session. You might do this if you forget to log out of your
password vault on a shared device.

When you view a specific session, you can see this information:
n Device type
n Device OS
n IP address
n Approximate location of the device (based on the IP address)

Manage Sites that Autofill Credentials
Excluded sites are websites that AuthPoint does not store or autofill credentials for. You might configure this if you do
not want to be prompted to save your password for a specific website. You can see and manage your excluded sites
from the Excluded Sites page in the AuthPoint browser extension. This feature is not available in the AuthPoint
mobile app.

Manage Unique Sites
If you have different accounts for multiple subdomains of a website, such as admin.example.com and
mail.example.com or example.com/admin and example.com/mail, you can set each subdomain as a unique site to
keep the credentials separate in your password vault.

You can see and manage your unique sites from the Unique Sites page in the AuthPoint browser extension. This
feature is not available in the AuthPoint mobile app.

Identity Security Essentials Study Guide 48
 AuthPoint Authentication

Corporate Credentials
You can create Corporate Credentials to share a direct link to a specific website with specific user groups. You might
do this for websites or applications that do not support SAML or that are not managed by your company. For example,
you might create Corporate Credentials to provide users with a link in the IdP portal to the website they use to
manage their 401k accounts.

When you create Corporate Credentials, you can choose to share the login credentials for that website or account.
For example, you might share the credentials to a corporate social media account with your marketing team.

Corporate Credentials are available in the IdP portal for users who are members of the groups that the Corporate
Credential is shared with. If you choose to share login credentials, the Corporate Credentials are also available in the
password vault.

If you choose to share login credentials, each user must accept the shared Corporate
Credentials in the password manager.

Identity Security Essentials Study Guide 49
 AuthPoint Authentication

Monitor Your Domains for Data Breaches
A data breach is the intentional or unintentional release of secure or confidential information to an untrusted
environment such as the dark web. AuthPoint Total Identity Security includes a Dark Web Monitor service to help you
monitor and protect your domains.

With the Dark Web Monitor service, WatchGuard actively monitors data breaches for up to three of your domains. If a
data breach is found to include your email addresses and domains, you receive a notification.

When you add a domain, you must select one of these email addresses for authorization requests:
n security@
n webmaster@
n postmaster@
n hostmaster@

To make sure that you own the domain, WatchGuard sends an authorization request to the selected email address.
You cannot specify a custom email address for authorization requests. If you do not have any of these email
addresses for the domain, you must create one.

If you update your domain in WatchGuard Cloud, you receive and must approve another authorization request before
the changes take effect.

Identity Security Essentials Study Guide 50
 AuthPoint Resources

AuthPoint Resources
The content in this section covers how to set up and configure AuthPoint multi-factor authentication to protect the
applications and services that your users connect to. You will learn about the AuthPoint Gateway and each type of
AuthPoint resource.

In this section, you learn about:
n IdP portal resource configuration
n Logon app configuration
n RD Web
n AuthPoint Gateway
n RADIUS communication
n RADIUS client resources
n SAML resource configuration
n SAML applications
n ADFS

Identity Security Essentials Study Guide 51
 AuthPoint Resources

IdP Portal Resource
The AuthPoint Identity Provider (IdP) portal is a page that shows users a list of SAML resources and Corporate
Credentials available to them. To configure the IdP portal, you add an IdP resource, and then assign it to one or more
user groups. When users log in to the IdP portal, they see the SAML resources and Corporate Credentials they have
access to. Users can click an application to open it in a new tab.

Corporate Credentials with shared login credentials are also available in the password vault.

Example of an IdP portal with SAML resources.

Users authenticate to the IdP portal. When the user selects a resource, AuthPoint sends the credentials
automatically. If a SAML resource requires a different authentication method than the method used for authentication
to the IdP portal, the user must complete the additional authentication step to access the resource.

Identity Security Essentials Study Guide 52
 AuthPoint Resources

Diagram of authentication flow for the IdP Portal resource.

You can configure only one IdP portal resource. Add an authentication policy for the IdP Portal resource to one or
more user groups. Users in those groups can then log in to the IdP portal to connect to applications available to them.

Manually created AuthPoint users can change their passwords on the IdP portal page. User accounts synced from an
Active Directory or LDAP database cannot reset or change their own passwords.

Users can also navigate to the IdP portal to:
n Activate a software token.
n Activate the Forgot Token feature.

These options are available on the authentication page, which opens when users log in to a protected resource that
uses SAML authentication, such as the IdP portal. It is where users choose an authentication method.

The option to activate a token is only available when users have a pending token that they
have not activated.

Identity Security Essentials Study Guide 53
 AuthPoint Resources

Logon App Resources
The Logon app is used to require authentication when users log on to a computer or server. This includes protection
for RDP and RD Gateway. In the logon screen, users must type their password or authenticate with Windows Hello
and then select one of the allowed methods of authentication (push notification, one-time password, or QR code).

There are two parts to the Logon app:
n The application you install on a computer or server (AuthPoint Agent)
n The resource you configure in AuthPoint

The Logon app adds MFA to Windows and Mac computers.

The authentication flow with the AuthPoint Logon app.

To set up the Logon app, you must:
n Configure a Logon app resource in the AuthPoint management UI.
n Configure an authentication policy for the Logon app resource or add the Logon app resource to your existing
authentication policies.
n Download the installer and the configuration file for the Logon app (these must be saved in the same directory
unless you use the command line for installation and set the contents or path of the config file as a parameter).

When you configure the Logon app resource, you can enable the Access for Non-AuthPoint Users feature to allow
users who do not have an AuthPoint user account to log in to protected computers without MFA. You can choose to
allow all non-AuthPoint users to log in without MFA, or you can specify up to 50 specific non-AuthPoint users that can
log in without MFA.

Non-AuthPoint users can only log in without MFA if an AuthPoint user account with the same user name does not
exist.

To install the Logon app, you can run the installer manually or you can run the installer with the command line. You
can also use the command line option for deployment through Active Directory Group Policy Objects (GPO).

Identity Security Essentials Study Guide 54
 AuthPoint Resources

The Logon app does not automatically upgrade to the latest version. To upgrade the Logon
app, you must download and install the updated version of the agent for Windows or the
agent for macOS.

When you install the Logon app, the computer must have an Internet connection before the user logs on for the first
time. The Logon app must be connected to the Internet so it can communicate with AuthPoint to verify the
authentication policies. After the first successful authentication, the computer stores the most recent authentication
policies locally. The Logon app uses this local policy set when the user authenticates offline, and updates it when the
computer has an Internet connection.

Because push notifications require Internet access, we recommend that the authentication policy
for the Logon app includes the QR code or OTP authentication options so users can authenticate
when they are not connected to the Internet.

You can use one Logon app resource to create authentication policies for all of your groups. You do not need to
configure additional Logon app resources for each computer that you install the Logon app on, regardless of the OS.
If you have only one Logon app resource, you can use the same configuration file for each installation of the Logon
app.

Identity Security Essentials Study Guide 55
 AuthPoint Resources

Authenticate with the Logon App
The Logon app supports both local and domain user accounts. To authenticate and log on, all domain and local users
must have an active AuthPoint user account with an authentication policy for the Logon app. Users that do not have
an AuthPoint user account with an active token cannot authenticate and log on to a computer with the Logon app
installed unless you enable the option to allow specific non-AuthPoint users to log in without MFA.

A user must first log in with Windows or Mac credentials. If those credentials are valid, the user must select a second
authentication option.

AuthPoint Authentication Options

If the computer does not have an Internet connection, the user must select the One Time Password or QR Code
authentication option to authenticate offline.

If the user does not have access to their mobile device, the user can select Forgot Token to start a process for the
administrator to temporarily disable MFA for that user account for a specific amount of time.

For the Logon app, the IP address used for network location policy objects can vary. For a local authentication, when
a user logs on to a computer with the Logon app installed AuthPoint identifies the authentication based on the user's
public IP address. When a user uses RDP to connect to a computer with the Logon app installed, AuthPoint identifies
the authentication based on the private IP address of the source computer that the user connects from.

With Microsoft Remote Desktop Services (RDS), there are multiple ways that users can
reach a computer through RDS. The method that is used determines whether AuthPoint
identifies the authentication based on the public or private IP address.

Identity Security Essentials Study Guide 56
 AuthPoint Resources

RD Web Resource
RD Web (Remote Desktop Web Access) is a portal that enables users to download applications to run software
remotely through the RD Gateway. The AuthPoint agent for RD Web adds the protection of multi-factor authentication
to RD Web. When a user types their user name and password on the RD Web page, the agent directs the request to
AuthPoint. The single sign-on page loads with available authentication options based on the authentication policy for
the AuthPoint group(s) the user belongs to.

Diagram of authentication flow for RD Web with AuthPoint

When you configure an RD Web resource in the AuthPoint management UI, you must select an AuthPoint identity
provider certificate to use for SAML authentication. This is for SAML applications that support RD Web.

RD Web Authentication
The AuthPoint RD Web resource enables MFA for user authentication to the RD Web Access portal.

From the RD Web access portal, users download applications for remote access to computers and applications.
Users can run those applications without a connection to the RD Web access portal. When a user runs a downloaded
RD Web application, the user does not connect to the RD Web portal again, and MFA is not required.

To require MFA when users connect to a remote desktop through an RD Web application, install
the AuthPoint Agent on the remote computer that the RD Web application connects to.

Identity Security Essentials Study Guide 57
 AuthPoint Gateway
The AuthPoint Gateway is a lightweight software application that you install on your network so that AuthPoint can
communicate with your RADIUS clients, the AuthPoint agent for ADFS, and your Active Directory or LDAP database.
The Gateway operates as a RADIUS server for RADIUS authentication, and can also import LDAP users and validate
their passwords.

Diagram of communications through the AuthPoint Gateway

The Gateway provides a secure link between the AuthPoint service in the cloud and the local authentication services
and clients on your network. The Gateway makes a secure connection to AuthPoint for user synchronization and
authentication requests.

Install a Gateway on a computer on your network for integration with:

RADIUS

The Gateway is a RADIUS server that can accept authentication requests from RADIUS clients.

LDAP

The Gateway imports users from the domain controller. The Gateway also validates user credentials each
time an LDAP user logs in to an AuthPoint resource that requires a password.

ADFS

The Gateway communicates with an installed AuthPoint ADFS agent to enable MFA for an existing
ADFS deployment.

Each Gateway can communicate with RADIUS, LDAP, and ADFS resources. You can also configure multiple
Gateways for the same resources for high availability.

Identity Security Essentials Study Guide 58
 Configure an AuthPoint Gateway
From the Gateway page in the AuthPoint management UI, you can add a Gateway. When you configure a Gateway,
you select RADIUS resources, ADFS resources, and LDAP external entities you want the gateway to communicate
with.

The Add Gateway page where you add resources.

You cannot select the same LDAP external identity in more than one AuthPoint Gateway.

In the Gateway configuration you can specify the RADIUS port. The default port used by the Gateway (RADIUS
server) to communicate with the RADIUS clients is port 1812. If you already have a RADIUS server installed that uses
port 1812 (or 1645), you must use a different port for the AuthPoint Gateway.

Identity Security Essentials Study Guide 59
 After you add the Gateway, copy the registration key, which you need to install the Gateway.

The Gateway registration key is a one-time use key. If your Gateway installation fails, you
must generate a new registration key before you try to install the Gateway again.

Install the Gateway Software
Before you install the AuthPoint Gateway, make sure that:
n The computer you will install the Gateway on has Internet access.
n The computer you will install the Gateway on can communicate with your RADIUS clients and Active Directory
or LDAP database.
n You have the registration key for your Gateway.

When you install the AuthPoint Gateway, you must provide the Gateway registration key. The key is used to register
the Gateway and enables WatchGuard Cloud (AuthPoint) to identify and communicate with the installed Gateway.
The installer connects to your AuthPoint account and downloads the Gateway configuration.

For the Gateway to work, you might have to create a new inbound firewall rule for the UDP
RADIUS port that you configured or disable the Windows firewall.

The Gateway runs as four services. The Gateway service handles connections to your AuthPoint account in the cloud
and sends configuration settings to the other three services, which handle RADIUS, ADFS, and
LDAP communication on the local network.

Monitor Gateway Status
On the Gateway page, you can see the s