Summary

This is a WatchGuard training study guide for identity security essentials, revised in October 2023. It covers topics such as AuthPoint, authentication policies, and corporate credentials.

Full Transcript

WatchGuard Training
Identity Security Essentials Study Guide
WatchGuard AuthPoint
Revision Date: October 2023

About This Document

Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.

In September 2023, the name of the Multi-Factor Authentication Essentials exam and courseware was changed to Identity Security Essentials.

Guide revised: 13 October 2023

Copyright, Trademark, and Patent Information

Copyright © 2023 WatchGuard Technologies, Inc. All rights reserved. All trademarks or trade names mentioned herein, if any, are the property of their respective owners.

About WatchGuard

WatchGuard® Technologies, Inc. is a global leader in network security, providing best-in-class Unified Threat Management, Next Generation Firewall, secure Wi-Fi, and network intelligence products and services to more than 75,000 customers worldwide. The company’s mission is to make enterprise-grade security accessible to companies of all types and sizes through simplicity, making WatchGuard an ideal solution for Distributed Enterprises and SMBs. WatchGuard is headquartered in Seattle, Washington, with offices throughout North America, Europe, Asia Pacific, and Latin America. To learn more, visit WatchGuard.com.

For additional information, promotions and updates, follow WatchGuard on Twitter, @WatchGuard on Facebook, or on the LinkedIn Company page. Also, visit our InfoSec blog, Secplicity, for real-time information about the latest threats and how to cope with them at www.secplicity.org.

Address
505 Fifth Avenue South
Suite 500
Seattle, WA 98104

Support
www.watchguard.com/support
U.S. and Canada +877.232.3531
All Other Countries +1.206.521.3575

Sales
U.S. and Canada +1.800.734.9905
All Other Countries +1.206.613.0895

Contents

- How to Use This Study Guide
- AuthPoint Basics
- Introduction to AuthPoint
- About Authentication
- AuthPoint Users and Tokens
- About Tokens
- AuthPoint Mobile App
- Hardware Tokens
- AuthPoint Groups and Users
- AuthPoint Authentication
- Authentication Policies
- Policy Objects
- Password Management
- Corporate Credentials
- Monitor Your Domains for Data Breaches
- AuthPoint Resources
- IdP Portal Resource
- Logon App Resources
- RD Web Resource
- AuthPoint Gateway
- RADIUS Client Resources
- Firebox Resources
- SAML Resources
- ADFS Resource
- RESTful API Client Resource
- Troubleshooting
- Additional Resources
- About the Identity Security Essentials Exam
- Exam Description
- Sample Exam Questions

How to Use This Study Guide

This guide is a resource to help you study for the Identity Security Essentials certification exam. Use this guide in conjunction with instructor-led training, online video training and demos, and the WatchGuard Help Center documentation to prepare to take the exam.

For a list of recommended documentation and video resources to help you prepare for the exam, see Additional Resources.

For information about the exam content and format, see About the Identity Security Essentials Exam.

Document Conventions

This document uses these formatting conventions to highlight specific types of information:

This is a key point. It highlights or summarizes the key information in a section.

This is a note. It highlights important or useful information.

This is a best practice. It describes the recommended configuration for an AuthPoint feature.

USE CASE: This is a use case. It describes how you could configure AuthPoint in a real-world scenario.

This is a caution. Read carefully.
There is a risk that you could lose data, compromise system integrity, or impact device performance if you do not follow instructions or recommendations.

AuthPoint Basics

The content in this section covers basic multi-factor authentication concepts that are not unique to AuthPoint, and introduces the various AuthPoint components.

In this section, you learn about:

- Multi-factor authentication
- Authentication and authorization
- Authentication methods
- AuthPoint components
- AuthPoint management UI

Introduction to AuthPoint

Multi-factor authentication (MFA) is an authentication method that requires any combination of something you know (such as a password), something you have (such as a mobile phone), and something you are (such as a fingerprint).

AuthPoint is WatchGuard's multi-factor authentication service, and includes these products:

- AuthPoint Multi-Factor Authentication
- AuthPoint Total Identity Security

With AuthPoint, you can require users to authenticate with a mobile app or third-party hardware token when they log in to a protected resource, such as a computer, VPN, cloud service, or application.

A token is something, such as a digital signature or fingerprint, that identifies a user and associates the user with a device. It is used in addition to, or in place of, a password when the user logs in to a protected resource. The user activates a token on a device that is used for authentication, such as a mobile phone. This device is then used to gain access to protected resources that require multi-factor authentication.

Authentication and Authorization

Authentication gives administrators a way to identify the users that access resources. To authenticate, you must provide something that proves your identity, such as a password.

Authorization is how administrators define which users are allowed access to protected resources.
In AuthPoint, groups and authentication policies control authorization.

This guide assumes that you have some familiarity with the RADIUS, LDAP, and SAML authentication protocols. For an overview of how these protocols work, see the Authentication Basics section at the start of the Identity Security Essentials video course. The Identity Security Essentials video course is available in the Learning Center.

MFA Authentication Methods

Users install the AuthPoint mobile app on their phone. Then, when they log in to any protected online service or VPN, they must authenticate with one of these methods:

- Push Notification — When a user logs in, AuthPoint sends a push notification to the user's mobile device. The user approves the push notification to authenticate, or denies it to prevent an unauthorized access attempt.
- QR Code — When a user logs in, a QR code appears. The AuthPoint app uses the phone camera to scan the QR code and displays a verification code, which the user must type to authenticate. AuthPoint uses secure QR codes that only the AuthPoint mobile app can decrypt.
- One-Time Password (OTP) — When a user logs in, the user must provide a unique, temporary password generated by the AuthPoint app to authenticate.

AuthPoint uses the latest MFA methods to protect your trusted resources from unauthorized access. You can choose different authentication methods for specific user groups and applications.

AuthPoint Components

AuthPoint has several components:

AuthPoint Management UI

The AuthPoint management UI in WatchGuard Cloud is where you set up and manage users, user groups, resources, authentication policies, policy objects, corporate applications, external identities, and the AuthPoint Gateway.

Resources are the applications that you define for use with AuthPoint. Authentication policies specify which resources AuthPoint users can authenticate to and which authentication methods they can use.
External identities connect to user databases to get user account information and validate passwords.

The AuthPoint management UI also provides reports and audit logs to help you monitor authentication activity and troubleshoot any issues.

You configure Dark Web Monitoring from the Administration menu in WatchGuard Cloud.

AuthPoint Mobile App

The AuthPoint mobile app is required for authentication. Before you can authenticate with AuthPoint, you must install the AuthPoint mobile app on your mobile device and activate your WatchGuard token.

You can use the AuthPoint mobile app to view and manage your tokens, approve push notifications, get OTPs, scan QR codes, and view and manage your saved credentials. You can also enable Token Security to protect your tokens with a PIN or biometric ID. Before you can use your protected tokens for authentication with any method, you must unlock them with a PIN or your biometric ID.

The AuthPoint mobile app is not required for OTP authentication with a hardware token. For more information, see Hardware Tokens.

AuthPoint Browser Extensions

The AuthPoint browser extensions are used for password management. You can use the AuthPoint browser extensions to save and manage your credentials in a personal password vault.

AuthPoint Gateway

The AuthPoint Gateway is a lightweight software application that you install on your network so that AuthPoint can securely communicate with your RADIUS clients and LDAP databases. The Gateway operates as a RADIUS server for RADIUS authentication, and is also used to import LDAP users and validate their passwords.

The AuthPoint Gateway installer is available on the Downloads page in the AuthPoint management UI.

Logon App

The Logon app is used to require authentication when users log on to a computer or server. This includes protection for RDP and RD Gateway. The Logon app is also referred to as the AuthPoint Agent for Windows or Mac.
There are two parts to the Logon app: the application you install on a computer or server and the resource you configure in AuthPoint.

The Logon app installers are available on the Downloads page in the AuthPoint management UI.

AuthPoint Agent for ADFS

Microsoft Active Directory Federation Services (ADFS) is a Windows Server component that provides users with authenticated access to applications. With the AuthPoint ADFS agent, you can add MFA to ADFS for additional security.

There are three parts to the AuthPoint agent for ADFS: the agent you install, the Gateway, and the resource you configure in AuthPoint.

The ADFS agent installer is available on the Downloads page in the AuthPoint management UI.

AuthPoint Agent for RD Web

Microsoft Remote Desktop Web Access (RD Web) is a web page that shows a list of applications published from a server. From the web page, authenticated users can launch each application. The AuthPoint agent for RD Web adds MFA authentication to RD Web Access.

There are two parts to the AuthPoint agent for RD Web: the agent you install and the resource you configure in AuthPoint.

The RD Web agent installer is available on the Downloads page in the AuthPoint management UI.

About AuthPoint Resources

In AuthPoint, resources are the applications and services that your users connect to that are protected by AuthPoint multi-factor authentication (MFA).

AuthPoint supports these resource types:

- IdP Portal — A portal page that shows users the SAML resources available to an authenticated user.
- Logon App — The Logon app resource is used to configure and define authentication policies for the Logon app.
- RD Web — The RD Web resource is used to add MFA to Remote Desktop Web Access (RD Web).
- Firebox — The Firebox resource is used to enable AuthPoint as an authentication server on a Firebox that has been added to WatchGuard Cloud as a locally-managed Firebox.
- RADIUS Client — An application or service that uses RADIUS authentication (primarily firewalls and VPNs).
- SAML — An application or service that uses SAML authentication, such as Microsoft 365, Salesforce, or the Firebox Access Portal.
- ADFS — The ADFS resource is used to add MFA to ADFS authentication.
- RESTful API Client — The RESTful API Client resource is used to configure and define authentication policies for a RESTful API client.

To configure MFA for a resource, add the resource in AuthPoint, then configure an authentication policy for the resource or add the resource to your existing authentication policies. Authentication policies specify which resources require authentication and which authentication method to use (Push, QR code, OTP) when users connect to each resource.

AuthPoint Licenses

AuthPoint is a subscription identity security service. To use AuthPoint, you must activate an AuthPoint Multi-Factor Authentication or Total Identity Security license in your WatchGuard account. The AuthPoint license determines the number of users you can configure to use AuthPoint for MFA.

When you activate your AuthPoint license key, the user licenses are added to your WatchGuard Cloud account. If you are a WatchGuard Cloud Service Provider, you can allocate AuthPoint user licenses to accounts you manage in WatchGuard Cloud.

AuthPoint Management UI

To set up and manage AuthPoint, you use the AuthPoint management UI in WatchGuard Cloud. To connect to WatchGuard Cloud, go to cloud.watchguard.com. Log in with your WatchGuard portal credentials. If you have a Service Provider account, you must select an account from Account Manager to configure AuthPoint for that account.

Configure AuthPoint

To configure AuthPoint, select Configure > AuthPoint. The Summary page shows tiles with a summary of your AuthPoint configuration.
To configure AuthPoint settings you can click a tile title or click a link in the navigation menu:

- Authentication Policies — Configure authentication policies to specify which resources AuthPoint users can authenticate to and which authentication methods they can use (Push, QR code, and OTP).
- Resources — Configure the applications and services that your users connect to.
- Groups — Configure user groups.
- Policy Objects — Configure the policy objects to define specific scenarios that authentication policies apply to.
- Users — Manage AuthPoint users and tokens. You can add users directly in AuthPoint or import LDAP users from an external authentication server.
- External Identities — Configure the information required for AuthPoint to connect to your Active Directory or LDAP databases to get user account information and validate passwords.
- Gateway — Configure settings for the AuthPoint Gateway, a lightweight software application that you install on your network so that AuthPoint can communicate with your RADIUS clients, the AuthPoint agent for ADFS, and your Active Directory or LDAP database.
- Tokens — Import hardware tokens and associate them with users.
- User Inheritance — Send and manage user inheritance requests. Service Providers can request that managed accounts inherit an AuthPoint user from the Service Provider account.
- Corporate Credentials — Configure Corporate Credentials to share a direct link to a specific website with specific user groups.

The items in the AuthPoint management menu are listed in the optimal order to configure them. We recommend you start at Resources, and work your way down through each item in the list until your configuration is complete. Then configure authentication policies.

Monitor AuthPoint

Use AuthPoint dashboards and reports to monitor AuthPoint activity and status. To monitor AuthPoint, select Monitor > AuthPoint.
In the Monitor section of the AuthPoint management UI, you can see these dashboards and reports:

- User Activity — A bar graph that shows how many times each active user has authenticated, the last time each inactive user authenticated, and how and when blocked users were blocked.
- Authentication — A bar graph that shows successful and failed authentication attempts for each user. For each attempt, a list shows the authentication date, the token that was used, the authentication method, and the resource the user authenticated to.
- Resource Activity — A bar graph of resources that shows successful and failed authentication attempts for each resource. For each attempt, a list shows which user authenticated, the authentication date, the token that was used, and the authentication method.
- Denied Push Notifications — A bar graph that shows how many push notifications have been denied by users.
- Activation Activity — Shows a list of user tokens that have not yet been activated.
- Sync Activity — Shows information about the synchronization of your LDAP database, if you added an external identity.

Audit logs and notifications, available under the Administration menu, provide additional information about AuthPoint events that can be useful for troubleshooting.

Custom Branding

In WatchGuard Cloud, you can configure custom branding for AuthPoint. When you enable custom branding, you can customize the corporate branding of AuthPoint emails and the IdP portal for your account and any accounts that you manage.

To configure custom branding, select Administration > Branding.
You can customize these items for AuthPoint:

- Logos and images in emails sent by AuthPoint
- The reply-to email address for emails sent by AuthPoint
- The logo and thumbnail on the Set Password and Token Activation web pages
- The logo, thumbnail, and background image for the IdP portal

About Authentication

With AuthPoint MFA, each user installs the AuthPoint app on a mobile device, and activates a token. The user can then use the app to authenticate with the Push, QR code, or one-time password (OTP) authentication methods.

When a user tries to log in to a resource that requires authentication, the AuthPoint single sign-on (SSO) page appears. To log in, the user types their AuthPoint password (if required) and chooses an authentication method. The authentication methods available depend on the authentication policies that include the end user's groups. Some resources might require specific authentication methods, or allow only certain methods.

When a user authenticates, the web browser creates a session and remembers the user. While the user session is active, the user does not need to authenticate again for SAML resources, RD Web resources, or the IdP portal, unless the resource requires a more secure authentication method.

From most secure to least secure, the authentication methods are:

1. Push notification and QR code
2. One-time password
3. Password

For example, if you use a password and an OTP to log in to the IdP portal, you can then log in without authentication to any resource that has OTP as an allowed authentication option or that requires only a password.

The table below shows when an authenticated user must reauthenticate.
User Previously Authenticated With | Authentication Policy for Resource | Authentication Action
Password | Password | Log in without authentication
Password | Password + OTP, QR code, or Push | User must authenticate with OTP, QR code, or Push (no password required)
OTP | Password or OTP | Log in without authentication
OTP | Password + QR code or Push | User must authenticate again with QR code or Push (no password required)
OTP | OTP, QR code, or Push | Log in without authentication
QR code or Push | Any | Log in without authentication

Authentication Methods

Push Authentication

For push authentication, AuthPoint sends a push notification to your phone. You can either tap Approve to authenticate and get access to your applications, or tap Deny to prevent an access attempt that was not made by you.

If your token is protected by Token Security, the AuthPoint app opens and prompts you to unlock your token with a biometric ID or a PIN when you try to approve a push notification. After you validate, you can approve or deny the push notification.

When you deny a push notification, you can choose to disable AuthPoint push notifications temporarily. You might do this to protect yourself from push bombing or phishing attacks when you receive many spam push notifications. Attackers send spam push notifications to get users to mistakenly approve an MFA authentication request. When you disable push notifications, you can still authenticate with one-time passwords and QR codes.

QR Code

A QR code is a square barcode that your phone can scan to read stored data. AuthPoint uses secure QR codes to provide you with a verification code for authentication. Only the built-in AuthPoint app QR code reader can decrypt AuthPoint QR codes.

RADIUS client resources cannot use the QR code authentication option.

One-Time Password

An OTP is a unique, temporary password that is only valid for a short time. OTPs are used in addition to your normal password for authentication.
On the Token Management page of the AuthPoint app, you can see the OTP for each token and how long the OTP is valid. The OTP for protected tokens is hidden until you unlock your tokens.

AuthPoint Users and Tokens

The content in this section covers how to manage your users and groups in AuthPoint.

In this section, you learn about:

- Software and hardware tokens
- AuthPoint mobile app
- AuthPoint users and groups
- How to sync external users to AuthPoint
- How to block users and tokens

About Tokens

A token is something that contains information used to prove identity, like a digital signature or fingerprint. You activate or install a token on a device used for authentication (known as an authenticator). You can then use this device to gain access to protected resources that require MFA. To confirm your identity when you authenticate, you must prove that you have possession of the authenticator, or token, assigned to you.

AuthPoint supports two types of tokens:

Software Tokens

A software token is a token that you activate and install with the AuthPoint app on your mobile device. When you create a user in AuthPoint, a software token is automatically created for them. The user receives an email with instructions to download the AuthPoint mobile app and activate the token on a single mobile device. If a user has more than one device, the user must activate a separate token for each device.

Hardware Tokens

A hardware token is a physical device with a built-in token. You can use third-party hardware tokens with AuthPoint multi-factor authentication. To assign hardware tokens to users, you must buy supported hardware tokens from a vendor and import the tokens to AuthPoint. For more information, see Hardware Tokens.

Each AuthPoint user can have up to 20 software tokens and any number of hardware tokens.
Before a user can authenticate with AuthPoint, they must have at least one active hardware or software token.

AuthPoint Mobile App

The AuthPoint mobile app supports the Push, QR code, and OTP authentication methods.

For OTP authentication, you can use a hardware token instead of the AuthPoint mobile app. For information about hardware tokens, see Hardware Tokens.

To get started, users must install the AuthPoint mobile app on a mobile device and activate an AuthPoint token.

From the AuthPoint mobile app users can:

- Authenticate with MFA:
  - Approve a push notification
  - Check for pending push notifications
  - Get a one-time password (OTP)
  - Scan a QR code
  - Migrate tokens to a new device
- View and manage tokens:
  - Activate a token
  - See token details
  - Resynchronize a token
  - Protect a token with a PIN or biometric ID
- View and manage saved credentials in the password vault

The AuthPoint mobile app can contain multiple AuthPoint tokens, and also supports third-party tokens. If a user has more than one mobile device, the user must activate a unique token for each device.

Token Activation

To activate a token, users must download and install the WatchGuard AuthPoint mobile app on a mobile device.

There are two ways for users to activate a token on their mobile device:

- Click the link in the token activation email they receive when their AuthPoint user account is created.
- Navigate to the IdP portal and click the Activate Token link on the authentication page.

Use Case: Users might choose to activate their token from the authentication page if they do not receive the Activation email or if MFA is required for their email account.

The link in the activation email opens a web page with instructions to activate the token.

[Figure: The token activation web page]

The link on the authentication page opens a window with a QR code that you scan to activate the token.
[Figure: The Activate Token link on the authentication web page.]

After users activate their token, they are prompted to set the name and display image for the token. This is optional, but it makes each token easier to identify if you activate more than one token.

The activated token appears in the AuthPoint mobile app. By default, the token name contains the last five digits of the token serial number.

[Figure: An active token in the AuthPoint mobile app]

The six-digit number below the token name is the one-time password (OTP). The red bar below the OTP indicates the amount of time the OTP is valid.

Authentication with the AuthPoint Mobile App

When AuthPoint users log in to a computer or resource that requires MFA, they type a password, and then use the AuthPoint mobile app to complete a second authentication method.

Users can use the mobile app to authenticate with these methods:

Push

With the Push authentication method, a push notification appears in the AuthPoint app. To authenticate, in the AuthPoint app, tap Approve.

QR Code

With the QR Code authentication method, a QR code appears on the login page. To authenticate, in the AuthPoint app, tap and scan the QR code from the screen.

One-Time Password (OTP)

With the OTP authentication method, the user must type a one-time password. In the AuthPoint app, the OTP is the six-digit code that appears below the token. To authenticate, type the current token OTP on the login page.

For RADIUS authentication, append the OTP to the end of your password. Do not add a space.

Authentication without the AuthPoint Mobile App

If users forget their mobile device at home, or do not have access to it for some other reason, you can use the Forgot Token feature to allow the user to log in without their mobile device for a specific amount of time.

The Forgot Token feature disables multi-factor authentication for a specific user for a specific amount of time.
For the amount of time you specify, the user is not required to authenticate with their mobile device to log in. When they log in, they are only required to type their user name and password.

If a user does not have access to their phone because it has been lost or stolen, we recommend that you block their token(s).

Here is an overview of the process to enable the Forgot Token feature for a user:

1. A user forgets or misplaces the mobile device they use for authentication. They must contact their AuthPoint administrator.
2. The user provides the AuthPoint administrator with the Activation Code value shown in the Forgot Token window.
3. The AuthPoint administrator provides the user with a Period value and a Verification Code.
4. The user types their password and validates the Period and Verification Code. Once validated, the user can log in with their password.

Token Management

In the menu for each token, the user can select these options:

- Edit Token — Edits the token image and name.
- Show Token Details — Shows the token serial number and other token information. This can be useful information for troubleshooting.
- Sync Token — Synchronizes the token time stamp with the AuthPoint cloud server.
- Migrate Token — Removes the token from this device and sends an activation email so that you can activate the token on another device.
- Delete Token — Removes the token from the AuthPoint mobile app.

Users can open the menu and select Migrate All Tokens to migrate all of their tokens at once. For each token, users receive an activation email they can use to activate that token on a new device.

Token Security

We recommend users enable token security for additional protection in case another person gets access to the mobile device. Users must enable token security to log in to their password vault in the AuthPoint mobile app.

Users can enable token security from the menu in the AuthPoint mobile app.
The token security options are:

PIN Protection

PIN protection is the primary token security method. You create one PIN and select which tokens to protect with that PIN. When you enable PIN protection, you must type your PIN before you can authenticate with the protected tokens.

Biometric Protection

Biometric protection is another method to unlock tokens that have PIN protection enabled. When you enable biometric protection, you can use a biometric identifier, such as a fingerprint or your face, to unlock any protected token without the PIN.

If token security is enabled for one or more tokens, you must validate your PIN or use a biometric ID (if enabled) to unlock a token for authentication or make any changes to the token security settings.

Third-Party Tokens

The AuthPoint mobile app also supports third-party software tokens, such as tokens compatible with Google Authenticator, for authentication to personal services and applications.

When you set up two-factor or multi-factor authentication with a third-party service, use the AuthPoint QR code reader to activate a software token in the AuthPoint mobile app. If the third-party service does not provide a QR code, you can select Manually Activate Token in the AuthPoint mobile app, and then type the token key.

Third-party software tokens that you activate in the AuthPoint app are separate from your WatchGuard tokens. You can still use your third-party tokens for authentication even if your AuthPoint user account is blocked.

Hardware Tokens

In addition to software tokens, AuthPoint supports hardware tokens for authentication with an OTP. A hardware token is a physical device with a built-in token.

To use third-party hardware tokens with AuthPoint multi-factor authentication, you must:

- Buy supported hardware tokens from a vendor.
- Import hardware tokens to AuthPoint.
- Assign hardware tokens to users.
- Activate hardware tokens.
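As an added example (not WatchGuard code and not part of the study guide): a minimal verifier for the kind of OTP this guide requires of third-party hardware tokens, a six-digit OATH time-based OTP (RFC 6238) on a 30 or 60 second interval, together with the RADIUS convention of appending the OTP to the password with no space. The function names, the one-step clock drift window, the replay check, the `check_password` callback, and the HMAC-SHA-1 default from RFC 6238 are assumptions made for illustration; the secret is the published RFC test key.

```python
import hashlib
import hmac
import struct

# Published RFC 4226 / RFC 6238 test key, used here as constructed sample input.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC the 8-byte counter, then dynamically truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of elapsed time steps."""
    if step not in (30, 60):  # the two intervals the guide lists
        raise ValueError("step must be 30 or 60 seconds")
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, candidate, unix_time, step=30, drift_steps=1,
                last_counter=-1):
    """Return the matching time-step counter, or None if the OTP is rejected.

    drift_steps tolerates token clock drift (assumed policy). last_counter is
    the counter of the last accepted OTP; codes at or before it are refused so
    a captured code cannot be replayed inside its validity window.
    """
    if len(candidate) != 6 or not (candidate.isascii() and candidate.isdigit()):
        return None
    now = int(unix_time) // step
    for counter in range(now - drift_steps, now + drift_steps + 1):
        if counter < 0 or counter <= last_counter:
            continue
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(hotp(secret, counter), candidate):
            return counter
    return None


def split_radius_password(value: str, digits: int = 6):
    """Split 'password' + 'OTP' (no separator) into (password, otp)."""
    if len(value) <= digits:
        return None
    otp = value[-digits:]
    if not (otp.isascii() and otp.isdigit()):
        return None
    return value[:-digits], otp


def verify_radius_credential(submitted, secret, unix_time, check_password,
                             step=30, last_counter=-1):
    """Validate a RADIUS-style credential; returns the OTP counter or None.

    check_password is a hypothetical callback standing in for the directory
    or password check; it receives only the password part.
    """
    parts = split_radius_password(submitted)
    if parts is None:
        return None
    password, otp = parts
    counter = verify_totp(secret, otp, unix_time, step=step,
                          last_counter=last_counter)
    # Evaluate both factors before deciding, so the result does not reveal
    # which of the two was wrong.
    password_ok = check_password(password)
    return counter if (password_ok and counter is not None) else None


if __name__ == "__main__":
    code = totp(RFC_TEST_SECRET, 59)
    print("OTP at t=59:", code)
    print("accepted at counter:", verify_totp(RFC_TEST_SECRET, code, 59))
    print("replay:", verify_totp(RFC_TEST_SECRET, code, 59, last_counter=1))
```

Store the returned counter per token and pass it back as `last_counter` on the next attempt; a token configured for a 60 second interval must be verified with `step=60`, because the same secret yields different codes under the two intervals.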
Each AuthPoint user can have up to 20 software tokens and any number of hardware tokens.

Third-party hardware token requirements:

- Response Format — Six-digit time-based OTP that includes only numbers with a 30 or 60 second time interval
- Algorithm — OATH time-based OTP (RFC 6238)
- Seed Delivery — OATH PSKC file (RFC 6030)

Manage Hardware Tokens

When you import third-party hardware tokens into AuthPoint, you must upload the seed file and provide a key.

- Seed File — The seed file is a Portable Symmetric Key Container (PSKC) file that is used to import hardware token information into AuthPoint. This file contains device information for each hardware token. The supported file types for a seed file are .XML, .PSKC, .TXT, and .VIP.
- Key — The key is used to decrypt the seed file so AuthPoint can validate the one-time passwords (OTPs) that the hardware tokens generate. The key can be a string of characters that you type in AuthPoint or a file that you upload. The supported file types for a key file are .TXT and .BIN.

You receive the seed file and key from your hardware token vendor.

WatchGuard hardware tokens are automatically associated with your account, so you do not need a seed file.

After you import hardware tokens, you must assign each token to an AuthPoint user, and then activate the token.

Authenticate with a Hardware Token

You can use hardware tokens to authenticate with an OTP. You authenticate with hardware tokens the same way you authenticate with the software tokens on your mobile device. When you log in to a resource that requires authentication, select the option to authenticate with OTP and type the OTP shown on your hardware token.

AuthPoint Groups and Users

AuthPoint groups define the authentication requirements for user access to AuthPoint resources.
In the AuthPoint management UI, use these pages to manage groups and users:

Groups page — Manage AuthPoint groups
Add local AuthPoint user groups and see the external groups you have imported from Active Directory and Azure Active Directory. In AuthPoint, groups define which resources your users have access to.

Users page — Manage AuthPoint users and tokens
Add and edit local AuthPoint users, and see imported users. Manage tokens for all AuthPoint users.

External Identities page — Synchronize users and groups from an external database
Import users from Azure Active Directory, Active Directory, or an LDAP database, and assign those users to an AuthPoint group.

You must add at least one AuthPoint group before you add or import users. Users can belong to any number of groups in AuthPoint.

Groups
In AuthPoint, groups define which resources your users have access to and which Corporate Credentials are shared with them. You add users to groups in AuthPoint, then you add the groups to the authentication policies that specify which resources users can authenticate to.

You can create local groups in AuthPoint and you can import external groups from Active Directory and Azure Active Directory when you configure a group sync for an external identity.

When you add a group in AuthPoint, you specify these settings:
- Group name
- Description

Users
For a user to use AuthPoint, you must create an AuthPoint user in your account and select the group the user belongs to. Each AuthPoint user account requires one AuthPoint user license. When you add a user, the user is assigned a token. The user receives an email with instructions to activate the token in the AuthPoint app.

Each user must be a member of an AuthPoint group. For this reason, you must add at least one group before you can add users to AuthPoint.
There are two ways to add AuthPoint user accounts:
- Add local AuthPoint users manually
- Synchronize users from an external user database

When you add or sync user accounts, you choose whether to have AuthPoint create mobile tokens for the new user accounts and send email messages to the users to activate their mobile tokens. AuthPoint does this by default.

In most cases, we recommend that you assign a token to users and send them the Token Activation email. User accounts need a token to authenticate with AuthPoint. You might choose not to do this for users that use hardware tokens for authentication, or for service accounts that bypass MFA with basic authentication.

Add Local AuthPoint Users Manually
You can add local AuthPoint users on the Users page in the AuthPoint management UI. Because you can create only one user at a time, you most commonly add users manually when you want to create test users or need to add only a small number of users.

Unlike users synchronized from an external Active Directory or an LDAP database, users that you create manually in AuthPoint define and manage their own AuthPoint password. When you manually create a user account, AuthPoint sends the end user two emails:
- An email to set their AuthPoint password
- An email to activate their AuthPoint token

From the Users page, you can also resend these emails, if needed.

Sync Users from an External User Database
You can synchronize users from an Active Directory or a Lightweight Directory Access Protocol (LDAP) database. This is a quick way to add users already defined on your network. AuthPoint integrates with your domain controller to keep the user accounts in sync.

[Figure: Diagram of LDAP user import and authentication workflow.]
To configure AuthPoint to synchronize users from an Active Directory, Azure Active Directory, or LDAP database, you must add an external identity and create one or more queries:

External identity
An external identity specifies settings required for AuthPoint to connect to an external user database. There are two types of external identities:
- LDAP — The Lightweight Directory Access Protocol (LDAP) external identity type syncs users from Active Directory or an LDAP database. For AuthPoint to connect to an LDAP external identity, you must link the external identity to an AuthPoint Gateway.
- Azure AD — The Azure AD external identity type syncs users from Azure AD. This type of external identity does not require the AuthPoint Gateway.

Queries
For each external identity, queries specify which users to sync. AuthPoint uses the queries to request user information from the external user database and create AuthPoint users for the users that match the query. For each LDAP query, you specify which AuthPoint group you want the users to be a member of.

AuthPoint does not store user passwords for synchronized users. When a synchronized user authenticates, AuthPoint sends the LDAP credentials to the domain controller for validation. After the domain controller validates the credentials, AuthPoint handles any other authentication options specified in the access policy for the user group.

To synchronize users from Active Directory or an LDAP database, you must link the LDAP external identity to an AuthPoint Gateway. You must install the AuthPoint Gateway on your corporate network in a location that has Internet access and that can connect to your LDAP server.

The AuthPoint Gateway connects to a domain controller to import users from an Active Directory or LDAP database. The AuthPoint Gateway is also required to validate user credentials when users authenticate. For more information about Gateway configuration, see AuthPoint Gateway.
Azure Active Directory does not require the AuthPoint Gateway.

For each external identity you can add queries, check the connection, or start a manual synchronization.

Before you can sync Active Directory or LDAP users, you must link the LDAP external identity to an AuthPoint Gateway. You must install the AuthPoint Gateway on your corporate network in a location that has Internet access and that can connect to your LDAP server.

There are two query types:
- Group Sync — Select the LDAP groups you want to sync users from. AuthPoint creates the query for you based on the group you choose. This is the simpler option, and is recommended.
- Advanced Query — Create your own LDAP queries to specify which groups or users to sync.

When you configure a group sync to sync users from Active Directory or Azure Active Directory, you can enable the Create new synchronized groups option to create new groups in AuthPoint based on the Active Directory or Azure Active Directory groups that you sync users from. If you enable this option, users sync to the new groups based on group membership in the LDAP database, in addition to the selected AuthPoint group. This option is only available for Active Directory and Azure Active Directory.

You can add multiple queries. To add a query or to see the list of configured queries, select the query type.

Before you sync users, make sure that each user in your external user database has a valid email address. Users must have an email address so that AuthPoint can send a token activation email. LDAP users without a user name, first name, or email address are not included in the synchronization.
After you add a query to find your users, AuthPoint syncs with your Active Directory, Azure Active Directory, or LDAP database at the next synchronization interval and creates an AuthPoint user account for each user identified by the query. From the External Identities page, you can also manually start a synchronization.

On the Users page, you can identify users synced from an external identity by the label in the Type column.

If you enabled the option to synchronize external groups to AuthPoint, the synced groups are created in AuthPoint. Users sync to the new groups based on group membership in the LDAP database, in addition to the selected AuthPoint group. The newly created groups appear on the Groups page. On the Groups page, you can identify synced groups by the label in the Type column.

You manage the external groups in your external user database. If you change the name of a synced group in Active Directory or Azure Active Directory, the synced group in AuthPoint is updated to match. You cannot edit the synced groups in AuthPoint. You can only delete them.

Monitor User and Token Status
On the Users page you can see your AuthPoint users and the details for each user account.

The User Name column shows the status of the user account:

| User Status | Definition |
|---|---|
| Activated | The user account is activated and can authenticate with any active tokens. |
| Quarantined | The LDAP synced user account cannot authenticate because the LDAP user was moved or deleted, the external identity was deleted, or other domain information was changed. Quarantined users cannot log in to their password vault. |
| Blocked | The user cannot authenticate to any AuthPoint protected resources and cannot log in to their password vault. The user can still use third-party tokens, such as Google Authenticator, to authenticate to third-party resources that are not protected by AuthPoint. |
The Token column shows the status of the user's tokens:

| Token Status | Definition |
|---|---|
| Pending | The user has not activated the token. |
| Activated | The user has activated the token and can use it for authentication. |
| Blocked | The token is blocked and the user cannot authenticate with that token. The user can still use other active WatchGuard tokens, if they have any, to authenticate. |

Block Users and Tokens
A user must have an active token to authenticate or log in to their password vault. Each active token is associated with a specific device. On the Users page, you can manage your AuthPoint users and the tokens assigned to them.

There are two ways to prevent authentication:

Block a User
Block a user to prevent authentication with any of the user's WatchGuard tokens on any mobile device. A blocked user cannot log in to their password vault. A blocked user can still use their third-party tokens, such as Google Authenticator, to authenticate with third-party resources.

USE CASE: A user leaves your organization or their user account has been compromised in some way. To block authentication with any WatchGuard token for that user, you can block the user.

Block a Token
Block a token to prevent user authentication with a specific token. While a token is blocked, the user can still authenticate with other active tokens. A user must have at least one active token in the AuthPoint mobile app to log in to their password vault on that device.

USE CASE: A user loses their phone. To block authentication from that device, you can block the token activated for that device. If the user has an active token on another device, the user can still authenticate with the other active token. If the user finds their phone, you can activate the token so the user can use it again from that device.
Quarantined Users
If you move or delete a user account in your LDAP database, the linked AuthPoint user account is marked Quarantined. In the Users list, Quarantined user accounts display a yellow icon next to their user name. AuthPoint quarantines user accounts if the External Identity was deleted or other domain information changed.

Users with quarantined user accounts cannot authenticate until you restore or move them back to the original location in the LDAP database. If you moved or deleted the user account intentionally, the quarantined account remains in AuthPoint until you delete it in AuthPoint.

To delete an LDAP user in AuthPoint, the best practice is to enable the Quarantined Users Cleanup feature on the Settings page. This feature automatically deletes LDAP synced users with the Quarantined status.

AuthPoint Authentication
The content in this section covers AuthPoint authentication. You will learn about authentication policies and policy objects, as well as information about the AuthPoint password manager and supporting features such as corporate credentials.

In this section, you learn about:
- AuthPoint authentication policies
- AuthPoint policy objects
- Policy precedence
- Password management
- Corporate credentials
- Dark Web Monitor

Authentication Policies
Authentication policies specify which resources AuthPoint users can authenticate to and which authentication methods they can use (Push, QR code, and OTP). A user who is not a member of a group that has an authentication policy for a specific resource cannot authenticate to log in to that resource.

Authentication policies must apply to at least one group. For this reason, you must add at least one AuthPoint group before you can create authentication policies.
When you configure an authentication policy, you specify:
- Whether the policy allows or denies authentications.
- Which authentication methods are required.
- Which resources the policy applies to.
- Which user groups the policy applies to.
- Which policy objects apply to the authentications.

In each authentication policy, you specify whether the policy allows or denies authentications. If you require MFA for the policy, you choose whether to require a password, and select allowed authentication options.

[Figure: Authentication options for an authentication policy.]

If you select more than one authentication option for a resource, users must choose one of the available options when they authenticate to that resource. For example, if you select OTP and Push, users can either type their OTP or approve a push to authenticate, but you cannot require that they do both.

For RADIUS authentication, if you enable the push and OTP authentication methods for a policy, RADIUS resources associated with that policy use push notifications to authenticate users. RADIUS resources do not support QR code authentication. RADIUS client resources that use MS-CHAPv2 only support the Push authentication method.

Policy Precedence
Precedence is how AuthPoint determines which authentication policy to use when multiple policies could apply to a user authentication. When two policies conflict, the order of your authentication policies determines which policy applies.

To determine whether a user can access a resource and how they authenticate, AuthPoint uses the highest policy in the list that matches the conditions of the authentication. The conditions of the authentication include:
- The resource the user authenticates to.
- The AuthPoint groups the user is a member of.
- The user's IP address (for network locations).
- The time of the authentication (for time schedules).
- The location of the user (for geofence and geokinetics).

When you add a policy object to an authentication policy, the policy only applies to user authentications that match the conditions of the authentication and the policy objects. For example, policies with network locations only apply to user authentications that originate from that network location. If the authentication request does not contain the origin IP address, the policy does not apply.

In the example above, if a user is a member of both the Support group and the Sales group, the policies for their groups conflict.
- The Support policy requires a password and an OTP to log in to Salesforce.
- The General policy requires a password and a push to log in to Salesforce.

In this example, when a user who is a member of both the Support group and the Sales group logs in to Salesforce, the Support policy applies because it is the highest policy that matches the conditions of the authentication.

To change the order of policies in the list, you can:
- Drag a policy to move it.
- Type a number in the Order column.

Policy Objects
Policy objects are the individually configurable components of a policy, such as network locations, that enable you to define specific scenarios that authentication policies apply to. You configure policy objects and then add them to authentication policies.

You can configure these types of policy objects:
- Network locations
- Time schedules
- Geofences
- Geokinetics

When you add a policy object to an authentication policy, the policy only applies to user authentications that match the conditions of the authentication and the policy objects. For example, if you add a specific network location to a policy, the policy only applies to user authentications that come from that network location.
We recommend that you create a second policy for the same groups and resources without the policy object. Users who only have a policy that includes a policy object do not get access to the resource when the conditions of the policy object do not apply to the authentication (because they do not have a policy that applies, not because authentication is denied).
- Users who only have a policy that includes a network location do not get access to the resource when they authenticate outside of that network location.
- Users who only have a policy that includes a time schedule do not get access when they authenticate outside the hours of that time schedule.
- Users who only have a policy to allow access that includes a geofence do not get access to the resource when they authenticate outside of the specified countries.

If you have two policies (one with a policy object and one without), assign a higher priority to the policy with the policy object.

Geokinetics policy objects work differently than other policy objects because they apply after an authentication is complete. Geokinetics do not affect the conditions of an authentication, so when you add a geokinetics policy object to an authentication policy, you do not have to create a second policy without the geokinetics policy object.

Network Location Policy Objects
Network location policy objects enable you to configure a list of IP addresses. You can then configure specific authentication policies that only apply when users authenticate from these IP addresses. For example, you might create a network location for your organization's corporate office.

When you add a network location to an authentication policy, the policy only applies to user authentications that come from that network location.
USE CASE: To allow users to log in without MFA when they are in the office, you create a network location for your organization's corporate office and add it to a new authentication policy that only requires password authentication.

Users who only have a policy that includes a network location cannot get access to the resource when they authenticate outside of that network location (because they do not have a policy that applies, not because authentication is denied).

Network locations require an Internet connection.

For RADIUS authentication and basic authentication (ECP), AuthPoint does not apply policies that include a network location because AuthPoint cannot determine the IP address of the end user or the origin IP address.

For Remote Desktop Protocol (RDP) connections, AuthPoint uses the IP address that connects to port 3389 or port 443 to determine if the authentication comes from a network location. If you configure RDP to use a port other than 3389 or 443, AuthPoint cannot identify the IP address of the end user. In this scenario, policies with a network location do not apply to the authentication.

Time Schedule Policy Objects
Time schedule policy objects enable you to specify the dates and times when authentication policies apply to user authentications. You might configure a time schedule policy object if you want to:
- Allow authentication only during specified times, such as work hours.
- Restrict authentication during specific times, such as non-work hours and holidays.
- Enforce different authentication requirements at different times.
- Use a safe network location to allow users to bypass MFA when they authenticate from the office, but only during specified times, such as work hours.

USE CASE: To allow users to log in without MFA during the workday, you create a time schedule for your organization’s work hours and add it to a new authentication policy that only requires password authentication.
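The precedence rule and the network location and time schedule objects described above can be modelled as a first-match walk over an ordered policy list. This is an added sketch, not WatchGuard code; the class names, the 203.0.113.0/24 office range, the 09:00 to 17:00 schedule and the Sales-only scope of the General policy are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class AuthRequest:
    resource: str
    groups: frozenset            # AuthPoint groups the user is a member of
    origin_ip: Optional[str]     # None when the request carries no origin IP
    local_time: time             # time of the authentication


@dataclass(frozen=True)
class Policy:
    name: str
    resources: frozenset
    groups: frozenset
    methods: tuple                              # what the user must present
    network_location: Optional[tuple] = None    # CIDR strings, or None
    time_schedule: Optional[tuple] = None       # (start, end), or None


def matches(policy: Policy, req: AuthRequest) -> bool:
    """True when the request meets the policy's conditions and policy objects."""
    if req.resource not in policy.resources:
        return False
    if not policy.groups & req.groups:
        return False
    if policy.network_location is not None:
        # No origin IP in the request: a network-location policy does not apply.
        if req.origin_ip is None:
            return False
        addr = ip_address(req.origin_ip)
        if not any(addr in ip_network(net) for net in policy.network_location):
            return False
    if policy.time_schedule is not None:
        start, end = policy.time_schedule
        if not start <= req.local_time <= end:
            return False
    return True


def select_policy(ordered: list, req: AuthRequest) -> Optional[Policy]:
    """Return the highest policy in the list that matches, or None.

    None means no policy applies, so the user gets no access to the resource.
    """
    for policy in ordered:
        if matches(policy, req):
            return policy
    return None


# Constructed sample policy list, highest precedence first. The policy that
# carries policy objects sits above the plain policies for the same groups.
SALESFORCE = frozenset({"Salesforce"})
OFFICE = Policy("Office hours", SALESFORCE, frozenset({"Support", "Sales"}),
                ("password",), network_location=("203.0.113.0/24",),
                time_schedule=(time(9, 0), time(17, 0)))
SUPPORT = Policy("Support", SALESFORCE, frozenset({"Support"}),
                 ("password", "otp"))
GENERAL = Policy("General", SALESFORCE, frozenset({"Sales"}),
                 ("password", "push"))
POLICIES = [OFFICE, SUPPORT, GENERAL]


def request(ip, hhmm, groups=("Support", "Sales")) -> AuthRequest:
    """Build a constructed Salesforce login request for the demo."""
    hour, minute = hhmm
    return AuthRequest("Salesforce", frozenset(groups), ip, time(hour, minute))


if __name__ == "__main__":
    cases = {
        "office IP, 10:00": request("203.0.113.25", (10, 0)),
        "office IP, 20:00": request("203.0.113.25", (20, 0)),
        "home IP, 10:00": request("198.51.100.7", (10, 0)),
        "no origin IP (e.g. RADIUS)": request(None, (10, 0)),
    }
    for label, req in cases.items():
        chosen = select_policy(POLICIES, req)
        print(f"{label:28} -> {chosen.name}: {' + '.join(chosen.methods)}")
    # Only the policy with policy objects exists: off-network users match nothing.
    print("office-only list, home IP ->",
          select_policy([OFFICE], request("198.51.100.7", (10, 0))))
```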
When you add a time schedule to an authentication policy, the policy only applies when a user authenticates during the specified time schedule. Users who only have a policy that includes a time schedule cannot get access to the resource when they authenticate outside the hours of that time schedule.

AuthPoint does not dynamically adjust for daylight saving time. When you configure a time schedule, you must select the Adjust for daylight saving time check box when daylight saving time applies, and clear the check box when daylight saving time does not apply.

Geofence Policy Objects
The geofence policy object enables you to specify a list of countries, and then configure authentication policies that only apply when users authenticate from those countries. You might do this if you want to enforce different MFA requirements for different locations, or if you want to block authentication from specific countries.

USE CASE: To enforce stricter MFA requirements when users log in from Canada, you create a geofence for Canada and add it to a new authentication policy that requires push and password authentication.

When you add a geofence to an authentication policy, the policy only applies to user authentications that come from a country specified in the geofence policy object. Users who only have a policy to allow access that includes a geofence cannot get access to the resource when they authenticate outside of the specified countries (because they do not have a policy that applies, not because authentication is denied).

To support authentication with the geofence policy object, you must install these versions of the AuthPoint agents:
- AuthPoint agent for Windows v2.7.1 or higher
- AuthPoint agent for RD Web v1.4.2 or higher
- AuthPoint agent for ADFS v1.2.0 or higher

The AuthPoint agent for ADFS only supports geofence policy objects if you use the custom WG ADFS theme or another custom ADFS theme.
You cannot use the default ADFS theme.

To support the geofence policy object for RD Web, you must edit the webscripts-domain.js file on your RD Web Access server and configure the client to save the user location as a cookie on the RD Web server. This enables RD Web to send the user’s coordinates to AuthPoint when the user authenticates.

These resources do not support geofence:
- AuthPoint agent for macOS
- RADIUS

For RADIUS authentication, policies that include a geofence policy object do not apply because AuthPoint cannot determine the IP address of the end user or the origin IP address.

Geokinetics Policy Objects
The geokinetics policy object enables you to create policy objects that compare the user's current location and the location of their last valid authentication. AuthPoint automatically denies authentications from a location the user could not have travelled to since their previous authentication, based on the distance and time between authentications. When you create a geokinetics policy object, you specify the maximum travel speed that is allowed.

USE CASE: An attacker from another country has obtained a user’s login credentials and attempts to log in to a resource that is protected by MFA. The attacker uses social engineering or push bombing to get the user to approve the push notification. With geokinetics, even if the user approves the push, AuthPoint denies the authentication if the attacker is in a location that the user could not have travelled to in the time since they last authenticated.

Geokinetics policy objects work differently than other policy objects because they apply after an authentication is complete. For other policy objects (geofence, time schedule, network locations), when you add the policy object to an authentication policy, the policy applies only to user authentications that match the conditions of the authentication and the policy objects.
For example, if you add a specific network location to a policy, the policy applies only to user authentications that come from that network location. Geokinetics do not affect the conditions of an authentication, so when you add a geokinetics policy object to an authentication policy, you do not have to create a second policy without the geokinetics policy object.

To support authentication with the geokinetics policy object, you must install these versions of the AuthPoint agents:
- AuthPoint agent for Windows v2.7.1 or higher
- AuthPoint agent for RD Web v1.4.2 or higher
- AuthPoint agent for ADFS v1.2.0 or higher

To support the geokinetics policy object for RD Web, you must edit the webscripts-domain.js file on your RD Web Access server and configure the client to save the user location as a cookie on the RD Web server. This enables RD Web to send the user’s coordinates to AuthPoint when the user authenticates.

These resources do not support geokinetics:
- AuthPoint agent for macOS
- RADIUS

For RADIUS authentication, policies that include a geokinetics policy object do not apply because AuthPoint cannot determine the IP address of the end user or the origin IP address.

Location Data for Geofence and Geokinetics Policy Objects
When a user authenticates, location data identifies the area that the user is authenticating from. When you configure a geofence or geokinetics policy object, you can choose to allow location data with low accuracy. User locations identified from low accuracy data have a larger radius. For example, high accuracy location data might be accurate to within 10 meters of the actual location of the user, but low accuracy location data might only be accurate to within a kilometer of the actual location.

For browser-based authentication, when a user authenticates the browser prompts them to share their location.
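The geokinetics check described above reduces to a speed test between the last valid authentication and the current one. This is an added example, not WatchGuard's implementation; the haversine distance, the subtraction of each location's accuracy radius, and the sample coordinates and times are assumptions of this sketch.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

EARTH_RADIUS_KM = 6371.0088


@dataclass(frozen=True)
class AuthLocation:
    when: datetime       # timezone-aware time of the authentication
    lat: float           # degrees
    lon: float           # degrees
    accuracy_km: float   # radius of uncertainty around (lat, lon)


def haversine_km(a: AuthLocation, b: AuthLocation) -> float:
    """Great-circle distance between two locations in kilometres."""
    phi1, phi2 = math.radians(a.lat), math.radians(b.lat)
    dphi = phi2 - phi1
    dlam = math.radians(b.lon - a.lon)
    h = (math.sin(dphi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(min(1.0, math.sqrt(h)))


def required_speed_kmh(prev: AuthLocation, cur: AuthLocation) -> float:
    """Lowest speed that explains the move from prev to cur.

    Both accuracy radii are subtracted first, so a coarse (low accuracy)
    location does not by itself produce an impossible-travel result.
    """
    distance = haversine_km(prev, cur) - prev.accuracy_km - cur.accuracy_km
    if distance <= 0:
        return 0.0
    hours = (cur.when - prev.when).total_seconds() / 3600.0
    if hours <= 0:
        return math.inf          # some distance in no time: never plausible
    return distance / hours


def geokinetics_allows(prev: Optional[AuthLocation], cur: AuthLocation,
                       max_speed_kmh: float) -> bool:
    """Applied after the factors succeed: deny when travel was not possible."""
    if prev is None:
        return True              # no earlier valid authentication to compare
    return required_speed_kmh(prev, cur) <= max_speed_kmh


# Constructed sample events. 0.01 km models high accuracy location data,
# 1.0 km models low accuracy data, matching the figures quoted in the text.
T0 = datetime(2023, 10, 13, 9, 0, tzinfo=timezone.utc)
SEATTLE = AuthLocation(T0, 47.6062, -122.3321, 0.01)
LONDON_1H = AuthLocation(T0 + timedelta(hours=1), 51.5074, -0.1278, 0.01)
LONDON_12H = AuthLocation(T0 + timedelta(hours=12), 51.5074, -0.1278, 0.01)
# About 1.5 km north of SEATTLE, four seconds later, at each accuracy level.
NEARBY_HIGH = AuthLocation(T0 + timedelta(seconds=4), 47.6197, -122.3321, 0.01)
NEARBY_LOW = AuthLocation(T0 + timedelta(seconds=4), 47.6197, -122.3321, 1.0)

if __name__ == "__main__":
    limit = 1000.0               # maximum travel speed set on the policy object
    for label, cur in [("London after 1 h", LONDON_1H),
                       ("London after 12 h", LONDON_12H),
                       ("1.5 km away, high accuracy", NEARBY_HIGH),
                       ("1.5 km away, low accuracy", NEARBY_LOW)]:
        speed = required_speed_kmh(SEATTLE, cur)
        verdict = "allow" if geokinetics_allows(SEATTLE, cur, limit) else "deny"
        print(f"{label:28} {speed:9.1f} km/h -> {verdict}")
```

The London login one hour after Seattle is denied even though a push was approved, which is the push bombing scenario in the use case above.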
If the user accepts, the browser sends the geographical coordinates of the user location to AuthPoint. AuthPoint associates the coordinates with a country and uses this information to determine which policies apply to the authentication. This is high accuracy location data.

If the user does not accept the prompt to share their location, their location will be based on the IP address. AuthPoint considers location data based on IP address to be low accuracy.

These resources use browser-based location data:
- IdP portal
- SAML
- RD Web
- ADFS

AuthPoint supports location data based on the IP address for these types of authentication only:
- RDP connections
- Firebox resources
- Windows virtual machines (VMs)

The AuthPoint agent for Windows uses the Windows API to get the location of the user. If the agent is installed on a Windows VM, the location data is always based on the IP address (low accuracy).

Password Management
With AuthPoint password management, you can save your login credentials in a personal password vault that is available from the AuthPoint mobile app and the AuthPoint browser extension. With this feature, the only password you have to remember is the password to your vault, and you can use the AuthPoint app and browser extension to autofill your credentials when you log in.

From the password manager, you can:
- See and manage the passwords in your vault
  - Add passwords to your vault
  - Import and export existing passwords to your vault
  - Generate a new password
  - Share a password
- Manage your password vault
  - Synchronize your password vault
  - Evaluate the security of your passwords
  - Manage sites that autofill credentials
  - Manage password vault sessions
  - Reset your vault password

If you have multiple AuthPoint user accounts, each user account has a separate password vault.
In the AuthPoint mobile app, you can only use the password vaults for AuthPoint user accounts that have an active token on the mobile device. To access your vault in the browser extension, you must first authenticate to the IdP portal or a SAML resource.

If your AuthPoint user account is blocked or deleted, you cannot access your password vault.

When You First Log In
The first time you log in to the password manager, you must create a vault password to protect your password vault. The vault password is a unique password that you require to log in to the password manager from the mobile app and browser extension. The vault password is separate from your AuthPoint password.

After you create a vault password, you receive a recovery key that you can use to recover your data if you forget your vault password. You cannot reset your password without the recovery key.

See and Manage Your Passwords
On the Passwords page, you can see and manage the passwords in your password vault. Your password vault displays your Private passwords and your Corporate passwords separately. This helps you organize your passwords. When you add a password, you choose which list the password is shown in.

Click on a password to open that website and log in with the credentials saved in your vault.

You can use the generate password feature to quickly generate secure new passwords. You can specify length and character requirements for the generated password. Generated passwords are more secure because they consist of a random string of characters, which is difficult for attackers to guess.

When you edit a password, you can see the date the password was created and the date the password was last updated.

Sometimes, you might not see all passwords if you add or edit a password in your password vault on one device, and then open your password vault on another device.
If you do not see all your passwords in your password vault, synchronize your account.

Import and Export Existing Passwords to Your Vault
To save time, you can import saved credentials from third-party password managers, such as Google Chrome, into your AuthPoint password vault.

You can also export the passwords from your Private AuthPoint password vault to a .CSV file. You might do this if you leave your company and want to save your personal passwords.

If your AuthPoint user account is blocked or deleted, you cannot access your password vault or export your passwords. If your AuthPoint user account is deleted, your password vault is also deleted.

Share a Password
You can share a password in your vault with other users from your company. You might do this if you have a shared account that is used by multiple people, such as a social media account.

You can only share passwords from your Corporate vault. You cannot share passwords from your Private vault.

When you share a password, the users you share the password with must accept the invitation. Users that accept the shared credentials see the password in their vault and the Sharing Center. The Sharing Center is a page in your password vault where you can see and manage the passwords that you have shared with other users, and the passwords that other users have shared with you.

If users reject a shared password request, the password is not added to their vault. You do not receive notifications when users accept or reject a shared password request.

Users that receive a shared password cannot make changes to the shared password. If the owner of the password makes changes, the password automatically updates for all users that it is shared with.
When you share a password, be aware of these requirements:

- You can share passwords with only users who have an active AuthPoint user account with your company, and have logged in to their password vault at least once.
- You must have an Internet connection to share a password.
- You cannot share passwords that have been shared with you.

You can choose to no longer share a password at any time. When you stop sharing a password with a user, AuthPoint immediately removes it from their password vault.

Evaluate the Security of Your Passwords

Use the Security Report feature to evaluate the strength of your passwords. In the password manager, the Security Report page shows you this information:

- Leaked Passwords — The number of passwords you use that have been exposed in a data breach.
- Weak Passwords — The number of passwords you have that are not considered complex. These passwords are easy to guess or vulnerable to brute force attacks.
- Duplicate Passwords — The number of passwords that you use for more than one account. Using the same password for multiple accounts leaves you more vulnerable.
- Old Passwords — The number of passwords that you have not changed in a long time. We recommend that you change your passwords periodically for each account.

You can tap on a report item to see more information. You can also tap Start a leaked password check to learn if any of your passwords have been compromised in a known data breach.

The leaked passwords check includes passwords that have been exposed directly and indirectly. For example, if you have an account with the password asdf1234, and another person's account with that same password was part of a data breach, your account is also considered leaked.
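The four Security Report categories described above, sketched as an added example (this is not WatchGuard code and does not describe how AuthPoint implements the report). The length, character-class and age thresholds, the SHA-1 lookup, and every site and password in the sample data are assumptions constructed for illustration.

```python
import hashlib
from collections import Counter
from datetime import date

# Assumed thresholds: the study guide does not define "weak" or "old".
MIN_LENGTH, MIN_CLASSES, MAX_AGE_DAYS = 12, 3, 365


def sha1_hex(password):
    """Digest used only as a lookup key into the breach corpus."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed breach corpus, held as digests with no account names attached.
# Matching on the password value alone is what makes an "indirect" exposure
# (someone else's account, same password) count as leaked.
BREACHED_SHA1 = {sha1_hex(p) for p in ("asdf1234", "letmein")}

# Constructed vault entries (hypothetical sites and passwords).
SAMPLE_VAULT = [
    {"site": "shop.example", "password": "asdf1234", "updated": date(2021, 3, 1)},
    {"site": "mail.example", "password": "V7#qLm2!xRt9zPw4", "updated": date(2023, 9, 1)},
    {"site": "bank.example", "password": "V7#qLm2!xRt9zPw4", "updated": date(2023, 8, 15)},
    {"site": "wiki.example", "password": "correct-Horse-42-battery", "updated": date(2022, 1, 10)},
]


def char_classes(password):
    """Count how many of lower/upper/digit/symbol appear in the password."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(check(c) for c in password) for check in checks)


def security_report(vault, today, breached=BREACHED_SHA1):
    """Return the sites that fall into each Security Report category."""
    counts = Counter(entry["password"] for entry in vault)
    report = {"leaked": [], "weak": [], "duplicate": [], "old": []}
    for entry in vault:
        password, site = entry["password"], entry["site"]
        if sha1_hex(password) in breached:
            report["leaked"].append(site)
        if len(password) < MIN_LENGTH or char_classes(password) < MIN_CLASSES:
            report["weak"].append(site)
        if counts[password] > 1:
            report["duplicate"].append(site)
        if (today - entry["updated"]).days > MAX_AGE_DAYS:
            report["old"].append(site)
    return report


if __name__ == "__main__":
    result = security_report(SAMPLE_VAULT, date(2023, 10, 13))
    for category, sites in result.items():
        print(f"{category:9} {len(sites)}  {', '.join(sites)}")
```

One entry can land in several categories at once, which is why the report counts each category separately rather than assigning a single score per password.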
Manage Password Vault Sessions

The Manage Sessions feature enables you to remotely end specific password manager browser and app sessions to protect your data and prevent access to your password vault by unauthorized users. When you end a session, that session logs out of the password vault immediately and you must authenticate with your user name and vault password to log in again. You can also choose to log out from all websites, close all open tabs, and delete the browsing history for that browser session. You might do this if you forget to log out of your password vault on a shared device.

When you view a specific session, you can see this information:

- Device type
- Device OS
- IP address
- Approximate location of the device (based on the IP address)

Manage Sites that Autofill Credentials

Excluded sites are websites that AuthPoint does not store or autofill credentials for. You might configure this if you do not want to be prompted to save your password for a specific website.

You can see and manage your excluded sites from the Excluded Sites page in the AuthPoint browser extension. This feature is not available in the AuthPoint mobile app.

Manage Unique Sites

If you have different accounts for multiple subdomains of a website, such as admin.example.com and mail.example.com or example.com/admin and example.com/mail, you can set each subdomain as a unique site to keep the credentials separate in your password vault.

You can see and manage your unique sites from the Unique Sites page in the AuthPoint browser extension. This feature is not available in the AuthPoint mobile app.

Corporate Credentials

You can create Corporate Credentials to share a direct link to a specific website with specific user groups. You might do this for websites or applications that do not support SAML or that are not managed by your company.
For example, you might create Corporate Credentials to provide users with a link in the IdP portal to the website they use to manage their 401k accounts.

When you create Corporate Credentials, you can choose to share the login credentials for that website or account. For example, you might share the credentials to a corporate social media account with your marketing team.

Corporate Credentials are available in the IdP portal for users who are members of the groups that the Corporate Credential is shared with. If you choose to share login credentials, the Corporate Credentials are also available in the password vault.

If you choose to share login credentials, each user must accept the shared Corporate Credentials in the password manager.

Monitor Your Domains for Data Breaches

A data breach is the intentional or unintentional release of secure or confidential information to an untrusted environment such as the dark web. AuthPoint Total Identity Security includes a Dark Web Monitor service to help you monitor and protect your domains.

With the Dark Web Monitor service, WatchGuard actively monitors data breaches for up to three of your domains. If a data breach is found to include your email addresses and domains, you receive a notification.

When you add a domain, you must select one of these email addresses for authorization requests:

- security@
- webmaster@
- postmaster@
- hostmaster@

To make sure that you own the domain, WatchGuard sends an authorization request to the selected email address. You cannot specify a custom email address for authorization requests. If you do not have any of these email addresses for the domain, you must create one.

If you update your domain in WatchGuard Cloud, you receive and must approve another authorization request before the changes take effect.
AuthPoint Resources

The content in this section covers how to set up and configure AuthPoint multi-factor authentication to protect the applications and services that your users connect to. You will learn about the AuthPoint Gateway and each type of AuthPoint resource.

In this section, you learn about:

- IdP portal resource configuration
- Logon app configuration
- RD Web
- AuthPoint Gateway
- RADIUS communication
- RADIUS client resources
- SAML resource configuration
- SAML applications
- ADFS

IdP Portal Resource

The AuthPoint Identity Provider (IdP) portal is a page that shows users a list of SAML resources and Corporate Credentials available to them. To configure the IdP portal, you add an IdP resource, and then assign it to one or more user groups.

When users log in to the IdP portal, they see the SAML resources and Corporate Credentials they have access to. Users can click an application to open it in a new tab. Corporate Credentials with shared login credentials are also available in the password vault.

[Figure: Example of an IdP portal with SAML resources.]

Users authenticate to the IdP portal. When the user selects a resource, AuthPoint sends the credentials automatically. If a SAML resource requires a different authentication method than the method used for authentication to the IdP portal, the user must complete the additional authentication step to access the resource.

[Figure: Diagram of authentication flow for the IdP Portal resource.]

You can configure only one IdP portal resource. Add an authentication policy for the IdP Portal resource to one or more user groups. Users in those groups can then log in to the IdP portal to connect to applications available to them.

Manually created AuthPoint users can change their passwords on the IdP portal page.
User accounts synced from an Active Directory or LDAP database cannot reset or change their own passwords.

Users can also navigate to the IdP portal to:

- Activate a software token.
- Activate the Forgot Token feature.

These options are available on the authentication page, which opens when users log in to a protected resource that uses SAML authentication, such as the IdP portal. It is where users choose an authentication method. The option to activate a token is only available when users have a pending token that they have not activated.

Logon App Resources

The Logon app is used to require authentication when users log on to a computer or server. This includes protection for RDP and RD Gateway. In the logon screen, users must type their password or authenticate with Windows Hello and then select one of the allowed methods of authentication (push notification, one-time password, or QR code).

There are two parts to the Logon app:

- The application you install on a computer or server (AuthPoint Agent)
- The resource you configure in AuthPoint

The Logon app adds MFA to Windows and Mac computers.

[Figure: The authentication flow with the AuthPoint Logon app.]

To set up the Logon app, you must:

- Configure a Logon app resource in the AuthPoint management UI.
- Configure an authentication policy for the Logon app resource or add the Logon app resource to your existing authentication policies.
- Download the installer and the configuration file for the Logon app (these must be saved in the same directory unless you use the command line for installation and set the contents or path of the config file as a parameter).

When you configure the Logon app resource, you can enable the Access for Non-AuthPoint Users feature to allow users who do not have an AuthPoint user account to log in to protected computers without MFA.
You can choose to allow all non-AuthPoint users to log in without MFA, or you can specify up to 50 specific non-AuthPoint users that can log in without MFA. Non-AuthPoint users can only log in without MFA if an AuthPoint user account with the same user name does not exist.

To install the Logon app, you can run the installer manually or you can run the installer with the command line. You can also use the command line option for deployment through Active Directory Group Policy Objects (GPO).

The Logon app does not automatically upgrade to the latest version. To upgrade the Logon app, you must download and install the updated version of the agent for Windows or the agent for macOS.

When you install the Logon app, the computer must have an Internet connection before the user logs on for the first time. The Logon app must be connected to the Internet so it can communicate with AuthPoint to verify the authentication policies. After the first successful authentication, the computer stores the most recent authentication policies locally. The Logon app uses this local policy set when the user authenticates offline, and updates it when the computer has an Internet connection.

Because push notifications require Internet access, we recommend that the authentication policy for the Logon app includes the QR code or OTP authentication options so users can authenticate when they are not connected to the Internet.

You can use one Logon app resource to create authentication policies for all of your groups. You do not need to configure additional Logon app resources for each computer that you install the Logon app on, regardless of the OS. If you have only one Logon app resource, you can use the same configuration file for each installation of the Logon app.

Authenticate with the Logon App

The Logon app supports both local and domain user accounts.
To authenticate and log on, all domain and local users must have an active AuthPoint user account with an authentication policy for the Logon app. Users that do not have an AuthPoint user account with an active token cannot authenticate and log on to a computer with the Logon app installed unless you enable the option to allow specific non-AuthPoint users to log in without MFA.

A user must first log in with Windows or Mac credentials. If those credentials are valid, the user must select a second authentication option.

AuthPoint Authentication Options

If the computer does not have an Internet connection, the user must select the One Time Password or QR Code authentication option to authenticate offline.

If the user does not have access to their mobile device, the user can select Forgot Token to start a process for the administrator to temporarily disable MFA for that user account for a specific amount of time.

For the Logon app, the IP address used for network location policy objects can vary. For a local authentication, when a user logs on to a computer with the Logon app installed, AuthPoint identifies the authentication based on the user's public IP address. When a user uses RDP to connect to a computer with the Logon app installed, AuthPoint identifies the authentication based on the private IP address of the source computer that the user connects from.

With Microsoft Remote Desktop Services (RDS), there are multiple ways that users can reach a computer through RDS. The method that is used determines whether AuthPoint identifies the authentication based on the public or private IP address.

RD Web Resource

RD Web (Remote Desktop Web Access) is a portal that enables users to download applications to run software remotely through the RD Gateway. The AuthPoint agent for RD Web adds the protection of multi-factor authentication to RD Web.
When a user types their user name and password on the RD Web page, the agent directs the request to AuthPoint. The single sign-on page loads with available authentication options based on the authentication policy for the AuthPoint group(s) the user belongs to.

[Figure: Diagram of authentication flow for RD Web with AuthPoint]

When you configure an RD Web resource in the AuthPoint management UI, you must select an AuthPoint identity provider certificate to use for SAML authentication. This is for SAML applications that support RD Web.

RD Web Authentication

The AuthPoint RD Web resource enables MFA for user authentication to the RD Web Access portal. From the RD Web access portal, users download applications for remote access to computers and applications. Users can run those applications without a connection to the RD Web access portal. When a user runs a downloaded RD Web application, the user does not connect to the RD Web portal again, and MFA is not required.

To require MFA when users connect to a remote desktop through an RD Web application, install the AuthPoint Agent on the remote computer that the RD Web application connects to.

AuthPoint Gateway

The AuthPoint Gateway is a lightweight software application that you install on your network so that AuthPoint can communicate with your RADIUS clients, the AuthPoint agent for ADFS, and your Active Directory or LDAP database. The Gateway operates as a RADIUS server for RADIUS authentication, and can also import LDAP users and validate their passwords.

[Figure: Diagram of communications through the AuthPoint Gateway]

The Gateway provides a secure link between the AuthPoint service in the cloud and the local authentication services and clients on your network. The Gateway makes a secure connection to AuthPoint for user synchronization and authentication requests.
Install a Gateway on a computer on your network for integration with:

- RADIUS: The Gateway is a RADIUS server that can accept authentication requests from RADIUS clients.
- LDAP: The Gateway imports users from the domain controller. The Gateway also validates user credentials each time an LDAP user logs in to an AuthPoint resource that requires a password.
- ADFS: The Gateway communicates with an installed AuthPoint ADFS agent to enable MFA for an existing ADFS deployment.

Each Gateway can communicate with RADIUS, LDAP, and ADFS resources. You can also configure multiple Gateways for the same resources for high availability.

Configure an AuthPoint Gateway

From the Gateway page in the AuthPoint management UI, you can add a Gateway. When you configure a Gateway, you select RADIUS resources, ADFS resources, and LDAP external entities you want the gateway to communicate with.

[Figure: The Add Gateway page where you add resources.]

You cannot select the same LDAP external identity in more than one AuthPoint Gateway.

In the Gateway configuration you can specify the RADIUS port. The default port used by the Gateway (RADIUS server) to communicate with the RADIUS clients is port 1812. If you already have a RADIUS server installed that uses port 1812 (or 1645), you must use a different port for the AuthPoint Gateway.

After you add the Gateway, copy the registration key, which you need to install the Gateway. The Gateway registration key is a one-time use key. If your Gateway installation fails, you must generate a new registration key before you try to install the Gateway again.

Install the Gateway Software

Before you install the AuthPoint Gateway, make sure that:

- The computer you will install the Gateway on has Internet access.
- The computer you will install the Gateway on can communicate with your RADIUS clients and Active Directory or LDAP database.
- You have the registration key for your Gateway.
When you install the AuthPoint Gateway, you must provide the Gateway registration key. The key is used to register the Gateway and enables WatchGuard Cloud (AuthPoint) to identify and communicate with the installed Gateway. The installer connects to your AuthPoint account and downloads the Gateway configuration.

For the Gateway to work, you might have to create a new inbound firewall rule for the UDP RADIUS port that you configured or disable the Windows firewall.

The Gateway runs as four services. The Gateway service handles connections to your AuthPoint account in the cloud and sends configuration settings to the other three services, which handle RADIUS, ADFS, and LDAP communication on the local network.

Monitor Gateway Status

On the Gateway page, you can see the s
