AuthPoint user without email address

edited June 2022 in AuthPoint - General

We need to install MFA AuthPoint on the servers. Only admins can log in to servers. Admins cannot have an email address. Will it be possible for a user to use MFA without having an email address? How can we activate a mobile token for admins?
Thanks

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @dritanb

    Authpoint uses the contact email in the general tab of the user properties -- it can be set to anything.

    Users without an email can be manually created (so long as the username matches exactly) and if you log into the IDP portal you can activate there as well.

    -James Carson
    WatchGuard Customer Support

  • Hi @james.carson

    @james.carson said:
    Hi @dritanb

    Users without an email can be manually created (so long as the username matches exactly) and if you log into the IDP portal you can activate there as well.

    What if these users are local AD users? Then this option will not work.
    Are you saying we can add a non-existent e-mail to AD user accounts, let it sync to the cloud, and log in to the IDP portal with the AD username and password to activate the token?

    /Robert

  • james.carson Moderator, WatchGuard Representative

    @rv@kaufmann.dk
    Local users can work if the username matches and the user is added to AuthPoint manually.

    If they want the user to sync, you can use any email in that field (gmail, outlook.com, etc.); it doesn't have to be tied to the user's Exchange, etc.

    -James Carson
    WatchGuard Customer Support

  • The total lack of integration without a potential MASSIVE weak link is why we moved away from AuthPoint (among other reasons). WG will go on and on about deprecated authentication (like text to mobile) and yet let you use a gmail address to get a password reset or token.

    We have a number of reasons that we went to other options (I won't say brands as I have been reprimanded for doing that). We did try keyfobs for some folks who are not in the US (SID800) and had issues with keeping time the same (odd, I know)... it was not much more than a continual support job and day-to-day managing of something that should be pretty hands off.

  • @TestingTester

    @TestingTester said:
    The total lack of integration without a potential MASSIVE weak link is why we moved away from AuthPoint (among other reasons).

    can you elaborate?

    WG will go on and on about depreciated authentication (like text to mobile) and yet let you use a gmail address to get a password reset or token.
    Is this not more an internal company policy about what you allow to be used for e-mails?

    We have a number of reasons that we went to other options

    can you elaborate?

    (I won't say brands as I have been reprimanded for doing that). We did try keyfobs for some folks who are not in the US (SID800) and had issues with keeping time the same (odd, I know)... it was not much more than a continual support job and day-to-day managing of something that should be pretty hands off.
    I am quite happy with our solution and have nearly zero support from end users.

    /Robert

  • Sure, when trying to use AuthPoint in environments that were not of "US Standards" (their term)... so, we had a group of staff in Brazil who did not have their own cellular devices to install the App on (in the US pretty much everyone has a mobile device with a phone number)... we then wanted to just text a code... like my bank does. WG did not support this for many of the numbers at hand and would claim that text credentials were "already compromised"... but would let us use gmail as an address... if something on the internet is "already compromised" it is anything and everything Google.

    Our solution was another vendor (Cisco) and using RSA keys to use the random numbers generated by the keys (which are in many nations including Brazil, Singapore, India and Pakistan). We tried them briefly with AuthPoint, but there the theory was that LDAP was not fast enough to accept the credential in time for the client device.

    We are 99% WatchGuard at our edge devices except for some critical systems where we are Meraki. Going to more and more Meraki infrastructure as we replace switches (Netgear and Cisco) and retire WAPs as licenses expire and go to Meraki as well. No real desire to change to Meraki UTM as it would be a massive fire drill for most of the facilities I have to play with.

  • james.carson Moderator, WatchGuard Representative

    @TestingTester
    You are correct. We do not support OTP to text messages as it is deemed a very large security hole. For customers that don't or can't use phone-based authentication, we offer both WatchGuard-branded and 3rd party OTP fobs.

    You can find more information about this here:
    https://www.secplicity.org/2018/10/12/do-you-know-which-multi-factor-authentication-methods-are-insecure/

    With regards to password resets, you need to know both the user's email account and have access to it. WatchGuard has no control over the email service customers choose to use. If you don't trust gmail, you're free to not use it and set policy on your network as such.

    -James Carson
    WatchGuard Customer Support

  • james.carson. Used to be 'paralysis by analysis'... now it is by paranoia. Seriously, end user support is OUTLANDISH for US staff and a chore for overseas staff. But, being as a very high percentage of overseas staff do not have an Android or iPhone... we find ways to work. Best practices or not (according to some think tank somewhere).

    I swear, one more user complains about the "not trusted" message on the VPN client portal and I am going to scream. Oddly, I never have that issue with FTEs who are on US soil ;-)

  • @TestingTester said:
    james.carson. Used to be 'paralysis by analysis'... now it is by paranoia. Seriously, end user support is OUTLANDISH for US staff and a chore for overseas staff. But, being as a very high percentage of overseas staff do not have an Android or iPhone... we find ways to work. Best practices or not (according to some think tank somewhere).

    I swear, one more user complains about the "not trusted" message on the VPN client portal and I am going to scream. Oddly, I never have that issue with FTEs who are on US soil ;-)

    We simply use the hardware tokens for staff with no phone or shared computer access, no big issue. And we use a 120-second authentication timeout.

    /Robert

  • rv - we tried to make the timeout long and it just never worked out. Not sure why, and it turned into a spinning circle of end user support. At least not with SSL VPN. IKEv2 was a bit more successful, but many folks who are not in the US have... um... 'less than valid?' copies of Windows and did not want to get some of the updates to keep things current. No issues these days with our current solution (and when on WG using OpenVPN Connect).

  • You are concerned about security and yet let people connect with stolen Windows OS and un-updated OS. Makes no sense.