AuthPoint user without email address
We need to install MFA AuthPoint on the servers. Only admins can log in to the servers. Admins cannot have an email address. Will a user be able to use MFA without having an email address? How can we activate a mobile token for admins?
Thanks
Comments
Hi @dritanb
AuthPoint uses the contact email in the General tab of the user properties -- it can be set to anything.
Users without an email can be manually created (as long as the username matches exactly), and if you log into the IDP portal you can activate there as well.
-James Carson
WatchGuard Customer Support
Hi @james.carson
What if these users are local AD users? Then this option will not work.
Are you saying we can add a non-existent e-mail address to the AD user accounts, let it sync to the cloud, and log in to the IDP portal with the AD username and password to activate the token?
/Robert
@rv@kaufmann.dk
Local users can work if the username matches and the user is added to AuthPoint manually.
If they want the user to sync, you can use any email in that field (gmail, outlook.com, etc.); it doesn't have to be tied to the user's Exchange, etc.
-James Carson
WatchGuard Customer Support
The total lack of integration without a potentially MASSIVE weak link is why we moved away from AuthPoint (among other reasons). WG will go on and on about deprecated authentication (like text to mobile) and yet let you use a gmail address to get a password reset or token.
We have a number of reasons that we went to other options (I won't say brands, as I have been reprimanded for doing that). We did try keyfobs for some folks who are not in the US (SID800) and had issues with keeping the time the same (odd, I know)... it was not much more than a continual support job and day-to-day managing of something that should be pretty hands-off.
@TestingTester
can you elaborate?
WG will go on and on about deprecated authentication (like text to mobile) and yet let you use a gmail address to get a password reset or token.
Is this not more an internal company policy about which e-mail addresses you allow?
can you elaborate?
(I won't say brands, as I have been reprimanded for doing that). We did try keyfobs for some folks who are not in the US (SID800) and had issues with keeping the time the same (odd, I know)... it was not much more than a continual support job and day-to-day managing of something that should be pretty hands-off.
I am quite happy with our solution and have nearly zero support requests from end users.
/Robert
Sure, when trying to use AuthPoint in environments that were not of "US Standards" (their term)... so, we had a group of staff in Brazil who did not have their own cellular devices to install the app on (in the US pretty much everyone has a mobile device with a phone number)... we then wanted to just text a code... like my bank does. WG did not support this to many of the numbers at hand and would claim that text credentials were "already compromised"... but would let us use gmail as an address... if something on the internet is "already compromised" it is anything and everything Google.
Our solution was another vendor (Cisco) and using RSA keys to use the random numbers generated by the keys (which are in many nations, including Brazil, Singapore, India and Pakistan). We tried them briefly with AuthPoint, but there the theory was that LDAP was not fast enough to accept the credential in time for the client device.
We are 99% WatchGuard at our edge devices, but for some critical systems we are Meraki. Going more and more Meraki infrastructure as we replace switches (Netgear and Cisco) and retire WAPs as licenses expire and go to Meraki as well. No real desire to change to Meraki UTM, as it would be a massive fire drill for most of the facilities I have to play with.
@TestingTester
You are correct. We do not support OTP to text messages, as it is deemed a very large security hole. For customers that don't or can't use phone-based authentication, we offer both WatchGuard-branded and 3rd-party OTP fobs.
You can find more information about this here:
https://www.secplicity.org/2018/10/12/do-you-know-which-multi-factor-authentication-methods-are-insecure/
With regards to password resets, you need to know both the user's email account and have access to it. WatchGuard has no control over the email service customers choose to use. If you don't trust gmail, you're free to not use it and set policy on your network as such.
-James Carson
WatchGuard Customer Support
james.carson. Used to be 'paralysis by analysis'... now it is by paranoia. Seriously, end user support is OUTLANDISH for US staff and a chore for overseas staff. But, being as a very high percentage of overseas staff do not have an Android or iPhone... we find ways to work. Best practices or not (according to some think tank somewhere).
I swear, one more user complains about the "not trusted" message on the VPN client portal and I am going to scream. Oddly, I never have that issue with FTEs who are on US soil ;-)
We simply use the hardware tokens for staff with no phone or shared computer access, no big issue. And we use a 120-second authentication timeout.
/Robert
rv - we tried to make the timeout long and it just never worked out. Not sure why, and it turned into a spinning circle of end user support. At least not with SSL VPN. IKEv2 was a bit more successful, but many folks who are not in the US have... um... 'less than valid?' copies of Windows and did not want to get some of the updates to keep things current. No issues these days with our current solution (and when on WG using OpenVPN Connect).