AuthPoint password and token storage/generation

Hi all,
Our CFO has concerns with AuthPoint. We have it set up and working for our VPN connections to our main office. The CFO's concern is that the password and the token (AuthPoint app token) are both controlled by WatchGuard and hence a security issue: WatchGuard can recreate a token and a password to allow access to our network. Is there documentation somewhere that explains the security of password storage and token generation? I've looked but haven't found much that describes how the passwords are stored and how token generation happens (the nitty-gritty, not "open the app and point the camera at the QR code" kind of stuff).
Thanks!

Travis

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @T_Crook

    How each part of AuthPoint works is a bit different, so it'll depend on what portions you're specifically using. There's an overview of AuthPoint here:

    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/authpoint/about-authpoint.html

    With regards to the password: If you're using LDAP Synced users, AuthPoint passes the user to AD for authentication -- it doesn't actually store or ever know anything but the password it's using to sync the users. The only instance where the user's password is stored on the AuthPoint server is if the user is a local AuthPoint account.

    You can see the account types here:
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/authpoint/add_user_accounts.html?

    WatchGuard Cloud accounts are stored in such a way that you would need to explicitly grant us access to your account in order for us to access it and revoke/issue/generate new QR Codes, or modify the account. When customers create cases that require we access accounts, we generally advise customers to create a new management account, delegate access to it, and provide that. This allows it to be audited (you can view what actions were taken by that user) and allows you to delete/disable the account afterwards if you desire.

    If you have any specific concerns, I'd suggest opening a support case. That'd allow any concern to be routed to the correct team and answered / acted on as necessary.

    Thank you,

    -James Carson
    WatchGuard Customer Support

  • Hi James,
    Thank you for that great explanation! I will pass this along to our CFO. I believe it will relieve any concerns.

    Travis
