Multi-Factor Authentication
Multi-Factor Authentication (MFA) is an additional layer of security for the Check Point Portal. With MFA, Check Point Portal users must use an authentication app to confirm their identities before they get access to Check Point Portal. All new Check Point Portal accounts are created with MFA enabled.
Organizations can configure and manage MFA as part of Single Sign-On (SSO) with an Identity Provider. For example, some organizations require MFA as part of user authentication through Microsoft Entra ID. Thus, Check Point Portal users who log in through Microsoft Entra ID authenticate themselves with MFA according to the policy configured by the organization's Microsoft Entra ID administrator.
Creating and Editing MFA Configurations for Your User Account
This video shows you how to verify your phone number for the Check Point Portal and configure MFA using an authenticator app.
- Download one of these authenticator applications to your mobile phone:
  - Google Authenticator
  - Microsoft Authenticator
  - Authy
- In the Check Point Portal, open the Profile Settings page. In the upper-right corner:
  - Click the user name, or
  - Click the arrow next to the user name > Profile Settings.

  The Profile Settings window opens.
- Toggle the Enforce Multi-Factor Authentication switch to ON.
  The Enforce Multi-Factor Authentication configuration wizard opens.
- Follow the on-screen instructions to connect the authentication app to the Check Point Portal.
- If you want to require yourself to use MFA for all Check Point Portal accounts, keep the toggle on. If you want to use MFA only when a Primary Administrator of an account requires it, switch the toggle off.
- Click Finish to close the wizard.
If your organization uses SSO authentication and does not enable MFA as part of it, you can require yourself to use MFA every time you log in to the Check Point Portal. This is valid even when the Primary Administrator of the Check Point Portal account does not require MFA.
Configuring Multi-Factor Authentication for your account:
- In the Check Point Portal, open the Profile Settings page. To do this, in the upper-right corner:
  - Click the user name, or
  - Click the arrow next to the user name and select Profile Settings.

  The Profile Settings window opens.
- Toggle the Multi-Factor Authentication switch to ON.
  If you do not have an authentication app configured, the Multi-Factor Authentication configuration wizard opens. Follow the steps in the wizard to configure an authentication app.
- Click Finish.
Managing Multi-Factor Authentication for Check Point Portal Users
This video shows you how to manage Multi-Factor Authentication for Check Point Portal users.
A Check Point Portal Primary Administrator, Admin, or User Admin can view and reset a user's MFA configuration.
In the Check Point Portal, click > Users.
The 2FA configured column of the table shows one of these Multi-Factor Authentication configurations for each user:

| Icon | MFA Configuration |
|---|---|
| | The user does not have MFA configured. |
| | The user has MFA configured with an authenticator app. |

The MFA table row shows you the MFA authentication method(s) that the user configured for themselves in Profile Settings. This table row is not related to the MFA enforcement policy for the account.
Enforcing MFA Policy for All Users
A Primary Administrator must set up an MFA policy for all users who log in to the Check Point Portal account with their username and password.
This video shows you how to enforce MFA for all users of a Check Point Portal account.
MFA enforcement settings on the Identity & Access page apply to all users of this Check Point Portal account. Only a Primary Administrator can change these settings.
- In the Check Point Portal, click > Identity & Access.
- In the Multi-Factor Authentication (MFA) to the Check Point Portal section, select when to enforce MFA:
  - Enforce MFA for all logins, including SSO - Users must use MFA to log in with username and password and for login with SSO through an Identity Provider.
  - Enforce MFA for login with username and password - This option is selected by default.

  A confirmation window opens.
- In the confirmation window, click Enforce.
A Primary Administrator can allow Check Point Portal users to bypass the MFA verification for 14 days after they successfully sign in to the Check Point Portal with a trusted device.
- In the Check Point Portal, click > Identity & Access.
- In the Multi-Factor Authentication (MFA) to the Check Point Portal section, select Allow trusted devices to skip MFA for 14 days.
When users enter their verification code on their login to the Check Point Portal, they can select the option Remember this device for 14 days.
Enforcing MFA Policy for Child Accounts using API
Because MFA is mandatory for all accounts that use a username and password to log in, primary administrators must enforce the MFA policy for all child accounts. These are Customer accounts managed by MSSPs or by a Customer Parent in a large enterprise.
Primary administrators that manage multiple accounts may need access to the child accounts that use API automation. To get access, the primary administrator needs an Account API key to create new API keys for child accounts. For more information, see API Keys.