Fortinet white logo
Fortinet white logo

FortiToken physical device and FortiToken Mobile

FortiToken physical device and FortiToken Mobile

A FortiToken device is a disconnected one-time password (OTP) generator. It is a small physical device with a button that when pressed displays a six digit token passcode. FortiToken Mobile is an application for mobile devices that performs the same one-time password function as a FortiToken device.

Each FortiAuthenticator unit or VM is supplied with two trial FortiToken Mobile tokens. To obtain the free FortiToken Mobile tokens (if they have not been created dynamically on install), select Get FortiToken Mobile trial tokens when adding a FortiToken Mobile token. This may be required if, for example, you are upgrading an unlicensed FortiAuthenticator unit to a licensed one, as the old tokens associated with the unlicensed serial number will not be compatible with the new, licensed serial number. The tokens will still work, but they cannot be reassigned to a new user. In this case, you must delete the old tokens, and then generate new ones.

Time-based token passcodes require that FortiAuthenticator clock is accurate. If possible, configure the system time to synchronize with an NTP server.

To perform token-based authentication, the user must enter the token passcode. If the user’s username and password are also required, this is called two-factor authentication. The displayed code changes every 60 seconds.

note icon FortiAuthenticator supports FortiToken OTP push notifications, or FTMv4 push notifications. Using FTMv4, when required to authenticate themselves, FortiToken Mobile users don't have to look-up a code in FortiToken and enter the code into their browser. Instead FortiToken Mobile is queried and the user just responds to accept the connection and the session is authenticated.

FortiAuthenticator and FortiTokens

With FortiOS, FortiToken identifiers must be entered into the FortiGate unit, which then contacts FortiGuard servers to verify the information before activating them.

FortiAuthenticator on the other hand acts as a repository for all FortiToken devices used on your network. It is a single point of registration and synchronization for easier installation and maintenance.

To register FortiTokens, you must have a valid FortiGuard connection, otherwise any FortiTokens you enter will have an Inactive status. After the FortiTokens are registered, the connection to FortiGuard is no longer essential.

If a token authentication fails, check that the system time on FortiAuthenticator is correct and re-synchronize the FortiToken.

To add FortiTokens manually:
  1. Go to Authentication > User Management > FortiTokens and select Create New.
  2. Select the Token type, either FortiToken Hardware or FortiToken Mobile.
  3. If FortiToken Hardware is selected, enter one or more token serial numbers in the Serial numbers field.
  4. You can also import multiple tokens by selecting Import Multiple, or by selecting Add all FortiTokens from the same Purchase Order and entering a single token's serial number; all tokens associated with that purchase order will then be imported.

  5. If FortiToken Mobile, enter the Activation codes in the field provided, or select Get FortiToken Mobile free trial tokens to use temporary tokens.
  6. Select OK to add the FortiToken(s).
To import FortiTokens from a CSV file:
  1. From the FortiToken list, select Import.
  2. Do one of the following:
    • Select Serial number file to load a CSV file that contains token serial numbers. FortiToken devices have a serial number barcode on them used to create the import file.
    • Select Seed file to load a CSV file that contains the token serial numbers, encrypted seeds, and IV values.
  3. Select Choose File, find the configuration file, and select Open.
  4. Select OK to import the FortiTokens.
To import FortiTokens from a FortiGate unit:
  1. Export the FortiGate unit configuration to a file.
  2. From the FortiToken list, select Import.
  3. Select FortiGate configuration file.
  4. For Data to import, select either Import FortiToken Hardware only, Import FortiToken Hardware and only their associated users, or Import all FortiToken Hardware and users.
  5. Select Choose File, find the configuration file, and select Open.
  6. If the file is encrypted, enter the Password in the field provided.
  7. Select OK to import the FortiTokens.
To export FortiTokens:
  1. From the FortiToken list, select Export FTK Hardware.
  2. Save the file to your computer.

Monitoring FortiTokens

To monitor the total number of FortiToken devices registered on FortiAuthenticator, as well as the number of disabled FortiTokens, go to System > Dashboard > Status and view the User Inventory widget.

You can also view the list of FortiTokens, their status, token clock drift, and which user they are assigned to from the FortiToken list found at Authentication > User Management > FortiTokens.

FortiToken device maintenance

Go to Authentication > User Management > FortiTokens, then select the FortiToken you need to perform maintenance and select Edit. The following actions can be performed:

  • Comments can be added for FortiToken.
  • The device can be locked if it has been reported lost or stolen.
  • A reason for locking the device must be entered, and a temporary SMS token can be provided.

  • The device can be unlocked if it is recovered.
  • The device can be synchronized.
  • Synchronize the FortiAuthenticator and the FortiToken device when the device clock has drifted. This ensures that the device provides the token code that FortiAuthenticator expects, as the codes are time-based. Fortinet recommends synchronizing all new FortiTokens.

  • The device history can be viewed, showing all commands applied to this FortiToken.

FortiToken drift adjustment

When FortiAuthenticator and FortiTokens have been initialized prior to setting an NTP server, the time difference can be too large to correct with the synchronize function, forcing all tokens to resynchronize. To avoid this, selected tokens can be manually drift shifted.

caution icon

The following procedure is intended for use only in special cases where some FortiTokens are severely out-of-sync, for example, when a token is switched from manual configuration to NTP control. Under normal circumstances, this is not required.

Only activated FortiTokens can be adjusted.

To perform time drift adjustment on a FortiToken:
  1. In a browser, go to:
  2. https://<FortiAuthenticator-IP-Address>/admin/fac_auth/fortitokendrift/

  3. Select the FortiToken to adjust, then select Adjust Drift. The Adjust Token Drift window opens.
  4. Enter the required Time adjustment in minutes.
  5. Make sure to include a minus sign (-) for a negative value, but don’t use a plus sign (+) for a positive value.

  6. Select OK to adjust the token drift.

FortiToken physical device and FortiToken Mobile

FortiToken physical device and FortiToken Mobile

A FortiToken device is a disconnected one-time password (OTP) generator. It is a small physical device with a button that when pressed displays a six digit token passcode. FortiToken Mobile is an application for mobile devices that performs the same one-time password function as a FortiToken device.

Each FortiAuthenticator unit or VM is supplied with two trial FortiToken Mobile tokens. To obtain the free FortiToken Mobile tokens (if they have not been created dynamically on install), select Get FortiToken Mobile trial tokens when adding a FortiToken Mobile token. This may be required if, for example, you are upgrading an unlicensed FortiAuthenticator unit to a licensed one, as the old tokens associated with the unlicensed serial number will not be compatible with the new, licensed serial number. The tokens will still work, but they cannot be reassigned to a new user. In this case, you must delete the old tokens, and then generate new ones.

Time-based token passcodes require that FortiAuthenticator clock is accurate. If possible, configure the system time to synchronize with an NTP server.

To perform token-based authentication, the user must enter the token passcode. If the user’s username and password are also required, this is called two-factor authentication. The displayed code changes every 60 seconds.

note icon FortiAuthenticator supports FortiToken OTP push notifications, or FTMv4 push notifications. Using FTMv4, when required to authenticate themselves, FortiToken Mobile users don't have to look-up a code in FortiToken and enter the code into their browser. Instead FortiToken Mobile is queried and the user just responds to accept the connection and the session is authenticated.

FortiAuthenticator and FortiTokens

With FortiOS, FortiToken identifiers must be entered into the FortiGate unit, which then contacts FortiGuard servers to verify the information before activating them.

FortiAuthenticator on the other hand acts as a repository for all FortiToken devices used on your network. It is a single point of registration and synchronization for easier installation and maintenance.

To register FortiTokens, you must have a valid FortiGuard connection, otherwise any FortiTokens you enter will have an Inactive status. After the FortiTokens are registered, the connection to FortiGuard is no longer essential.

If a token authentication fails, check that the system time on FortiAuthenticator is correct and re-synchronize the FortiToken.

To add FortiTokens manually:
  1. Go to Authentication > User Management > FortiTokens and select Create New.
  2. Select the Token type, either FortiToken Hardware or FortiToken Mobile.
  3. If FortiToken Hardware is selected, enter one or more token serial numbers in the Serial numbers field.
  4. You can also import multiple tokens by selecting Import Multiple, or by selecting Add all FortiTokens from the same Purchase Order and entering a single token's serial number; all tokens associated with that purchase order will then be imported.

  5. If FortiToken Mobile, enter the Activation codes in the field provided, or select Get FortiToken Mobile free trial tokens to use temporary tokens.
  6. Select OK to add the FortiToken(s).
To import FortiTokens from a CSV file:
  1. From the FortiToken list, select Import.
  2. Do one of the following:
    • Select Serial number file to load a CSV file that contains token serial numbers. FortiToken devices have a serial number barcode on them used to create the import file.
    • Select Seed file to load a CSV file that contains the token serial numbers, encrypted seeds, and IV values.
  3. Select Choose File, find the configuration file, and select Open.
  4. Select OK to import the FortiTokens.
To import FortiTokens from a FortiGate unit:
  1. Export the FortiGate unit configuration to a file.
  2. From the FortiToken list, select Import.
  3. Select FortiGate configuration file.
  4. For Data to import, select either Import FortiToken Hardware only, Import FortiToken Hardware and only their associated users, or Import all FortiToken Hardware and users.
  5. Select Choose File, find the configuration file, and select Open.
  6. If the file is encrypted, enter the Password in the field provided.
  7. Select OK to import the FortiTokens.
To export FortiTokens:
  1. From the FortiToken list, select Export FTK Hardware.
  2. Save the file to your computer.

Monitoring FortiTokens

To monitor the total number of FortiToken devices registered on FortiAuthenticator, as well as the number of disabled FortiTokens, go to System > Dashboard > Status and view the User Inventory widget.

You can also view the list of FortiTokens, their status, token clock drift, and which user they are assigned to from the FortiToken list found at Authentication > User Management > FortiTokens.

FortiToken device maintenance

Go to Authentication > User Management > FortiTokens, then select the FortiToken you need to perform maintenance and select Edit. The following actions can be performed:

  • Comments can be added for FortiToken.
  • The device can be locked if it has been reported lost or stolen.
  • A reason for locking the device must be entered, and a temporary SMS token can be provided.

  • The device can be unlocked if it is recovered.
  • The device can be synchronized.
  • Synchronize the FortiAuthenticator and the FortiToken device when the device clock has drifted. This ensures that the device provides the token code that FortiAuthenticator expects, as the codes are time-based. Fortinet recommends synchronizing all new FortiTokens.

  • The device history can be viewed, showing all commands applied to this FortiToken.

FortiToken drift adjustment

When FortiAuthenticator and FortiTokens have been initialized prior to setting an NTP server, the time difference can be too large to correct with the synchronize function, forcing all tokens to resynchronize. To avoid this, selected tokens can be manually drift shifted.

caution icon

The following procedure is intended for use only in special cases where some FortiTokens are severely out-of-sync, for example, when a token is switched from manual configuration to NTP control. Under normal circumstances, this is not required.

Only activated FortiTokens can be adjusted.

To perform time drift adjustment on a FortiToken:
  1. In a browser, go to:
  2. https://<FortiAuthenticator-IP-Address>/admin/fac_auth/fortitokendrift/

  3. Select the FortiToken to adjust, then select Adjust Drift. The Adjust Token Drift window opens.
  4. Enter the required Time adjustment in minutes.
  5. Make sure to include a minus sign (-) for a negative value, but don’t use a plus sign (+) for a positive value.

  6. Select OK to adjust the token drift.