FortiToken physical device and FortiToken Mobile
A FortiToken device is a disconnected one-time password (OTP) generator. It is a small physical device with a button that when pressed displays a six digit token passcode. FortiToken Mobile is an application for mobile devices that performs the same one-time password function as a FortiToken device.
Each FortiAuthenticator unit or VM is supplied with two trial FortiToken Mobile tokens. To obtain the free FortiToken Mobile tokens (if they have not been created dynamically on install), select Get FortiToken Mobile trial tokens when adding a FortiToken Mobile token. This may be required if, for example, you are upgrading an unlicensed FortiAuthenticator unit to a licensed one, as the old tokens associated with the unlicensed serial number will not be compatible with the new, licensed serial number. The tokens will still work, but they cannot be reassigned to a new user. In this case, you must delete the old tokens, and then generate new ones.
Time-based token passcodes require that FortiAuthenticator clock is accurate. If possible, configure the system time to synchronize with an NTP server.
To perform token-based authentication, the user must enter the token passcode. If the user’s username and password are also required, this is called two-factor authentication. The displayed code changes every 60 seconds.
FortiAuthenticator supports FortiToken OTP push notifications, or FTMv4 push notifications. Using FTMv4, when required to authenticate themselves, FortiToken Mobile users don't have to look-up a code in FortiToken and enter the code into their browser. Instead FortiToken Mobile is queried and the user just responds to accept the connection and the session is authenticated. |
FortiAuthenticator and FortiTokens
With FortiOS, FortiToken identifiers must be entered into the FortiGate unit, which then contacts FortiGuard servers to verify the information before activating them.
FortiAuthenticator on the other hand acts as a repository for all FortiToken devices used on your network. It is a single point of registration and synchronization for easier installation and maintenance.
To add FortiTokens manually:
- Go to Authentication > User Management > FortiTokens and select Create New.
- Select the Token type, either FortiToken Hardware or FortiToken Mobile.
- If FortiToken Hardware is selected, enter one or more token serial numbers in the Serial numbers field.
- If FortiToken Mobile, enter the Activation codes in the field provided, or select Get FortiToken Mobile free trial tokens to use temporary tokens.
- Select OK to add the FortiToken(s).
You can also import multiple tokens by selecting Import Multiple, or by selecting Add all FortiTokens from the same Purchase Order and entering a single token's serial number; all tokens associated with that purchase order will then be imported.
To import FortiTokens from a CSV file:
- From the FortiToken list, select Import.
- Do one of the following:
- Select Serial number file to load a CSV file that contains token serial numbers. FortiToken devices have a serial number barcode on them used to create the import file.
- Select Seed file to load a CSV file that contains the token serial numbers, encrypted seeds, and IV values.
- Select Choose File, find the configuration file, and select Open.
- Select OK to import the FortiTokens.
To import FortiTokens from a FortiGate unit:
- Export the FortiGate unit configuration to a file.
- From the FortiToken list, select Import.
- Select FortiGate configuration file.
- For Data to import, select either Import FortiToken Hardware only, Import FortiToken Hardware and only their associated users, or Import all FortiToken Hardware and users.
- Select Choose File, find the configuration file, and select Open.
- If the file is encrypted, enter the Password in the field provided.
- Select OK to import the FortiTokens.
To export FortiTokens:
- From the FortiToken list, select Export FTK Hardware.
- Save the file to your computer.
Monitoring FortiTokens
To monitor the total number of FortiToken devices registered on FortiAuthenticator, as well as the number of disabled FortiTokens, go to System > Dashboard > Status and view the User Inventory widget.
You can also view the list of FortiTokens, their status, token clock drift, and which user they are assigned to from the FortiToken list found at Authentication > User Management > FortiTokens.
FortiToken device maintenance
Go to Authentication > User Management > FortiTokens, then select the FortiToken you need to perform maintenance and select Edit. The following actions can be performed:
- Comments can be added for FortiToken.
- The device can be locked if it has been reported lost or stolen.
- The device can be unlocked if it is recovered.
- The device can be synchronized.
- The device history can be viewed, showing all commands applied to this FortiToken.
A reason for locking the device must be entered, and a temporary SMS token can be provided.
Synchronize the FortiAuthenticator and the FortiToken device when the device clock has drifted. This ensures that the device provides the token code that FortiAuthenticator expects, as the codes are time-based. Fortinet recommends synchronizing all new FortiTokens.
FortiToken drift adjustment
When FortiAuthenticator and FortiTokens have been initialized prior to setting an NTP server, the time difference can be too large to correct with the synchronize function, forcing all tokens to resynchronize. To avoid this, selected tokens can be manually drift shifted.
To perform time drift adjustment on a FortiToken:
- In a browser, go to:
- Select the FortiToken to adjust, then select Adjust Drift. The Adjust Token Drift window opens.
- Enter the required Time adjustment in minutes.
- Select OK to adjust the token drift.
https://<FortiAuthenticator-IP-Address>/admin/fac_auth/fortitokendrift/
Make sure to include a minus sign (-) for a negative value, but don’t use a plus sign (+) for a positive value.