Fortinet Document Library

Version:

Version:


Table of Contents

Download PDF
Copy Link

Appendix B - Synchronizing FortiTokens

Under normal circumstances, it is not necessary to synchronize FortiToken unless the time on the host FortiAuthenticator system has been allowed to deviate from the correct time. It is essential that the time is accurate in order to prevent synchronization issues from occurring, therefore configuration of an NTP server is recommended.

The natural drift time of the FortiToken is accounted for automatically by the FortiAuthenticator. Every time a user logs in, the FortiAuthenticator calculates the drift, and if it is within +/- 1 (where 1 is a token cycle of 60 seconds), the drift is adjusted accordingly. Should the drift deviate by greater than 1 (i.e. the clock is more than 60 seconds out) since the last login, a manual synchronization is required.

Tooltip

If manual synchronization is required for multiple tokens, this could be a sign that the FortiAuthenticator time is inaccurate. Verify the current time and the NTP settings.

Administrator synchronization

It is possible for the administrator to synchronize a token for use on the FortiAuthenticator. This can be useful when new tokens have been issued which have been held in storage for an extended period of time or are being reissued to a new user.

To perform a drift adjustment on a FortiToken:
  1. In a browser, go to:
    https://<FortiAuthenticator-IP-Address>/admin/fac_auth/fortitokendrift/
  2. Select the FortiToken to adjust, then select Adjust Drift.
    The Adjust Token Drift window opens.
  3. Enter the required Time adjustment in minutes.
    Make sure to include a minus sign (-) for a negative value, but don’t use a plus sign (+) for a positive value.
  4. Select OK to adjust the token drift.

Key points to note during the synchronization process are:

  • Ensure that the FortiAuthenticator time is accurate before proceeding.
  • Ensure that the serial of the token you are synchronizing matches that on the reverse of the token.
  • Ensure that the token has not been used in the proceeding 60 seconds. All tokens are one-time passwords and cannot therefore be used to authenticate (successful or otherwise) and synchronize.
  • Once successfully synchronized, wait a further 60 seconds before attempting to log in. A token used to synchronize cannot be re-used to authenticate.

User synchronization

Should it be required, FortiAuthenticator provides a mechanism allowing the user to perform their own manual synchronization. The user should be allowed to access the FortiAuthenticator GUI (https://<FAC IP>/login/).

Upon logging into the FortiAuthenticator, the user will be prompted to enter their token PIN. If the token PIN is out of sync, they will be prompted to enter two consecutive PINs. If the user does not receive the prompt, the token is already correctly synchronized.

Appendix B - Synchronizing FortiTokens

Under normal circumstances, it is not necessary to synchronize FortiToken unless the time on the host FortiAuthenticator system has been allowed to deviate from the correct time. It is essential that the time is accurate in order to prevent synchronization issues from occurring, therefore configuration of an NTP server is recommended.

The natural drift time of the FortiToken is accounted for automatically by the FortiAuthenticator. Every time a user logs in, the FortiAuthenticator calculates the drift, and if it is within +/- 1 (where 1 is a token cycle of 60 seconds), the drift is adjusted accordingly. Should the drift deviate by greater than 1 (i.e. the clock is more than 60 seconds out) since the last login, a manual synchronization is required.

Tooltip

If manual synchronization is required for multiple tokens, this could be a sign that the FortiAuthenticator time is inaccurate. Verify the current time and the NTP settings.

Administrator synchronization

It is possible for the administrator to synchronize a token for use on the FortiAuthenticator. This can be useful when new tokens have been issued which have been held in storage for an extended period of time or are being reissued to a new user.

To perform a drift adjustment on a FortiToken:
  1. In a browser, go to:
    https://<FortiAuthenticator-IP-Address>/admin/fac_auth/fortitokendrift/
  2. Select the FortiToken to adjust, then select Adjust Drift.
    The Adjust Token Drift window opens.
  3. Enter the required Time adjustment in minutes.
    Make sure to include a minus sign (-) for a negative value, but don’t use a plus sign (+) for a positive value.
  4. Select OK to adjust the token drift.

Key points to note during the synchronization process are:

  • Ensure that the FortiAuthenticator time is accurate before proceeding.
  • Ensure that the serial of the token you are synchronizing matches that on the reverse of the token.
  • Ensure that the token has not been used in the proceeding 60 seconds. All tokens are one-time passwords and cannot therefore be used to authenticate (successful or otherwise) and synchronize.
  • Once successfully synchronized, wait a further 60 seconds before attempting to log in. A token used to synchronize cannot be re-used to authenticate.

User synchronization

Should it be required, FortiAuthenticator provides a mechanism allowing the user to perform their own manual synchronization. The user should be allowed to access the FortiAuthenticator GUI (https://<FAC IP>/login/).

Upon logging into the FortiAuthenticator, the user will be prompted to enter their token PIN. If the token PIN is out of sync, they will be prompted to enter two consecutive PINs. If the user does not receive the prompt, the token is already correctly synchronized.