
Administration Guide

Tokens

To configure token policy settings, go to Authentication > User Account Policies > Tokens.

Configure the following settings:

FIDO

User verification

Select one of the following options to determine which type of user verification the end user's browser is instructed to use when registering or authenticating with FIDO:

  • preferred: The client can choose to enforce biometrics verification (default).

  • required: The client must enforce biometrics verification.

  • discouraged: The client is encouraged to not use biometrics verification.

FortiTokens

TOTP authentication window size

Configure the length of time, plus or minus the current time, that a FortiToken code is deemed valid, from 1 - 60 minutes. The default is set to 1 minute.

HOTP authentication window size

Configure the count, or number of times, that the FortiToken passcode is deemed valid, from 1 - 100 counts. The default is set to 3 counts.

TOTP sync window size

Configure the period of time in which the entry of an invalid token can trigger a synchronization, from 5 - 480 minutes. The default is set to 60 minutes.

If the entered code falls outside the TOTP authentication window but matches a value within the sync window, synchronization is initiated.

HOTP sync window size

Configure the count, or number of times, that the entry of an invalid token can trigger a synchronization, from 5 - 500 counts. The default is set to 100 counts.

If the entered code falls outside the HOTP authentication window but matches a value within the sync window, synchronization is initiated.

Use geolocation in FortiToken Mobile push notifications

Enable or disable geolocation lookup for the user IP address (if possible).

FortiToken Mobile Provisioning

Activation timeout

The activation timeout, a maximum of 30 days.

Token size

The token size, either 6 (set by default) or 8.

Token algorithm

Time-based One-time Password (TOTP, set by default) or Hash-based One-time Password (HOTP) algorithm.

Time step

The time step, either 60 (set by default) or 30.

Require PIN

Select whether a PIN is required or enforced.

When set to Required (the default), the user has the option to set a PIN but is not obliged to. When set to Enforced, the user must set a PIN, and that PIN cannot be deleted.

PIN Length

The PIN length, either 8, 6, or 4 (set by default).

Provision mode

Set the method of FortiToken Mobile token provisioning:

  • Online: Provision FortiToken Mobile token by connecting to the FortiCloud server.

    • Enable token transfer feature: Enable to let users securely transfer FortiToken Mobile tokens from one mobile device to another. See Transferring FortiToken Mobile tokens from old to new devices below.

  • Seed encryption passphrase: Passphrase from which a seed encryption key is derived; the key protects the seed returned when a FortiToken Mobile token is provisioned via the web service (REST API).

  • Offline: Air-gapped FortiAuthenticator devices can provision FortiToken Mobile tokens without connecting to the FortiCloud server.

    FortiToken Mobile license activation requires a temporary online connection to fortitokenmobile.fortinet.com.

    Offline token provisioning is done by scanning a QR code or manually entering an activation code, obtained from the FortiAuthenticator administrator GUI or the self-service portal.

FortiToken Mobile token transfer (Enable token transfer feature) and push features are unavailable when operating in FortiToken Mobile offline mode.

FortiAuthenticator rejects setting the Provision mode to Offline if:

  • An existing remote user synchronization rule is configured with FortiToken Mobile in the OTP method assignment priority, i.e., the FortiToken Mobile (assign an available token) option is enabled in Synchronization Attributes in Authentication > User Management > Remote User Sync Rules.

  • An existing user portal has Allow users to reconfigure their FortiToken Mobile option enabled (when FortiToken Revocation is enabled) in the Pre-Login Services pane in Authentication > Portals > Portals.

FortiAuthenticator Agent Offline FortiToken Support

Enable offline support

Enable to allow the Windows Agent to cache future-dated tokens for use when the client PC is offline. Enabling this option exposes the following settings:

  • Shared secret: Set the shared secret used in offline support.

  • TOTP cache size: Period of time after last login to pre-cache offline TOTP tokens, from 1 - 200 days. The default is set to 7 days.

  • HOTP cache size: Period of time after last login to pre-cache offline HOTP tokens, from 1 - 4000 counts. The default is set to 10 counts.

Enable emergency codes

Enable to allow the Windows Agent to use emergency codes.

The emergency code helps users with 2FA who may find themselves without access to FortiToken, SMS, or email.

Note: This option is disabled by default.

Emergency codes valid for

Configure the number of days for which an emergency code is valid, from 1 - 30. The default is set to 7.

Email/SMS

Token timeout

Set a time after which a token code sent via email or SMS will be marked as expired, from 10 - 3600 seconds (or one hour). The default is set to 60 seconds.

Transferring FortiToken Mobile tokens from old to new devices

Changing devices requires the user to install new tokens on their new device because the unique device ID is used to form the seed decryption key.

If you wipe data from your device, or upgrade your device, you will need to re-provision your accounts.

The option to Enable token transfer feature is available under Authentication > User Account Policies > Tokens when the Provision mode is Online.

If it is not enabled, FortiAuthenticator blocks all Transfer Activation Code requests (see below).

The process for transferring a token to a new device is as follows:

  1. The end user selects a new FortiToken Mobile menu option: Initiate Token Transfer.
  2. FortiToken Mobile requests a new "Token Transfer Request" service from FortiCare, and includes the token data.
  3. FortiCare stores the token data and creates a Transfer Activation Code.
  4. FortiCare signals back to FortiToken Mobile on the old device that "Transfer Initialization" is complete.
  5. On the old device, FortiToken Mobile sends a request to FortiAuthenticator for the Transfer Activation Code.
  6. FortiAuthenticator retrieves the Transfer Activation Code from FortiCare and signals back to FortiToken Mobile (on the old device) that the Transfer Activation Code request was successful.
  7. FortiAuthenticator sends either an email or SMS to the end user with the transfer code (as a QR code in the case of email).
  8. On the new device, the end user selects the FortiToken Mobile menu option Complete Token Transfer and enters the transfer code (or scans the QR code).
  9. FortiToken Mobile receives the token data from FortiCare and installs the token(s) on the new device.
    Note: All tokens are removed from the old device after the transfer is complete.
