FortiToken is a disconnected one-time password (OTP) generator. It is a small physical device with a button that when pressed displays a six digit authentication code. This code is entered with a user’s username and password as two-factor authentication. The code displayed changes every 60 seconds, and when not in use the LCD screen is blank to extend the battery life.
You can attach a lanyard to the FortiToken and wear it around your neck, or store it with other electronic devices. Do not put the FortiToken on a key ring as the metal ring and other metal objects can damage it.
Any time information about the FortiToken is transmitted, it is encrypted. When the FortiGate receives the code that matches a particular FortiToken's serial number, it is delivered and stored encrypted.
The following illustrates the FortiToken two-factor authentication process:
- The user attempts to access a network resource.
- FortiOS matches the traffic to an authentication security policy and prompts the user for their username and password.
- The user enters their username and password.
- FortiOS verifies their credentials. If valid, it prompts the user for the FortiToken code.
- The user views the current code on their FortiToken. They enter the code at the prompt.
- FortiOS verifies the FortiToken code. If valid, it allows the user access to network resources.
If the FortiToken has drifted, the following must take place for the FortiToken to resynchronize with FortiOS:
- FortiOS prompts the user to enter a second code to confirm.
- The user gets the next code from the FortiToken. They enter the code at the prompt.
- FortiOS uses both codes to update its clock to match the FortiToken.
If you attempt to add invalid FortiToken serial numbers, there is no error message. FortiOS does not add invalid serial numbers to the list.
Recipes about FortiTokens include the following: