FortiTokens are security tokens used as part of a multi-factor authentication (MFA) system on FortiGate and FortiAuthenticator. A security token is a 6-digit or 8-digit (configurable) one-time password (OTP) that is used to authenticate one's identity electronically as a prerequisite for accessing network resources. FortiToken is available as either a mobile or a physical (hard) token. Mobile tokens can be purchased as a license, or consumed with points as part of the FortiToken Cloud service.
FortiToken Mobile and physical FortiTokens store their encryption seeds on the cloud. FortiToken Mobile seeds are generated dynamically when the token is provisioned. They are always encrypted whether in motion or at rest.
You can only register FortiTokens to a single FortiGate or FortiAuthenticator for security purposes. This prevents malicious third parties from making fraudulent requests to hijack your FortiTokens by registering them on another FortiGate or FortiAuthenticator. If re-registering a FortiToken Mobile or Hard Token on another FortiGate is required, you must contact Fortinet Customer Support.
Common usage for FortiTokens includes:
- Applying MFA to a VPN dialup user connecting to the corporate network
- Applying MFA to FortiGate administrators
- Applying MFA to firewall authentication and captive portal authentication
The MFA process commonly involves:
A third factor of authentication is added to the authentication process:
To enable the third factor, refer to the Activating FortiToken Mobile on a Mobile Phone section.
The following illustrates the FortiToken MFA process:
- The user attempts to access a network resource.
- FortiOS matches the traffic to an authentication security policy and prompts the user for their username and password.
- The user enters their username and password.
- FortiOS verifies their credentials. If valid, it prompts the user for the FortiToken code.
- The user views the current code on their FortiToken. They enter the code at the prompt.
- FortiOS verifies the FortiToken code. If valid, it allows the user access to network resources.
If the FortiToken has drifted, the following must take place for the FortiToken to resynchronize with FortiOS:
- FortiOS prompts the user to enter a second code to confirm.
- The user gets the next code from the FortiToken. They enter the code at the prompt.
- FortiOS uses both codes to update its clock to match the FortiToken.
This section includes the following topics to quickly get started with FortiTokens: