Administration Guide

FortiTokens

FortiTokens are security tokens used as part of a multi-factor authentication (MFA) system on FortiProxy and FortiAuthenticator to apply MFA to FortiProxy user, administrator, and captive portal authentication. A security token generates a 6-digit or 8-digit (configurable) one-time password (OTP) that the user presents, in addition to a password, to prove their identity before being granted access to network resources. FortiToken is available as a mobile token or a physical (hard) token. The token seeds are stored in the cloud and are always encrypted, whether in transit or at rest.

Mobile tokens can be purchased as a license or consumed with points as part of the FortiToken Cloud service. FortiToken Mobile is an OATH-compliant, event- and time-based one-time password (OTP) generator application that provides an easy and flexible way to deploy and provision FortiTokens to your end users through mobile devices without the need for a physical token. FortiToken Mobile supports the following platforms:

Platform   Device and firmware support
iOS        iPhone, iPad, and iPod Touch with iOS 6.0 and later.
Android    Phones and tablets with Android Jellybean 4.1 and later.
Windows    Windows 10 (desktop and mobile), Windows Phone 8.1, and Windows Phone 8.

Note

FortiToken for Windows is a Universal Windows Platform (UWP) application. To download it for Windows 10 desktop and mobile platforms, see FortiToken for Windows on the Microsoft Store.

For security purposes, a FortiToken can be registered to only one FortiProxy or FortiAuthenticator at a time. This prevents a malicious third party from hijacking your FortiTokens by registering them on another FortiProxy or FortiAuthenticator. If you need to re-register a FortiToken Mobile or hard token on another FortiProxy, you must contact Fortinet Customer Support.

The MFA process commonly involves:

  • Something you know: User password

  • Something you have: The FortiToken OTP

A third factor can optionally be added to the authentication process:

  • Something you are: Your fingerprint or face

To enable the third factor, refer to the Activating a mobile token section.

The following illustrates the FortiToken MFA process:
  1. The user attempts to access a network resource.

  2. FortiProxy matches the traffic to an authentication security policy and prompts the user for the username and password.

  3. The user enters the username and password.

  4. FortiProxy verifies their credentials. If valid, it prompts the user for the FortiToken code.

  5. The user views the current code on their FortiToken and enters the code at the prompt.

  6. FortiProxy verifies the FortiToken code. If valid, it allows the user access to network resources.

If the FortiToken has drifted (its clock or event counter no longer matches what FortiProxy expects, so the current code falls outside the accepted window), the following must take place for the FortiToken to resynchronize with FortiProxy:
  1. FortiProxy prompts the user to enter a second code to confirm.

  2. The user gets the next code from the FortiToken and enters the code at the prompt.

  3. FortiProxy uses the two consecutive codes to determine the token's offset and updates its record of the token's clock to match the FortiToken.
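The six-step exchange and the two-code resynchronization above, as an added Python example (this is not Fortinet's code and does not reproduce FortiProxy's implementation): an OATH HOTP/TOTP generator standing in for the FortiToken, and a verifier standing in for FortiProxy that tolerates a small skew window, refuses replay of a code it has already accepted, and, when a login fails because of drift, learns the token's offset from two consecutive codes. The 30-second step, the one-step skew window on normal logins, the 50-step resync search range, and the RFC 4226/6238 test seed with a fixed timestamp are all assumptions for the demonstration; the page does not state the values FortiProxy uses.

```python
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.

    `digits` is the 6 or 8 the page describes as configurable.
    """
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the token's own clock."""
    return hotp(seed, unix_time // step, digits)


class TokenVerifier:
    """Server side of the exchange (the FortiProxy role in the steps above).

    Holds the shared seed plus per-token state: the clock offset learned at
    resynchronization and the last counter accepted, so a code cannot be replayed.
    """

    def __init__(self, seed: bytes, digits: int = 6, step: int = 30, window: int = 1):
        self.seed = seed
        self.digits = digits
        self.step = step
        self.window = window        # steps of skew tolerated on a normal login (assumed +/-1)
        self.drift = 0              # token clock offset in steps, updated by resync()
        self.last_counter = -1      # highest counter already consumed

    def _matches(self, counter: int, code: str) -> bool:
        if counter < 0:
            return False
        return hmac.compare_digest(hotp(self.seed, counter, self.digits), code)

    def verify(self, code: str, now: int) -> bool:
        """Step 6: accept the code if it matches a counter inside the skew window."""
        expected = now // self.step + self.drift
        for counter in range(expected - self.window, expected + self.window + 1):
            if counter <= self.last_counter:
                continue                    # already used: reject the replay
            if self._matches(counter, code):
                self.last_counter = counter
                return True
        return False

    def resync(self, first: str, second: str, now: int, search: int = 50) -> bool:
        """Drift recovery: two consecutive codes pin down the token's counter.

        `now` is the server time when the second code was entered. The pair must
        match adjacent counters within `search` steps (assumed 50) of the server
        clock; one matching code alone is not trusted, which is why the user is
        asked for a second one.
        """
        base = now // self.step
        for counter in range(base - search, base + search + 1):
            if self._matches(counter, first) and self._matches(counter + 1, second):
                self.drift = counter + 1 - base
                self.last_counter = counter + 1
                return True
        return False


def demo() -> dict:
    """Walk the exchange with a constructed seed (the RFC 4226/6238 test seed) and a fixed clock."""
    seed = b"12345678901234567890"          # constructed: the RFC test seed, not a real token
    server = TokenVerifier(seed)
    now = 1_700_000_000                      # constructed server time
    results = {}
    # Normal login: the token clock agrees with the server.
    results["in_sync"] = server.verify(totp(seed, now), now)
    # Replaying the same code in the same step is refused.
    results["replay"] = server.verify(totp(seed, now), now)
    # Token clock five minutes fast: outside the window, so the login fails...
    fast = 300
    first = totp(seed, now + fast)
    results["drifted"] = server.verify(first, now)
    # ...the server asks for the next code, and learns the offset from the pair.
    second = totp(seed, now + fast + 30)
    results["resynced"] = server.resync(first, second, now + 30)
    results["drift_steps"] = server.drift
    # Later logins succeed against the corrected offset.
    results["after_resync"] = server.verify(totp(seed, now + fast + 120), now + 120)
    return results
```

The replay guard matters as much as the OTP check itself: without `last_counter`, a code captured during the skew window could be submitted again before the step expires. The resync search range is deliberately wider than the login window, but it is still bounded, so an attacker cannot submit an arbitrary pair and have the server adopt a huge offset.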

This section includes the following topics to quickly get started with FortiTokens:
