FortiTokens
FortiTokens are security tokens used as part of a multi-factor authentication (MFA) system on FortiProxy and FortiAuthenticator to apply MFA to FortiProxy user, administrator, and captive portal authentication. A security token is a 6-digit or 8-digit (configurable) one-time password (OTP) for authenticating one's identity electronically as a prerequisite for accessing network resources. FortiToken is available as a mobile or a physical (hard) token. The encryption seeds of the tokens are stored on the cloud and are always encrypted whether in motion or at rest.
Mobile tokens can be purchased as a license, or consumed with points as part of the FortiToken Cloud service. FortiToken Mobile is an OATH compliant, event- and time-based one-time password (OTP) generator application that provides an easy and flexible way to deploy and provision FortiTokens to your end users through mobile devices without the need for a physical token. FortiToken Mobile supports the following platforms:
Platform |
Device and firmware support |
||
---|---|---|---|
iOS |
iPhone, iPad, and iPod Touch with iOS 6.0 and later. |
||
Android |
Phones and tablets with Android Jellybean 4.1 and later. |
||
Windows |
Windows 10 (desktop and mobile), Windows Phone 8.1, and Windows Phone 8.
|
A FortiToken can only be registered to a single FortiProxy or FortiAuthenticator for security purposes. This prevents malicious third parties from making fraudulent requests to hijack your FortiTokens by registering them on another FortiProxy or FortiAuthenticator. If re-registering a FortiToken mobile or hard Token on another FortiProxy is required, you must contact Fortinet Customer Support.
The MFA process commonly involves:
A third factor of authentication is added to the authentication process:
To enable the third factor, refer to the Activating a mobile token section. |
The following illustrates the FortiToken MFA process:
-
The user attempts to access a network resource.
-
FortiProxy matches the traffic to an authentication security policy and prompts the user for the username and password.
-
The user enters the username and password.
-
FortiProxy verifies their credentials. If valid, it prompts the user for the FortiToken code.
-
The user views the current code on their FortiToken and enters the code at the prompt.
-
FortiProxy verifies the FortiToken code. If valid, it allows the user access to network resources.
If the FortiToken has drifted, the following must take place for the FortiToken to resynchronize with FortiProxy:
-
FortiProxy prompts the user to enter a second code to confirm.
-
The user gets the next code from the FortiToken and enters the code at the prompt.
-
FortiProxy uses both codes to update its clock to match the FortiToken.
This section includes the following topics to quickly get started with FortiTokens: