Adaptive authentication

Note

The adaptive authentication feature is fully supported on FOS 7.0.2.

Multi-factor authentication provides more security than password-only login, but it comes at the cost of inconvenience for end-users.  The adaptive authentication feature uses the available information regarding a login attempt (for example, time of day, geo-location, and so on) to evaluate the circumstantial risk of a given login attempt.  The second authentication factor is required only when that risk is higher than a predetermined threshold.  Furthermore, you might choose to block an authentication attempt entirely if the circumstantial risk is deemed high enough.

FortiToken Cloud (FTC) allows end-users to bypass OTP verification of MFA under certain “safer” conditions and denies such attempts under other, “riskier” conditions. Upon receiving a request to bypass the OTP verification for MFA authentication, the FTC server assesses the situation and decides whether to deny the attempt to bypass the pre-configured OTP verification of MFA based on the following conditions:

  • Trusted subnet/geo-location

  • Time of day/day of week

Token bypass is allowed if the end-user meets one of the following conditions:

  • End-user IP address is from a trusted subnet

  • End-user IP address is from a trusted geo-location

  • Time is within the expected schedule

Token bypass is denied if the end-user meets one of the following conditions:

  • End-user IP address is NOT from a trusted subnet

  • End-user IP address is NOT from a trusted geo-location

  • Time is outside of the expected schedule
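
The two lists above can both match a single login attempt (for example, a trusted geo-location outside the expected schedule). The following added example, which is not FortiToken Cloud code, models the three conditions with constructed policy values and reports such attempts as `conflict`, because this page does not state which list takes precedence. The names `evaluate`, `TRUSTED_SUBNETS`, `TRUSTED_COUNTRIES` and the schedule constants are assumptions made for the illustration.

```python
import ipaddress
from datetime import datetime, time

# Constructed policy values for illustration; not FortiToken Cloud defaults.
TRUSTED_SUBNETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "2001:db8:10::/48")]
TRUSTED_COUNTRIES = {"CA", "DE"}              # trusted geo-locations (ISO country codes)
SCHEDULE_DAYS = {0, 1, 2, 3, 4}               # Monday=0 .. Friday=4
SCHEDULE_START, SCHEDULE_END = time(8, 0), time(18, 0)


def evaluate(ip, country, when):
    """Return (verdict, allow_reasons, deny_reasons) for one login attempt.

    `country` stands in for a geo-IP lookup result and `when` is assumed to be
    expressed in the same time zone as the schedule.
    """
    addr = ipaddress.ip_address(ip)
    checks = {
        "trusted subnet": any(addr in net for net in TRUSTED_SUBNETS),
        "trusted geo-location": country in TRUSTED_COUNTRIES,
        "expected schedule": when.weekday() in SCHEDULE_DAYS
        and SCHEDULE_START <= when.time() < SCHEDULE_END,
    }
    allow = [name for name, ok in checks.items() if ok]
    deny = [name for name, ok in checks.items() if not ok]
    if allow and deny:
        verdict = "conflict"   # matches both lists; precedence not stated on the page
    else:
        verdict = "bypass" if allow else "deny"
    return verdict, allow, deny


# Constructed login attempts: (source IP, geo-IP country, local timestamp).
ATTEMPTS = [
    ("10.20.5.9", "CA", datetime(2024, 3, 4, 9, 30)),
    ("203.0.113.7", "BR", datetime(2024, 3, 9, 23, 15)),
    ("203.0.113.7", "CA", datetime(2024, 3, 4, 9, 30)),
    ("2001:db8:10::25", "DE", datetime(2024, 3, 10, 2, 0)),
]

if __name__ == "__main__":
    for ip, country, when in ATTEMPTS:
        verdict, allow, deny = evaluate(ip, country, when)
        print(f"{ip:<16} {country} {when:%a %H:%M} -> {verdict:8} allow={allow} deny={deny}")
```

Attempts reported as `conflict` are the ones to test against the deployed policy before relying on bypass.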

This section covers the following topics:
