Fortinet Document Library

Considerations

The following information clarifies a few factors regarding different FortiToken deployments.

FortiToken encryption

FortiToken uses the OATH algorithms, implementing both HOTP and TOTP as specified in RFCs 4226 and 6238.

In addition, AES-256 in CBC mode is used to encrypt the seeds for storage (see below for more information on FortiToken seed files). The encryption key for the seed is a device-unique ID that is generated each time the seed needs to be accessed, so that, if the seed is somehow copied to another device, it will not decrypt correctly there and will only yield invalid OTPs.

The seeds are passed to the mobile device over TLS (HTTPS) and are additionally encrypted inside the TLS tunnel with the key derived from the device ID. In this way, the seed is effectively double encrypted in transit.

FortiToken authentication with no Internet

The following consideration is applicable to FortiOS 5.0+.

FortiTokens (excluding FortiToken-200CD) store their encryption seed files in the FortiGate or FortiAuthenticator unit they are assigned to, and the tokens themselves continue to generate token codes independently. Therefore, FortiGate/FortiAuthenticator units can validate token codes and provide two-factor authentication even if they have lost access to the Internet.

Note that FortiToken Mobile needs access to FortiGuard for all management changes (such as token assignment to users). Once assigned, these tokens will work even if the FortiGate/FortiAuthenticator has no Internet access. FortiToken-200 hardware tokens, by contrast, can be assigned to users without Internet access.

FortiToken seed files

FortiToken Mobile can only be registered to a single FortiGate or FortiAuthenticator unit at a time. However, physical FortiToken-200 tokens can be registered on multiple FortiGates and/or FortiAuthenticators. To register physical tokens on multiple FortiGate or FortiAuthenticator units, visit the Fortinet Support website. Token activation locks need to be reset on FortiGuard before being activated on a different unit.

FortiToken-200CD seed files are stored on the CD. These tokens are designed to be used in "walled-garden" scenarios, with no Internet access. Because of this, these tokens can be used on multiple devices.

HA clustering with FortiToken

In the case of setting up a High Availability (HA) cluster with multiple FortiGate/FortiAuthenticator units, you must register and apply any FortiToken Mobile licenses to the primary unit. This can be done either before configuring the unit for HA operation, or after. After HA is configured, all tokens are replicated across cluster members. Because of this, you only need one FortiToken Mobile license per HA cluster. This is applicable for both FortiGate and FortiAuthenticator units.

To learn more about HA clustering, see the FortiOS High Availability guide.

Native iOS VPN client with FortiToken authentication

Unlike other VPN clients, which typically prompt separately for a username, a password, and the OTP provided by FortiToken, the native iOS VPN client requires the OTP to be appended to the user's password as a single combined password. For example, if the user's password is "fortinet" and the OTP is "123456", the combined password submitted for authentication is "fortinet123456".
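As an added example (not Fortinet's code), the validator side of two points on this page: RFC 4226 HOTP / RFC 6238 TOTP computed from a locally held seed, which is what lets a FortiGate or FortiAuthenticator validate codes with no Internet access, and the split of the native iOS client's combined "password+OTP" string. The seed is the RFC 4226/6238 test-vector seed; the six-digit code length, the one-step clock-skew window and the `authenticate_ios_vpn` name are this example's own assumptions.

```python
import hashlib
import hmac
import struct

OTP_DIGITS = 6          # assumption: FortiToken codes shown on this page are six digits
TIME_STEP = 30          # RFC 6238 default time step in seconds
RFC_TEST_SEED = b"12345678901234567890"   # shared-secret test vector from RFC 4226 / RFC 6238


def hotp(seed: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = TIME_STEP) -> str:
    """RFC 6238: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(seed, unix_time // step)


def verify_totp(seed: bytes, code: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Check a submitted code against the locally stored seed (no network needed).
    Accepts +/- skew_steps time steps to tolerate token clock drift; constant-time compare."""
    counter = unix_time // TIME_STEP
    return any(hmac.compare_digest(hotp(seed, counter + d), code)
               for d in range(-skew_steps, skew_steps + 1))


def split_combined_password(combined: str, digits: int = OTP_DIGITS):
    """Native iOS VPN client form: the OTP is appended to the password.
    Returns (password, otp), or None when the string is too short or the tail is not all digits."""
    if len(combined) <= digits or not combined[-digits:].isdigit():
        return None
    return combined[:-digits], combined[-digits:]


def authenticate_ios_vpn(stored_password: str, seed: bytes, combined: str, unix_time: int) -> bool:
    """Validate a combined 'password+OTP' submission; both factors must pass."""
    parts = split_combined_password(combined)
    if parts is None:
        return False
    password, otp = parts
    # Evaluate both factors before deciding so a failure does not reveal which one was wrong.
    password_ok = hmac.compare_digest(password.encode(), stored_password.encode())
    otp_ok = verify_totp(seed, otp, unix_time)
    return password_ok and otp_ok
```

`totp(RFC_TEST_SEED, 59)` reproduces the RFC 6238 SHA-1 vector for T=59 truncated to six digits (287082), so the implementation can be checked against the published table before any real seed is involved.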
