Fortinet Document Library

Registering and provisioning FortiToken Mobile tokens

To deploy FortiToken Mobile for your end users, you must first register the tokens on your FortiGate or FortiAuthenticator. After registering the tokens, you can assign them to your end users.

Platforms that support FortiToken Mobile:

Platform        Device and firmware support
Android         Smartphones and tablets; firmware version Jellybean 4.1+
iOS             iPhone, iPad, and iPod Touch; firmware version iOS 6.0+
Windows Phone   Windows 10 (desktop and mobile), Windows Phone 8.1, and Windows Phone 8

Note that FortiToken is a Windows Universal Platform (UWP) application. To download FortiToken for Windows 10 desktop and mobile platforms, see FortiToken Windows on the Microsoft Store.

You will need a certificate to register FortiToken Mobile. There are two options for getting FortiToken Mobile certificates for use on your authentication server: FortiToken Mobile Redemption Certificate, and FortiToken Mobile Free Trial “virtual” certificate.

For each FortiToken Mobile purchase, you will receive a physical redemption certificate. Scratch off the designated area of the redemption certificate to reveal the 20-digit activation code.

Each FortiGate or FortiAuthenticator device also comes with a trial license for two free trial tokens. The device must be registered with FortiCare to retrieve the tokens. The certificate code to use for the free trial FortiToken Mobile tokens is 0000-0000-0000-0000-0000.

The registration process is the same for the Redemption Certificate and the Free Trial Tokens:

  1. The authentication server administrator enters the certificate activation code from the Redemption certificate.
  2. The authentication server sends the activation code to the FortiToken Mobile provisioning server, which validates the request, registers the FortiToken Mobile license, and sends the FortiToken Mobile serial numbers back to the authentication server.

The provisioning process includes the following steps:

  1. A FortiToken Mobile token must be assigned to the user by an authentication server administrator.
  2. The authentication server notifies the provisioning server that the token has been assigned for subsequent activation and receives back an activation code to forward to the end user.
  3. The end user will receive an activation notification via email or SMS, depending on how the authentication server is configured.

After registering the FortiToken Mobile on the mobile device, the end user can activate the token anytime within a configurable provisioning time period and begin generating their six-digit authentication codes.

PUSH Notifications

FortiToken Mobile 4.0 adds support for PUSH notifications and for Touch ID as an optional alternative to a PIN, adding an extra layer of security.

PUSH notifications are used to send alerts to the end-user’s device each time a login request is made. The alert contains information about the login attempt, for example the location from which the attempt originated. The user simply taps to approve or deny the request. If approved, a new OTP is automatically generated and sent by FortiToken Mobile to transparently authenticate the end-user in the background. If denied, FortiToken Mobile automatically sends an alert to the System Administrator.

The manual OTP authentication method is still available in case the end-user cannot or does not wish to use PUSH.

Note: When upgrading, users will see a request to allow notifications. This is required for PUSH notifications to work.

Registering FortiToken Mobile

The following steps show how to register FortiToken Mobile on a FortiGate and FortiAuthenticator.

On the FortiGate

  1. Locate the 20-digit code on the redemption certificate.
  2. Go to User & Device > FortiTokens and select Create New.
  3. Select Mobile Token, and enter the 20-digit certificate code in the Activation Code box.
  4. Select OK.

On the FortiAuthenticator

  1. Locate the 20-digit code on the redemption certificate.
  2. Go to Authentication > User Management > FortiTokens and select Create New.
  3. Select FortiToken Mobile, and enter the 20-digit certificate code in the Activation codes box.
  4. Select OK.

Provisioning FortiToken Mobile

To deliver activation codes, you must configure the messaging server, configure each user to receive messages from that server by email or SMS, and then assign the user a FortiToken Mobile token.

The following steps show how to provision FortiToken Mobile for a user on a FortiGate and FortiAuthenticator.

On the FortiGate

  1. Go to System > Advanced.
  2. Configure the server under Email Service as required (note that port 25 is the default port).
  3. Go to User & Device > User Definition.
  4. Edit the user to whom you wish to assign the FortiToken Mobile token.
  5. Select Enable Two-factor Authentication and select the FortiToken Mobile token from the dropdown menu.
  6. Under Contact Info, enable Email Address or SMS, enter the user's contact information, and select Send Activation Code Email or Send Activation Code SMS.

The user will receive the activation code by the method specified.

  1. Open the FortiToken Mobile application and go to Add account > Enter Manually > Fortinet.
  2. Enter your email address, enter the activation code you received, and tap Add account.

Your token will activate and start generating codes.

Alternatively, if you chose to have your activation code sent by email, scan the QR code attached to that email: activate the token with the Scan Barcode option instead of Enter Manually.

Activation CLI

The activation code will expire after a configurable time period. To configure the time period for FortiToken Mobile (in hours), use the following CLI command:

config system global
    set two-factor-ftm-expiry <1-168>
end

Note: The CLI command above should be used instead of set activation-expire under config user fortitoken.
Note: The CLI command set activation-code, under config user fortitoken, cannot be used or set by the administrator.
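The FortiGate GUI steps above (assign the token, record the user's contact address, send the activation code, set the expiry) can also be carried out from the FortiOS CLI. The following is an added example, not text from this page: only config system global / set two-factor-ftm-expiry appears in the documentation above; config user local, set two-factor fortitoken, set fortitoken, set email-to, execute fortitoken-mobile send-activation and diagnose fortitoken info are written from general FortiOS CLI knowledge and should be checked against your firmware's CLI reference. The user name, email address, password and token serial are placeholders.

```text
# Added example: CLI equivalent of the FortiGate GUI provisioning steps.
# Keywords other than two-factor-ftm-expiry are from general FortiOS
# knowledge, not from this page; verify them against your CLI reference.

# 1. Limit how long an emailed or texted activation code stays valid
#    (hours, 1-168). A short window shrinks the time during which a
#    misdirected activation message could enroll the token elsewhere.
config system global
    set two-factor-ftm-expiry 24
end

# 2. Assign the registered FortiToken Mobile token to the user and
#    record where the activation code should be delivered.
config user local
    edit "jsmith"                          # placeholder user name
        set type password
        set passwd "<initial-password>"    # placeholder
        set two-factor fortitoken
        set fortitoken "FTKMOB<placeholder-serial>"
        set email-to "jsmith@example.com"  # placeholder address
    next
end

# 3. Send the activation code (equivalent of "Send Activation Code Email").
execute fortitoken-mobile send-activation FTKMOB<placeholder-serial>

# 4. Confirm the token's status before and after the user activates it;
#    a token that stays unactivated past the expiry must be re-provisioned.
diagnose fortitoken info
```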

On the FortiAuthenticator

  1. Go to System > Messaging > SMTP Servers and select Create New.
  2. Configure the server as required:
     Name: Enter a name to identify this mail server on the FortiAuthenticator unit.
     Server name/IP: Enter the IP address or Fully Qualified Domain Name (FQDN) of the mail server.
     Port: The default port is 25. Change it if your SMTP server uses a different port.
     Sender email address: Enter the email address that will appear when sending an email from the FortiAuthenticator unit.
     Secure connection: For a secure connection to the mail server, select STARTTLS from the drop-down list. Note that the necessary CA certificate must be imported for STARTTLS to work.
     Enable authentication: Select if the email server requires you to authenticate when sending an email. Enter the Account username and Password if required.
  3. Go to System > Administration > FortiGuard.
  4. Under FortiToken Mobile Provisioning, ensure that the Activation timeout period is set. This is the time period in hours (1 to 168) in which the end user must activate the token before having to re-provision the token.
  5. Go to Authentication > User Management > Local Users and select Create New.
  6. In the Password creation dropdown menu, select No password, FortiToken authentication only, and select OK.
     Note: Only after you select OK can you specify a token and enter contact information for the user.
  7. Once created, the user account will be disabled. You must associate a FortiToken and re-enable it.
     Deselect the Disabled radio button, and select Token-based authentication. Choose to deliver the token by FortiToken and select an available FortiToken Mobile token from the dropdown menu.
  8. Under User Information, enter the user's Email address. You may also enter their Mobile number.
  9. Select OK.
