
Considerations

The following information clarifies a few factors regarding different FortiToken deployments.

FortiToken encryption

FortiToken uses the OATH algorithms for both HOTP and TOTP (see RFCs 4226 and 6238).

In addition, AES 256 CBC is used to encrypt the seeds for storage (see below for more information on FortiToken seed files). The encryption key for the seed is a device-unique ID that is generated each time the seed needs to be accessed, so that if the seed is copied to another device it will not decrypt correctly and will yield invalid OTPs.

The seeds are passed to the mobile device using TLS (HTTPS) and encrypted within the TLS tunnel using the key derived from the device ID. In this way, the seed is effectively double-encrypted.

FortiToken authentication with no internet

The following consideration is applicable to FortiOS 5.0 and later.

FortiTokens (excluding FortiToken-200CD) store their encryption seed files in the FortiGate or FortiAuthenticator they are assigned to, and the tokens themselves continue to generate token codes. Therefore, FortiGate and FortiAuthenticator units can validate token codes and provide two-factor authentication even if they have lost access to the internet.

Note that FortiToken Mobile needs access to FortiGuard for all management changes (such as token assignment to users). Once assigned, these tokens will work even if the FortiGate or FortiAuthenticator has no internet access. By contrast, FortiToken-200 user assignment is possible without internet access.

FortiToken seed files

A FortiToken Mobile token can only be registered to a single FortiGate or FortiAuthenticator unit at a time. However, physical FortiToken-200 tokens can be registered on multiple FortiGates or FortiAuthenticators. To register physical tokens on multiple FortiGate or FortiAuthenticator units, visit the Fortinet Support website. Token activation locks need to be reset on FortiGuard before being activated on a different unit.

FortiToken-200CD seed files are stored on the CD. These tokens are designed to be used in "walled-garden" scenarios, with no internet access. Because of this, these tokens can be used on multiple devices.

High availability clustering with FortiToken

When setting up a high availability (HA) cluster with multiple FortiGate or FortiAuthenticator units, you must register and apply any FortiToken Mobile licenses to the primary unit. This can be done either before or after configuring the unit for HA operation. After HA is configured, all tokens are replicated across cluster members. Because of this, you only need one FortiToken Mobile license per HA cluster.

To learn more about HA clustering, see the FortiOS High Availability guide.

Native iOS VPN client with FortiToken authentication

Unlike other VPN instances that typically require a username, password, and the OTP provided by FortiToken, the native iOS VPN client requires the OTP to be combined with the user's password. For example, if the user's password was fortinet, and the OTP was 123456, the combined password for authentication would be fortinet123456.
