Two-factor authentication with FortiToken Mobile


In this recipe, two-factor authentication is added to a user account to provide extra security to the authentication process.

Two-factor authentication requires a user to provide a further means of authentication in addition to their credentials. In this recipe, the FortiToken Mobile app for Android will be used to generate a token, also known as a one-time password (OTP), to use in the authentication process.

1. Activating your FortiTokens

Ensure that your FortiGate is connected to the Internet. Go to User & Device > FortiTokens. Your FortiGate may have two FortiToken Mobile entries listed by default. If so, you may use these tokens and go to step 2. 
To add new FortiTokens, select Create New. Set Type to Mobile Token and enter your Activation Code.
After FortiGuard validates the code, your FortiTokens will appear on the list, with Status set to Available.

2. Creating a user account with two-factor authentication

Go to User & Device > User > User Definition and create a new local user.
 
In order to use the FortiToken Mobile, you must enter a mobile number in the third step, Provide Contact Info. Select the appropriate Country/Region and enter the Phone Number without dashes or spaces. Do not add an email address.
In the fourth step of the User Creation Wizard, Provide Extra Info, enable Two-Factor Authentication and select an available token.
The user list shows the FortiToken in the Two-factor Authentication column for the new user account.
Go to User & Device > FortiTokens. The FortiToken assigned to the user is now listed as Pending, until the user activates the FortiToken.

3. Sending the activation code to the user

If your FortiGate can send SMS messages, go to User & Device > User > User Definition and edit the new user account. Select Send Activation Code and send the code by SMS.
If your FortiGate cannot send SMS messages, go to System > Dashboard > Status and enter the following into the CLI Console, substituting the correct serial number:

  config user fortitoken
    edit <serial number>
    show
The activation code will be shown in the output. This code must be given to the user.

4. Adding user authentication to your Internet access policy

Go to Policy & Objects > Policy > IPv4 and edit the policy that allows connections from the internal network to the Internet. Set Source User(s) to the new user account.

5. Setting up FortiToken Mobile on an Android device

Using your Android device, download and install FortiToken Mobile.
Open the app and add a new account. Select Enter Manually. Enter the activation code into FortiToken Mobile.
FortiToken Mobile can now generate a token for use with the FortiGate.
(Optional) For additional security, set a PIN for FortiToken Mobile using the app's Settings options.

6. Results

Attempt to browse the Internet. An authentication page will appear, requesting a Username and Password.
After the correct username and password are entered, a FortiToken code will be requested. Enter the code currently shown in the FortiToken Mobile app. Once the token is authenticated, you can connect to the Internet.

For further reading, check out FortiToken in the FortiOS 5.2 Handbook.

Victoria Martin

Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.
An error stating that the serial number is invalid will appear if you mistyped the code or if it duplicates one you have already entered.
If the FortiToken has already been registered to another FortiGate, the Status will be Error.
  • Hi,
    Is there any documentation that explains how to poll users from an AD server and auto-assign the FTM?
    So we do not import the users to FAC.

  • Abdulaziz Alatar

    Hello,
    Is the activation code in MobileToken the FortiGate serial number?

    • Adam Bristow

      Hello Abdulaziz,

      The activation code for FortiToken Mobile tokens is not the FortiGate’s serial number.

      This recipe uses a free trial FortiToken Mobile token that came with the FortiGate. These free tokens are activated using the string of 0’s shown above. All other purchased token licenses come with their own unique activation codes.

      To learn more about this and FortiToken, see the FortiToken Comprehensive Guide:
      http://docs.fortinet.com/d/fortitoken-comprehensive-guide

      Best regards,

      Adam

      • Abdulaziz Alatar

        Thank you very much

  • bdickie

    Note: if your FortiToken Mobile users get a new phone, you can move their FortiToken Mobile account to the new phone by disabling two-factor authentication for the user, re-enabling it, and sending the user a new activation code, which they can use to activate FortiToken Mobile on their new phone.