Two-factor authentication with FortiToken Mobile

In this recipe, two-factor authentication is added to a user account to provide extra security to the authentication process.

Two-factor authentication requires a user to provide a further means of authentication in addition to their credentials. In this recipe, the FortiToken Mobile app for Android will be used to generate a token, also known as a one-time password (OTP), to use in the authentication process.

1. Activating your FortiTokens

Ensure that your FortiGate is connected to the Internet. Go to User & Device > FortiTokens. Your FortiGate may have two FortiToken Mobile entries listed by default. If so, you may use these tokens and go to step 2. 
To add new FortiTokens, select Create New. Set Type to Mobile Token and enter your Activation Code.
After FortiGuard validates the code, your FortiTokens will appear on the list, with Status set to Available.

2. Creating a user account with two-factor authentication

Go to User & Device > User > User Definition and create a new local user.
In order to use the FortiToken Mobile, you must enter a mobile number in the third step, Provide Contact Info. Select the appropriate Country/Region and enter the Phone Number without dashes or spaces. Do not add an email address.
In the fourth step of the User Creation Wizard, Provide Extra Info, enable Two-Factor Authentication and select an available token.
The user list shows the FortiToken in the Two-factor Authentication column for the new user account.
Go to User & Device > FortiTokens. The FortiToken assigned to the user is now listed as Pending, until the user activates the FortiToken.

3. Sending the activation code to the user

If your FortiGate can send SMS messages, go to User & Device > User > User Definition and edit the new user account. Select Send Activation Code and send the code by SMS.
If your FortiGate cannot send SMS messages, go to System > Dashboard > Status and enter the following into the CLI Console, substituting the correct serial number:

config user fortitoken
  edit <serial number>
    get

The get command displays the entry's attributes, and the activation code will be shown in the output. This code must be given to the user.

4. Adding user authentication to your Internet access policy

Go to Policy & Objects > Policy > IPv4 and edit the policy that allows connections from the internal network to the Internet. Set Source User(s) to the new user account.

5. Setting up FortiToken Mobile on an Android device

Using your Android device, download and install FortiToken Mobile.
Open the app and add a new account. Select Enter Manually. Enter the activation code into FortiToken Mobile.
FortiToken Mobile can now generate a token for use with the FortiGate.
(Optional) For additional security, set a PIN for FortiToken Mobile using the app's Settings options.

6. Results

Attempt to browse the Internet. An authentication page will appear, requesting a Username and Password.
After the correct username and password are entered, a FortiToken code will be requested. Enter the code currently shown in the FortiToken Mobile app. Once the token is authenticated, you can connect to the Internet.

For further reading, check out FortiToken in the FortiOS 5.2 Handbook.

When activating FortiTokens in step 1, an error stating that the serial number is invalid will appear if you mistyped the activation code or if it duplicates one you have already entered.
If the FortiToken has already been registered to another FortiGate, its Status will be Error.