FortiToken devices and mobile apps

A FortiToken device is a disconnected one-time password (OTP) generator. It is a small physical device with a button that when pressed displays a six digit token passcode. FortiToken Mobile is an application for mobile devices that performs the same one-time password function as a FortiToken device.

Each FortiAuthenticator unit or virtual machine (VM) is supplied with two trial FortiToken Mobile tokens. To obtain the free FortiToken Mobile tokens (if they have not been created dynamically on install), select Get FortiToken Mobile trial tokens when adding a token.
This may be required if, for example, you are upgrading an unlicensed FortiAuthenticator unit to a licensed one, as the old tokens associated with the unlicensed serial number will not be compatible with the new, licensed serial number. The tokens will still work, but they are not able to be reassigned to a new user. In this case, you must delete the old tokens, and then generate new ones.

If using a token passcode that is time-based, it is imperative that the FortiAuthenticator unit clock is accurate. If possible, configure the system time to be synchronized with an NTP server.

To perform token-based authentication, the user must enter the token passcode. If the user’s username and password are also required, this is called two-factor authentication. The displayed code changes every 60 seconds on a FortiToken device, and can be changed every 30 seconds on FortiToken Mobile.

The FortiToken device has a small hole in one end. This is intended for a lanyard to be inserted so the device can be worn around the neck, or easily stored with other electronic devices. When not in use, the LCD screen is shut down to extend the battery life.

Do not put the FortiToken device on a key ring as the metal ring and other metal objects can damage it. The FortiToken is an electronic device like a cell phone and should be treated with similar care.

See FortiTokens for more information.

FortiAuthenticator and FortiTokens

With FortiOS, FortiToken identifiers must be entered into the FortiGate unit, which then contacts the FortiGuard servers to verify the information before activating them.

FortiAuthenticator acts as a repository for all FortiToken devices used on your network. It is a single point of registration and synchronization for easier installation and maintenance.

To register FortiTokens, you must have a valid FortiGuard connection. Otherwise, any FortiTokens you enter will remain in Inactive status. After the FortiTokens are registered, the connection to FortiGuard is no longer essential.
If a token authentication fails, check that the system time on the FortiAuthenticator unit is correct and then re-synchronize the FortiToken.
To add FortiTokens manually:
  1. Go to Authentication > User Management > FortiTokens and select Create New. The Create New FortiToken window opens.
  2. Select the Token Type, either FortiToken 200 or FortiToken Mobile.
  3. If FortiToken 200 is selected as the Token Type, enter one or more token serial numbers in the Serial numbers field.
  4. You can also import multiple tokens by selecting Import Multiple, or by selecting Add all FortiTokens from the same Purchase Order then entering a single token's serial number; all tokens associated with that purchase order will then be imported.
  5. If FortiToken Mobile is selected as the Token Type, enter the activation codes in the Activation codes field, or select Get FortiToken Mobile free trial tokens to use temporary tokens.
  6. Select OK to add the FortiToken or FortiTokens.
To import FortiTokens from a CSV file:
  1. From the FortiToken list, select Import. The Import FortiTokens window opens.
  2. Do one of the following:
  3. Select Browse..., find the configuration file, and select Open.
  4. Select OK to import the FortiTokens.
To import FortiTokens from a FortiGate unit:
  1. Export the FortiGate unit configuration to a file.
  2. From the FortiToken list, select Import.
  3. Select FortiGate Configuration file.
  4. In the Data to import field, select Import FortiToken 200 only, Import FortiToken 200 and only their associated users, or Import all FortiToken 200 and users.
  5. Select Browse..., find the configuration file, then select Open.
  6. If the file is encrypted, enter the password in the Password field.
  7. Select OK to import the FortiTokens.
To export FortiTokens:
  1. From the FortiToken list, select Export FTK-200.
  2. Save the file to your computer.

Monitoring FortiTokens

To monitor the total number of FortiToken devices registered on the FortiAuthenticator unit, as well as the number of disabled FortiTokens, go to System > Dashboard > Status and view the User Inventory widget (see User Inventory widget).

You can also view the list of FortiTokens, their status, whether their clocks are drifting, and which user each is assigned to from the FortiToken list at Authentication > User Management > FortiTokens (see FortiTokens).

FortiToken device maintenance

Go to Authentication > User Management > FortiTokens, then select the FortiToken on which you need to perform maintenance and select Edit. The following actions can be performed:

FortiToken drift adjustment

When the FortiAuthenticator unit and FortiTokens have been initialized prior to setting an NTP server, the time difference can be too large to correct with the synchronize function, forcing all tokens to resynchronize. To avoid this, the drift of selected tokens can be adjusted manually.

The following procedure is intended to be used only in special cases where some FortiTokens are severely out-of-sync, for example, when a token is switched from manual configuration to NTP control. Under normal circumstances, this is not required.
Only activated FortiTokens can be adjusted.
To perform time drift adjustment on a FortiToken:
  1. In a browser, go to https://<FortiAuthenticator IP Address>/admin/fac_auth/fortitokendrift/.
  2. Select the FortiToken to adjust, then select Adjust Drift. The Adjust Token Drift window opens.
  3. Enter the required Time adjustment in minutes.
  4. Include a minus sign for a negative value, but don’t use a plus sign for a positive value.
  5. Select OK to adjust the token drift.
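The following added example (not part of the FortiAuthenticator documentation or Fortinet's code) illustrates two points made on this page: why a time-based passcode depends on an accurate clock (the 60-second FortiToken device period versus the 30-second FortiToken Mobile period described under "FortiToken devices and mobile apps"), and what a drift adjustment does from the server's point of view. It assumes the standard RFC 6238 TOTP construction over HMAC-SHA1; the page does not state FortiToken's internal algorithm, so treat that, the constructed seed, the acceptance window of one step, and the sign convention (positive drift = token clock ahead of server) as assumptions of this example rather than product behaviour.

```python
import hashlib
import hmac
import struct

# Constructed sample seed (the RFC 4226/6238 test key "12345678901234567890").
# Real token seeds are provisioned with the token and are never exposed like this.
SAMPLE_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(seed, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, period: int = 60, digits: int = 6) -> str:
    """RFC 6238 TOTP: the HOTP counter is the number of whole periods since the epoch.
    period=60 models a hardware token, period=30 models a mobile token (assumption)."""
    return hotp(seed, unix_time // period, digits)


def verify_totp(seed: bytes, code: str, server_time: int, period: int = 60,
                digits: int = 6, window: int = 1):
    """Accept a code from the current step or up to `window` steps either side.

    Returns (accepted, drift_steps). drift_steps is the offset of the matching step
    relative to the server clock: this is the quantity a server can record as the
    token's drift and compensate for on later logins. A token whose clock is off by
    more than `window` steps is rejected, which is the situation the manual drift
    adjustment procedure on this page exists to repair.
    """
    base = server_time // period
    for offset in range(-window, window + 1):
        candidate = hotp(seed, base + offset, digits)
        if hmac.compare_digest(candidate, code):
            return True, offset
    return False, None


def drift_minutes(drift_steps: int, period: int) -> float:
    """Convert a drift measured in steps to the 'Time adjustment in minutes' value
    used by the drift adjustment form (sign convention is an assumption here)."""
    return drift_steps * period / 60


def verify_with_adjustment(seed: bytes, code: str, server_time: int,
                           adjustment_minutes: float, period: int = 60,
                           window: int = 1):
    """Verify after applying a stored drift adjustment: the server evaluates the
    code against the token's (shifted) clock rather than its own."""
    adjusted_time = int(server_time + adjustment_minutes * 60)
    return verify_totp(seed, code, adjusted_time, period=period, window=window)


if __name__ == "__main__":
    server_now = 1_000_000          # constructed server timestamp
    token_clock = server_now + 180  # token is 3 minutes fast (constructed)

    code = totp(SAMPLE_SEED, token_clock, period=60)
    print("hardware-style code (60 s):", code)
    print("rejected without adjustment:", verify_totp(SAMPLE_SEED, code, server_now, period=60))
    print("accepted with +3 min adjustment:",
          verify_with_adjustment(SAMPLE_SEED, code, server_now, 3, period=60))
    print("mobile-style code (30 s) at T=59:", totp(SAMPLE_SEED, 59, period=30))
```

A token one period out of step still authenticates here, and the returned offset (one step, i.e. one minute for a 60-second token) is exactly the kind of value an automatic resynchronize can absorb; a token three minutes fast falls outside the window and only authenticates once the stored adjustment shifts the server's view of its clock, which is what the procedure above accomplishes.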