Users and user groups

Two-factor authentication

The standard logon requires a username and password. This is one-factor authentication: your password is the one piece of information you need to know to gain access to the system.

Two-factor authentication adds the requirement for another piece of information for your logon. Generally the two factors are something you know (password) and something you have (certificate, token, etc.). This makes it harder for an attacker to steal your logon information. For example, if you have a FortiToken device, the attacker would need to both possess it and know your password to gain entry to your account.

Two-factor authentication is available on both user and admin accounts. But before you enable two-factor authentication on an administrator account, you need to ensure you have a second administrator account configured to guarantee administrator access to the FortiGate unit if you are unable to authenticate on the main admin account for some reason.

The methods of two-factor authentication include:

  • Certificate
  • Email
  • SMS
  • FortiToken

Certificate

You can increase security by requiring both certificate and password authentication for PKI users. Certificates are installed on the user’s computer. Requiring a password also protects against unauthorized use of that computer.

Optionally, peer users can enter the code from their FortiToken instead of presenting the certificate.

To create a peer user with two-factor authentication – CLI example

config user peer
    edit peer1
        set subject E=peer1@mail.example.com
        set ca CA_Cert_1
        set two-factor enable
        set passwd fdktguefheygfe
end

For more information on certificates, see Certificates overview on page 108.

Email

Two-factor email authentication sends a randomly generated six-digit numeric code to the specified email address. Enter that code when prompted at logon. This token code is valid for 60 seconds. If you enter the code after that time, it will not be accepted.

A benefit is that you do not require mobile service to authenticate. However, a potential issue arises if your email server does not deliver the email before the token's 60-second lifetime expires.

The code will be generated and emailed at the time of logon, so you must have email access at that time to be able to receive the code.

To configure an email provider – web-based manager:

  1. Go to System > Advanced and enable Use Custom Email Server under Email Service.
  2. Enter the SMTP Server and Default Reply To address.
  3. If applicable, enable Authentication and enter the SMTP User and Password to use.
  4. Select a Security Mode, options are: None, SMTPS or STARTTLS.
  5. Enter the Port number, the default is 25.
  6. Select Apply.

To configure an email provider – CLI:

config system email-server
    set server <server_domain-name>
    set reply-to <Recipient_email_address>
end

To enable email two-factor authentication – web-based manager:

  1. To modify an administrator account, go to System > Administrators. To modify a user account go to User & Device > User Definition.
  2. Edit the user account.
  3. Enable and enter the user’s Email Address.
  4. Select Enable Two-factor Authentication.
  5. Select Email based two-factor authentication.
  6. Select OK.

If the Email based two-factor authentication option does not appear after selecting Enable Two-factor Authentication, you need to enable it via the CLI as follows.

To enable email two-factor authentication – CLI:

config user local
    edit <user_name>
        set email-to <user_email>
        set two-factor email
end

SMS

SMS two-factor authentication sends the token code in an SMS text message to the configured mobile device when the user attempts to log on. This token code is valid for 60 seconds. If you enter the code after that time, it will not be accepted. Enter the code when prompted at logon to be authenticated.

SMS two-factor authentication has the benefit that you do not require email service before logging on. A potential issue arises if the mobile service provider does not deliver the SMS text message before the token's 60-second lifetime expires.
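The email and SMS sections above describe the same token lifecycle: a six-digit code is generated at logon time, delivered out of band, and rejected once its 60-second lifetime has passed. The following model is an added example written for this page, not FortiOS code; the class, its method names and the injectable clock are assumptions made so the expiry and single-use behaviour can be exercised without waiting in real time.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_LIFETIME_SECONDS = 60  # lifetime the page states for email and SMS codes


@dataclass
class IssuedToken:
    code: str
    issued_at: float
    used: bool = False


class OneTimeCodeService:
    """Hypothetical model of a six-digit, 60-second one-time code issuer.

    The `clock` parameter lets a test advance time instead of sleeping.
    """

    def __init__(self, lifetime=TOKEN_LIFETIME_SECONDS, clock=time.time):
        self.lifetime = lifetime
        self.clock = clock
        self._pending = {}  # username -> IssuedToken

    def issue(self, username):
        # secrets.randbelow uses the OS CSPRNG; zero-pad so "004217" stays six digits
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._pending[username] = IssuedToken(code=code, issued_at=self.clock())
        return code  # handed to the email/SMS delivery path; never write it to logs

    def verify(self, username, submitted):
        token = self._pending.get(username)
        if token is None or token.used:
            return False
        if self.clock() - token.issued_at > self.lifetime:
            # Slow mail server or carrier delivery lands here: the code is dead
            del self._pending[username]
            return False
        # constant-time comparison so a wrong guess does not leak matching digits
        if not hmac.compare_digest(token.code, submitted):
            return False
        token.used = True  # a code that has authenticated once cannot be replayed
        return True
```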

The FortiGuard Messaging Service includes four SMS messages at no cost. If you need more, you should acquire a license through support.fortinet.com or via customer service.

If you do not use the FortiGuard Messaging Service, you need to configure an SMS service.

To configure an SMS service – CLI:

config system sms-server
    edit <provider_name>
        set mail-server <server_domain-name>
    next
end

To configure SMS two-factor authentication – web-based manager:

  1. To modify an administrator account, go to System > Administrators; to modify a user account, go to User & Device > User Definition.
  2. Edit the user account.
  3. Select SMS and enter the Country Dial Code and Phone Number.
  4. Select Enable Two-factor Authentication and select the correct Token.
  5. Select OK.

If you have problems receiving the token codes via SMS messaging, contact your mobile provider to ensure you are using the correct phone number format to receive text messages and that your current mobile plan allows text messages.


This entry was posted in FortiGate, FortiOS 5.6.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

One thought on “Users and user groups”

  1. Anabella Cristaldi

    Hi Mike, one question: if I have LDAP users and a remote RADIUS group, which will be checked first given a username and password? I’m not able to see if the order is defined somewhere.
    Thank you
