Two-factor authentication

The standard logon requires a username and password. This is one-factor authentication: the password is the single piece of information you need to know to gain access to the system.

Two-factor authentication adds the requirement for a second piece of information at logon. Generally the two factors are something you know (a password) and something you have (a certificate, a token, etc.). This makes stolen logon credentials much less useful to an attacker: for example, if your account is linked to a FortiToken device, an attacker would need both physical possession of that token and knowledge of your password to gain entry to your account.

Two-factor authentication is available on both user and administrator accounts. Before you enable two-factor authentication on an administrator account, make sure a second administrator account is configured, so that administrator access to the FortiGate unit is guaranteed if you are unable to authenticate on the main admin account for some reason (for example, a lost token or an undelivered code).

Two-factor authentication does not work with explicit proxies. The methods of two-factor authentication include:

  • Certificate
  • Email
  • SMS
  • FortiToken

 

Certificate

You can increase security by requiring both certificate and password authentication for PKI users. Certificates are installed on the user’s computer. Requiring a password also protects against unauthorized use of that computer.

Optionally peer users can enter the code from their FortiToken instead of the certificate.

 

To create a peer user with two-factor authentication – CLI example

config user peer
    edit peer1
        set subject E=peer1@mail.example.com
        set ca CA_Cert_1
        set two-factor enable
        set passwd fdktguefheygfe
    next
end

For more information on certificates, see Certificates overview on page 523.

 

Email

Two-factor email authentication sends a randomly generated six-digit numeric code to the specified email address. Enter that code when prompted at logon. The code is valid for 60 seconds; if you enter it after that time, it will not be accepted.

A benefit is that you do not require mobile service to authenticate. A potential issue is that your email server may not deliver the message before the 60-second life of the code expires.

The code is generated and emailed at the time of logon, so you must have access to your email at that moment to receive it.

 

To configure an email provider – web-based manager:

1. Go to System > Config > Advanced > Email Service.

2. Enter SMTP Server and Default Reply To address.

3. If applicable, enable Authentication and enter the SMTP User and Password to use.

4. Select a Security Mode, options are: None, SMTPS or STARTTLS.

5. Enter the Port number, the default is 25.

6. Select Apply.

 

 

To configure an email provider – CLI:

config system email-server
    set server <server_domain-name>
    set reply-to <Recipient_email_address>
end

 

To enable email two-factor authentication – web-based manager:

1. To modify an administrator account, go to System > Admin > Administrators. To modify a user account, go to User & Device > User > User Definition.

2. Edit the user account.

3. Enable and enter the user’s Email Address.

4. Select Enable Two-factor Authentication.

5. Select Email based two-factor authentication.

6. Select OK.

 

If Email based two-factor authentication option doesn’t appear after selecting Enable Two-factor Authentication, you need to enable it via the CLI as follows.

To enable email two-factor authentication – CLI:

config user local
    edit <user_name>
        set email-to <user_email>
        set two-factor email
    next
end

 

SMS

SMS two-factor authentication sends the token code in an SMS text message to the mobile number configured for the user when that user attempts to log on. Enter this code when prompted at logon to be authenticated. The code is valid for 60 seconds; if you enter it after that time, it will not be accepted.

SMS two-factor authentication has the benefit that you do not require email service to log on. A potential issue is that the mobile service provider may not deliver the SMS text message before the 60-second life of the code expires.

The FortiGuard Messaging Service includes 4 SMS messages at no cost. If you need more, you should acquire a license through support.fortinet.com or via customer service.

If you do not use the FortiGuard Messaging Service, you need to configure an SMS service.
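The email and SMS methods share one server-side flow: generate a random six-digit code at logon, deliver it out of band, accept it only within the 60-second window, and never accept it afterwards. The following is an added example of that flow and is not FortiOS code; the FortiGate's internal implementation is not published here. The attempt limit, the single-use rule and the injectable clock are assumptions made to show the checks such an implementation needs (a late-delivered email or SMS lands in the expiry branch).

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 60   # validity period stated above for email and SMS codes
CODE_DIGITS = 6         # six-digit numeric code
MAX_ATTEMPTS = 3        # assumption: FortiOS's own limit is not stated on this page


class OneTimeCodeStore:
    """Issues and verifies delivered one-time codes for pending logons.

    One pending code per user; a new issue replaces the old one, a code is
    consumed on first successful use, and expired or exhausted codes are
    discarded rather than accepted late."""

    def __init__(self, clock=time.time):
        self._clock = clock            # injectable so the expiry path can be tested
        self._pending = {}             # username -> [code, issued_at, attempts_left]

    def issue(self, username):
        # secrets is a CSPRNG; zero-pad so a code such as "000123" keeps six digits
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[username] = [code, self._clock(), MAX_ATTEMPTS]
        return code                    # hand this to the email or SMS sender

    def verify(self, username, submitted):
        entry = self._pending.get(username)
        if entry is None:
            return False               # nothing issued, or already consumed
        code, issued_at, attempts_left = entry
        if self._clock() - issued_at > CODE_TTL_SECONDS:
            del self._pending[username]   # past the 60-second window: rejected
            return False
        if attempts_left <= 0:
            del self._pending[username]   # too many guesses at one code
            return False
        entry[2] = attempts_left - 1
        # reject malformed input before comparing; compare_digest needs ASCII
        if not (submitted.isascii() and submitted.isdigit()):
            return False
        # constant-time comparison: no timing leak on how many digits matched
        if hmac.compare_digest(code, submitted):
            del self._pending[username]   # single use
            return True
        return False


if __name__ == "__main__":
    # constructed walk-through with a fake clock instead of wall time
    clock = [1_000_000.0]
    store = OneTimeCodeStore(clock=lambda: clock[0])
    code = store.issue("alice")
    print("delivered code:", code)
    print("correct code within window:", store.verify("alice", code))
    late = store.issue("alice")
    clock[0] += CODE_TTL_SECONDS + 1   # message arrived after the window closed
    print("same code after 61 s:", store.verify("alice", late))
```

The attempt limit matters because a six-digit code gives an attacker a 1-in-a-million guess per try; without a cap, a script that submits codes for the full 60 seconds is the obvious way to abuse the delivery delay that the paragraph above describes.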

 

To configure an SMS service for your FortiGate unit – web-based manager:

1. Go to System > Config > Advanced.

2. In SMS Service, select Create New.

3. Enter a Name for the SMS service and the service Address (domain name), then select OK.

4. Select Apply.

 

To configure an SMS service – CLI:

config system sms-server
    edit <provider_name>
        set mail-server <server_domain-name>
    next
end

 

To configure SMS two-factor authentication – web-based manager:

1. To modify an administrator account, go to System > Admin > Administrators. To modify a user account, go to User & Device > User > User Definition.

2. Edit the user account.

3. Select SMS and then either:

  • select FortiGuard Messaging Service, or
  • select Custom and then choose the SMS Provider to use.

4. Select the Country/Region.

5. Enter the phone number of the mobile device that will receive the SMS text messages.

6. Select Enable Two-factor Authentication.

7. Select SMS based two-factor authentication.

8. Select OK.

 

If SMS based two-factor authentication option doesn’t appear after selecting Enable Two-factor Authentication, you need to enable it via the CLI as follows.

To enable SMS two-factor authentication – CLI:

config user local
    edit <user_name>
        set sms-phone <user_phone>
        set sms-server fortiguard
        set two-factor sms
    next
end

If you have problems receiving the token codes via SMS messaging, contact your mobile provider to ensure you are using the correct phone number format to receive text messages and that your current mobile plan allows text messages.

 

FortiToken

FortiToken is a disconnected one-time password (OTP) generator. It is a small physical device with a button that when pressed displays a six digit authentication code. This code is entered with a user’s username and password as two-factor authentication. The code displayed changes every 60 seconds, and when not in use the LCD screen is blanked to extend the battery life.

There is also a mobile phone application, FortiToken Mobile, that performs much the same function. FortiTokens have a small hole in one end. This is intended for a lanyard to be inserted so the device can be worn around the neck, or easily stored with other electronic devices. Do not put the FortiToken on a key ring as the metal ring and other metal objects can damage it. The FortiToken is an electronic device like a cell phone and must be treated with similar care.

Any time information about a FortiToken is transmitted, it is encrypted. When the FortiGate unit receives the code that matches the serial number of a particular FortiToken, that code is delivered and stored encrypted. This is in keeping with Fortinet's commitment to keeping your network highly secured.

FortiTokens can be added to user accounts that are local, IPsec VPN, SSL VPN, and even Administrators. See Associating FortiTokens with accounts on page 485.

On a given FortiGate unit, a FortiToken can be associated with only one account. (The same FortiToken can, however, be added to more than one FortiGate unit; see Adding FortiTokens to the FortiGate below.)

If a user loses their FortiToken, it can be locked out using the FortiGate so it will not be used to falsely access the network. Later if found, that FortiToken can be unlocked on the FortiGate to allow access once again. See FortiToken maintenance on page 486.

There are three tasks to complete before FortiTokens can be used to authenticate accounts:

1. Adding FortiTokens to the FortiGate

2. Activating a FortiToken on the FortiGate

3. Associating FortiTokens with accounts

 

The FortiToken authentication process

The steps during FortiToken two-factor authentication are as follows.

1. User attempts to access a network resource.

2. FortiGate unit matches the traffic to an authentication security policy, and FortiGate unit prompts the user for username and password.

3. User enters their username and password.

4. FortiGate unit verifies their information, and if valid prompts the user for the FortiToken code.

5. User gets the current code from their FortiToken device.

6. User enters current code at the prompt.

7. FortiGate unit verifies the FortiToken code, and if valid allows access to the network resources such as the Internet.

The following steps are needed only if the time on the FortiToken has drifted and needs to be re-synchronized with the time on the FortiGate unit.

8. If time on FortiToken has drifted, FortiGate unit will prompt user to enter a second code to confirm.

9. User gets the next code from their FortiToken device

10. User enters the second code at the prompt.

11. FortiGate unit uses both codes to update its record of the FortiToken's clock so that it matches the token, and then proceeds as in step 7.

The FortiToken authentication process is illustrated below:

When configured, the FortiGate unit accepts the username and password, authenticates them either locally or remotely, and then prompts the user for the FortiToken code. The FortiGate then authenticates the FortiToken code. When FortiToken authentication is enabled, the prompt field for entering the FortiToken code is automatically added to the authentication screens.

Even when an Administrator is logging in through a serial or Telnet connection and their account is linked to a FortiToken, that Administrator will be prompted for the token’s code at each login.

 

If you have attempted to add invalid FortiToken serial numbers, there will be no error message. The serial numbers will simply not be added to the list.

 

Adding FortiTokens to the FortiGate

Before one or more FortiTokens can be used to authenticate logons, they must be added to the FortiGate. The import feature is used to enter many FortiToken serial numbers at one time. The serial number file must be a text file with one FortiToken serial number per line.

One FortiToken can be added to multiple FortiGate units. This is useful for maintaining two-factor authentication for employees over multiple office locations, such as for employees who travel frequently between offices.

To manually add a FortiToken to the FortiGate – web-based manager:

1. Go to User & Device > FortiTokens.

2. Select Create New.

3. In Type, select Hard Token or Mobile Token.

4. Enter one or more FortiToken serial numbers (hard token) or activation codes (mobile token).

5. Select OK.

 

For a mobile token, you receive the activation code in the license certificate once you purchase a license. FortiOS includes a license for two mobile tokens at no cost.

This entry was posted in FortiOS 5.4 Handbook.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

6 thoughts on “Two-factor authentication”

  1. Luc Paulin

    Hi Mike, I was wondering if you are aware of a workaround… I have succeeded in adding a FortiToken to an SSL VPN user, but that same user should also have administrative rights on the FortiGate. If I enable that in the administrators for 2FA, it doesn’t recognize or allow me to assign the same FortiToken to the user 🙁
  2. Jeffeery Birks

    In terms of phishing attack prevention, FIDO keys seem to currently be one of the better solutions. There is a degree of compromise in allowing devices to connect via a USB port, but there are always some trade-offs, I guess.
  3. David Wendt

    Mike,
    We’ve set up 2FA for admin accounts but don’t receive the email. Running ‘diag debug application alertmail -1’ shows the message and that it was successful, but no email is received. We use the default SMTP settings; nothing is getting blocked/caught by Mimecast. Is there something else that needs to be enabled?
