Technical Tip: Restore lost access with an MFA bypass in FortiIdentity Cloud
Description: This article describes how to use the MFA Bypass feature in FortiIdentity Cloud to restore lost access without permanently disabling MFA. When Multi-Factor Authentication (MFA) is enforced for SSL VPN or administrative access on FortiGate, users may occasionally lose access due to lost devices, token issues, or urgent business needs.

Scope: FortiGate + FortiIdentity Cloud.

Solution: MFA Bypass allows an administrator to temporarily exempt a specific user from MFA challenges. When the bypass is enabled from the FortiIdentity Cloud graphical interface, authentication requests coming from FortiGate are validated without requiring OTP verification.

This functionality is particularly useful when:

- a user has lost or replaced their MFA device;
- a hardware or software token is not functioning correctly;
- immediate remote access is required for business continuity;
- temporary licensing or quota constraints affect MFA validation.

In a typical authentication flow, the user initiates a login attempt to FortiGate, for example through SSL VPN. FortiGate forwards the MFA validation request to FortiIdentity Cloud. If MFA bypass is enabled for that specific user, the authentication succeeds without OTP validation. The user can then access the required services while the administrator resolves the underlying MFA issue.

To enable the bypass:

1. Log in to the FortiIdentity Cloud portal at fic.fortinet.com.
2. Navigate to Settings > Realm.
3. Select the realm that contains the affected users.
4. Enable the Bypass option and apply the changes.

Once applied, the selected users within that realm will authenticate without being prompted for OTP verification.

Operational considerations: The MFA Bypass feature supports business continuity by reducing downtime for remote or administrative users while avoiding the need to disable MFA globally. Control remains centralized within FortiIdentity Cloud, ensuring that access exceptions are managed in a structured and auditable manner.

MFA Bypass should be used strictly as a temporary measure. It should only be granted by authorized administrators and continuously monitored. Once the user regains access to a valid MFA method, the bypass must be revoked to restore full security enforcement. This approach maintains a balance between strong security controls and the operational flexibility required in real-world environments.
