Emergency Login and Token Recovery Options in FortiAuthenticator

Hello lozivi, 

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible. 

Hello,

We are still looking for an answer to your question.

We will come back to you ASAP.

Hello again lozivi,

I found this answer, can you tell us if it helps, please?

To address emergency login and token recovery in FortiAuthenticator, you can utilize several features designed to assist users who may have lost or forgotten their tokens. Here's a breakdown of the available options:

Emergency Login Options

1. Emergency Codes:

   • Enable Emergency Codes: You can enable emergency codes in FortiAuthenticator, which allows users to log in using a pre-generated emergency code if they do not have access to their FortiToken, SMS, or email.
   • Configuration: Navigate to the settings where you can enable emergency codes and configure the validity period for these codes, which can range from 1 to 30 days (default is 7 days).

2. Temporary Tokens:

   • Email/SMS Tokens: If a user is configured for 2FA and loses access to their FortiToken, they can receive a temporary OTP via email or SMS. This requires pre-configuration of email or SMS as a backup delivery method.
   • Token Timeout: You can set the expiration time for these temporary tokens, ranging from 10 to 3600 seconds (default is 60 seconds).
     
     

Token Recovery Options

1. Self-Service Portal:
   • Re-Provisioning Tokens: If a user's mobile device is lost or unavailable, they can re-provision their FortiToken Mobile through the FortiAuthenticator self-service portal. This reduces administrative overhead and allows users to manage their tokens independently.
   • Configuration Steps:
     • Create a Self-Service Portal: Navigate to Authentication -> Portals and create a new portal. Enable options for FortiToken revocation and registration.
     • Pre-Login Services: Allow users to temporarily use email token authentication and re-provision their FortiToken Mobile.
     • Post-Login Services: Enable FortiToken Mobile self-provisioning.

Follow-Ups and Clarification Questions

• Have you enabled emergency codes in your FortiAuthenticator configuration? This is crucial for allowing emergency logins.
• Is the self-service portal configured and accessible to users? This portal is essential for token re-provisioning.
• Are email and SMS configured as backup delivery methods for OTPs? This ensures users can receive temporary tokens if needed.
• What is the current configuration for token timeout and emergency code validity? Adjusting these settings can improve user experience during emergencies.

These options should help you manage emergency logins and token recovery effectively in FortiAuthenticator. If you need further assistance with configuration, please let me know!

I would actually add to Jean-Philippes response: Temporary tokens sound like what you want:

https://docs.fortinet.com/document/fortitokencloud/latest/admin-guide/487320/using-a-temporary-token

Thanks Markus!! :)