Skip to main content
TZ1
TZ1
New Member
February 17, 2026
Solved

Login at Fortigate when token doesn't work

  • February 17, 2026
  • 2 replies
  • 353 views

Hallo,

 

last week I updated the Fortigate to the new firmware. We use Fortinet and 2FA with Tokens.

 

After the update no VPN-Token worked anymore. Noone could start a VPN anymore. I had to create new Tokens for everyone.

 

Then it came into my mind, what if the Tokens for the Admin-Logons would not work anymore either.

 

Would we be screwed or is there a possibility to logon without 2FA?

Best answer by mzainuddinahm

Hello TZ1,

 

In that scenario you can consider the below 2 workarounds: 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Remove-MultiFactor-Authentication-on-FortiGate/ta-p/298658

 

2. If FortiManager manages the FortiGate, remove the FortiToken assigned to the super admin from FortiManager, allowing access to the FortiGate without a token request.
On the FortiManager:
Go to Policy & Objects -> User Definition edit the user and uncheck/disable the FortiToken.

 
 

2 replies

AEK
SuperUser
AEK
SuperUser
February 17, 2026

Hi TZ

 

Is it mail OTP or FortiToken OTP?

What do you mean by doesn't work anymore? Do you mean it doesn't ask for token? Or the mail OTP is not received? Or some other wrong behavior?

From which version to which version did you upgrade?

 

On the other hand I think the OTP may not be requested when you login from serial console, but I'm not sure about that, so you need to check.

So in case it is not requested then you can connect from serial console and change the behavior to regain access to the FGT WebUI.

 

Otherwise the safest thing to do is to configure one administrator account without OTP, so you can login to the WebUI in case of similar issue.

 

If this is not available and you are stuck then the solution is to edit the latest backup file (remove the token for admin) then restore the config.

AEK
TZ1
TZ1Author
New Member
February 17, 2026

The Tokens were asked, but the login did not accept them. So, I created new tokens for every user. They had to change them in their FortiToken-App and then it worked again.

 

The Admin-Tokens worked, but it came into my mind, what if those tokens would be damaged either. Using a backup-Admin-Account with a real safe password, might be an idea.

mzainuddinahm
Staff & Editor
mzainuddinahmAnswer
Staff & Editor
February 17, 2026

Hello TZ1,

 

In that scenario you can consider the below 2 workarounds: 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Remove-MultiFactor-Authentication-on-FortiGate/ta-p/298658

 

2. If FortiManager manages the FortiGate, remove the FortiToken assigned to the super admin from FortiManager, allowing access to the FortiGate without a token request.
On the FortiManager:
Go to Policy & Objects -> User Definition edit the user and uncheck/disable the FortiToken.

 
 
Terms & ConditionsAccessibility statement