June 2, 2026
Question

MFA Requirements, Licensing, and Typical Deployment Scenarios

  • June 2, 2026
  • 3 replies
  • 84 views

Hello Fortinet Community,

I would like to understand more about MFA implementation on FortiGate.

When a customer purchases a FortiGate and the corresponding licenses, is any additional license required to enable MFA, or is MFA functionality already included?

I would also appreciate clarification on the following points:

  • What are the most common use cases for MFA in FortiGate environments?
  • Is Active Directory integration required, or can MFA be deployed with local users as well?
  • What authentication methods are typically used (FortiToken Mobile, email, third-party MFA, etc.)?
  • Are there any limitations or best practices to consider when planning an MFA deployment?

I am interested in hearing from community members who have already implemented MFA in production environments and can share their experience and recommendations.

Thank you in advance for your insights.

3 replies

funkylicious
SuperUser
June 2, 2026

Hi,

MFA can be enabled/used without any additional licensing if you configure the 2FA via email. It works for both local and LDAP users if they are imported.

In case you want to use the official app (FortiToken Mobile) and have/use the push notification, you can do that by buying token licenses and adding them to the FortiGate, or a more popular approach would be FortiAuthenticator. Another option would be the SaaS app, FortiIdentity Cloud.

Other 3rd-party solutions offer MFA, like Entra/DUO/Keycloak etc. There are lots of documents online that describe what can be done and how it can be done.

"jack of all trades, master of none"
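As an added example (not part of any reply in this thread), this is the FortiOS CLI for the no-extra-licence path funkylicious describes: a local user whose second factor is an emailed one-time code, carried through to the user group, SSL VPN authentication rule and firewall policy that actually enforce it. The SMTP relay, mailbox, user names, interface, certificate, address-pool names and passwords are placeholders, and the option names follow the FortiOS 7.x CLI; check them against the CLI reference for your firmware before pasting.

```fortios
# Added example, not from the thread: local user with email-based 2FA on
# FortiGate, then the group, SSL VPN rule and policy that make the code
# mandatory. Every name, address and password below is a placeholder.

# 1. The SMTP relay FortiOS uses to send the one-time code. If the relay is
#    unreachable the code is never delivered and the login cannot complete,
#    so monitor it like any other authentication dependency.
config system email-server
    set type custom
    set server "smtp.example.com"          # placeholder relay
    set port 587
    set security starttls
    set authenticate enable
    set username "fortigate@example.com"   # placeholder mailbox
    set password "CHANGE-ME"
end

# 2. Local user; the second factor is the emailed code, no FortiToken used.
config user local
    edit "alice"
        set type password
        set passwd "CHANGE-ME"
        set two-factor email
        set email-to "alice@example.com"
    next
end

# 3. Group that the SSL VPN rule and the firewall policy match on.
config user group
    edit "vpn-users"
        set member "alice"
    next
end

# 4. Only members of vpn-users (so only users who entered the emailed code)
#    are mapped to a portal. Interface, cert and pool names are placeholders.
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set source-interface "wan1"
    set source-address "all"
    config authentication-rule
        edit 1
            set groups "vpn-users"
            set portal "full-access"
        next
    end
end

# 5. Tunnel traffic still needs a policy; binding it to the same group means
#    an authenticated-but-ungrouped user gets no path into the LAN.
config firewall policy
    edit 10
        set name "sslvpn-to-lan"
        set srcintf "ssl.root"
        set dstintf "internal"                 # placeholder LAN interface
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set groups "vpn-users"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Two things a practitioner should keep in mind with this variant: the code lands in a mailbox, so a compromised mail account or a phishing page that relays the code in real time defeats it, and delivery latency eats into the short validity window. It is a reasonable starting point when no token licence is available, but for VPN access most deployments move to FortiToken Mobile or push-based MFA once they can.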
AEK
SuperUser
June 2, 2026

In addition to funkylicious's comment, here is some info that may interest you.

  • The most common use cases in an FGT environment are VPN client access and admin access.
  • AD/LDAP is not required, but I'd say it is a good practice. Tokens work very well with local users as well.
  • The most commonly used methods are FortiToken Mobile, then mail tokens (less used).
  • I recommend avoiding adding your FortiClient mobile directly to your FortiGate. Getting a FortiAuthenticator is always a good idea in order to use the same user token for authentication on multiple devices (other FGTs, other network equipment, mail access, etc.). Also, if you put it directly on the FGT, then it is locked and you will never be able to migrate it to another FGT, FortiToken Cloud or a FortiAuthenticator.
  • I see around me that most companies that use Fortinet devices prefer FortiAuthenticator with FortiToken Mobile because it is an enterprise solution, complete and easy to implement. Very few use open-source RADIUS with a free token solution because it is complicated to implement, harder to maintain and usually has no support.
AEK
sjoshi
Staff
June 3, 2026

Hi @willy007,

Each unit comes with a limited number of free FortiToken Mobile licenses (typically two), which allow instant configuration of basic MFA. For environments that need centralized MFA management, user self-enrollment, or extended multi-device support, optional platforms like FortiAuthenticator are available.

  • What are the most common use cases for MFA in FortiGate environments?

 FortiGate MFA is typically deployed in three primary scenarios:

VPN Access (SSL/IPsec): MFA secures VPN logins for remote users, preventing unauthorized access.
Administrative Logins: Adds a secondary layer of authentication for administrators accessing the FortiGate GUI or CLI.
Wireless Networks or Captive Portals: Enforces MFA for wireless and guest access when FortiGate integrates with an authentication server (FAC).

  • Is Active Directory integration required, or can MFA be deployed with local users as well?

Active Directory or LDAP integration is optional. FortiGate can apply MFA to local users directly using FortiToken Mobile, hardware tokens, or OTP methods. However, AD, RADIUS, or SAML integration allows for central identity management and single sign-on (SSO), which is beneficial in larger environments.

  • What authentication methods are typically used (FortiToken Mobile, email, third-party MFA, etc.)?

FortiGate supports multiple MFA methods:

FortiToken Mobile (push notifications or time-based OTPs)
Hardware FortiTokens (physical OTP generators)
Email or SMS-based OTPs
Third-party MFA via RADIUS or SAML (e.g., Duo, Microsoft Entra ID, Google Workspace)
Certificate-based authentication and FIDO2/biometric logins when FortiAuthenticator is used

  • Are there any limitations or best practices to consider when planning an MFA deployment?

Case sensitivity: Disable username case sensitivity for remote authentication to prevent MFA bypass issues.
Also, if you want to use MFA without any additional license, you can use email-based 2FA; if you want to use FortiToken, an additional license needs to be purchased.

Thanks, Salon
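As an added example (not part of sjoshi's reply or any Fortinet documentation), the FortiOS CLI for the two scenarios above that the email example does not cover: an administrator account protected by one of the unit's free FortiToken Mobile tokens, and a RADIUS server definition for remote users with the case-sensitivity setting sjoshi mentions plus the reply timeout that push-based MFA needs. The token serial, management subnet, RADIUS address, secret and account names are placeholders; the option names follow the FortiOS 7.x CLI, and `username-case-sensitive` in particular should be confirmed in the CLI reference for your firmware, since it is not present on older releases.

```fortios
# Added example, not from the thread: MFA on a FortiGate admin account with a
# free FortiToken Mobile token, plus a RADIUS definition with the two settings
# that most often break remote-user MFA. All values below are placeholders.

# 1. Admin login protected by FortiToken Mobile. The serial must be one of the
#    tokens already listed under "config user fortitoken" on this unit; the
#    activation code for the mobile app is mailed to email-to on assignment.
#    trusthost limits where the GUI/CLI login can even be attempted from.
config system admin
    edit "ops-alice"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 10.0.10.0 255.255.255.0    # placeholder management subnet
        set password "CHANGE-ME"
        set two-factor fortitoken
        set fortitoken "FTKMOB00000000A1"          # placeholder serial
        set email-to "alice@example.com"
    next
end

# 2. Remote users via RADIUS (FortiAuthenticator, Duo proxy, etc.). With case
#    sensitivity disabled, "Alice" and "alice" resolve to the same user record
#    and therefore the same token; with it enabled they are different users.
config user radius
    edit "corp-radius"
        set server "10.0.20.5"                    # placeholder
        set secret "CHANGE-ME"
        set auth-type auto
        set username-case-sensitive disable       # verify name for your release
    next
end

# 3. FortiOS waits 5 s for a RADIUS reply by default, which is shorter than
#    a person needs to approve a push; raise it so pushes are not timed out.
config system global
    set remoteauthtimeout 60
end

# 4. Map the RADIUS server to a wildcard admin so every remote administrator
#    gets MFA from the RADIUS side instead of a per-admin local token.
config user group
    edit "fgt-admins"
        set member "corp-radius"
    next
end
config system admin
    edit "radius-admins"
        set remote-auth enable
        set remote-group "fgt-admins"
        set wildcard enable
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 10.0.10.0 255.255.255.0    # same placeholder subnet
    next
end
```

Keep one local, token-protected admin such as "ops-alice" even when all day-to-day admins come through RADIUS: if the RADIUS server or its MFA backend is down, that account is the only way in, and the trusthost entry keeps the break-glass path reachable only from the management network. The per-admin local token is also exactly the case AEK warns about above; it cannot be moved to another unit or to FortiAuthenticator later, so reserve the free tokens for accounts that will live on that one FortiGate.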