rukmanhady
New Member
October 3, 2025
Question

Recommendation Request: FortiToken Type for Multi-User Laptop Environment

  • October 3, 2025
  • 2 replies
  • 710 views

I plan to implement FortiToken as a Multi-Factor Authentication (MFA) solution to be used on company laptops.

However, the current situation is quite unique. The available laptops are limited in number and are shared by multiple users who take turns using them at project sites or during business trips. As a result, these laptops are not dedicated to a specific user.

If FortiToken were to be assigned to all users, the implementation would be less effective, since not every user is always working on-site or traveling for business.

Therefore, it is necessary to choose a type of FortiToken that can be used flexibly and shared among users, ensuring security needs are met without limiting user mobility.

 

Which type of FortiToken would you recommend that can be used flexibly and shared among users in this scenario?

Thank you.

2 replies

Toshi_Esumi
SuperUser
October 3, 2025

Your situation isn't unique. Some of our customers are using shared laptops, which itself is not so secure. That's why they use FortiToken Mobile to identify each individual's smartphone, not to allow internal network access if somebody doesn't have it, even when the laptop went to the wrong hands.

In other words, it's a trade-off between the cost and the level of security. If you get the same number of hard tokens to be used with each laptop, and someone who shouldn't have access to your network got a hand on the set (laptop + hard token), which those users are likely passing around as a set, that person has access if he/she has successfully stolen anybody's credentials in your org.

 

Toshi

rukmanhady
New Member
October 3, 2025

Thank you for your explanation. We fully understand the trade-off between cost and security that you mentioned.

In our case, since the laptops are shared and not dedicated to specific users, implementing FortiToken Mobile for each individual may not be efficient from a cost perspective, as not all users are regularly working on-site or traveling.

That’s why we are considering an option that allows flexibility — a type of FortiToken that can be used in a shared environment without being tied to each individual’s personal smartphone, while still maintaining a reasonable level of security.

Could you please advise if there is a recommended approach or FortiToken type that better suits this shared-user scenario?

Thank you.

Toshi_Esumi
SuperUser
October 3, 2025

What I'm saying is, if the token doesn't identify each individual's "what each has", there would be no added security with the token, whatever it is. Therefore, I have nothing to offer.
Forget about FortiToken, and use other types of 2FA like email or SMS, etc.

Toshi

Yurisk
SuperUser
October 3, 2025

If you go the "some kind of MFA is better than none" path, then FortiToken is not well suited for your situation - users cannot share the same token unless they share the smartphone where this FTM app is installed. Which inevitably will cause troubles - forgot to hand over the phone with the laptop, some user changed the phone's pin/pass, and as everyone's phone is no one's phone - no pressure not to lose/break/destroy it in creative ways.

 

So, I'd suggest what @Toshi_Esumi already mentioned - SMS or email as MFA; this way every user will register his username on FGT with his OWN phone/email address (gmail will do too) and no sharing of Token OTP codes/physical phone is needed. The other, more technically involved, but in a "put a checkmark and be done with MFA requirement" way is to use a personal/machine VPN certificate - this requires a password to use the certificate, but the certificate stays with the laptop, physically. Again, in the case of the laptop being shared it is not truly an MFA - just to formally "have MFA" w/o actually having MFA, bad practice, but sharing a laptop is already bad enough.
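As an added illustration of the per-user SMS/email second factor described in this post and in Debbie's reply below (not configuration from either poster, and not a Fortinet-provided template), the FortiGate CLI fragment below defines two local VPN users, each bound to their own email address or phone number, and puts them in a group that a VPN policy can reference. It assumes FortiOS CLI syntax for `config user local` (`set two-factor email` / `set two-factor sms`, `set email-to`, `set sms-phone`) and that an email server is already configured under `config system email-server`; the user names, addresses and phone number are constructed placeholders.

```text
# Constructed example: per-user second factor on a FortiGate (FortiOS CLI syntax assumed).
# The second factor is tied to the ACCOUNT, not to the shared laptop, so whoever
# borrows the laptop still has to prove possession of their own phone or mailbox.
config user local
    edit "alice"
        set type password
        set passwd "<alice-initial-password>"
        set two-factor email
        set email-to "alice@example.com"        # placeholder address
    next
    edit "bob"
        set type password
        set passwd "<bob-initial-password>"
        set two-factor sms
        set sms-server fortiguard
        set sms-phone "+15555550100"            # placeholder number
    next
end

# Group referenced by the VPN / firewall policy so that every member must pass 2FA.
config user group
    edit "vpn-mfa-users"
        set member "alice" "bob"
    next
end
```

Because the OTP is delivered to an address or number that belongs to one person, a laptop plus a stolen password is not enough on its own, which is the property the hard-token-per-laptop approach in this thread loses. Accounts that several people use interchangeably would defeat this again, so each traveller needs their own entry.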

 

rukmanhady
New Member
October 6, 2025

Thank you very much for your detailed explanation and suggestions.
I really appreciate your insight regarding the possible options for implementing MFA in our shared laptop environment.

Just to clarify, the reason we use shared laptops is that they are only intended for business trips or site visits. In daily operations, each user already works on their own desktop PC.

Just to confirm — for the SMS or email-based MFA method, is it also applicable for dedicated devices (for example, a company-owned laptop assigned to a single user)?

Thank you once again for your valuable input and guidance.

Debbie_FTNT
Staff & Editor
October 7, 2025

Hey rukmanhady,

it really depends on where you want to implement the MFA check.

Do you want to enforce MFA for Windows login? 

-> in that case, you will need a FortiAuthenticator, and link every user to their own FortiToken (hardware or mobile app) or set up email/SMS 2FA for each user

-> when any user in the domain logs into the laptop, their own credentials and own token would be validated

--> at least I assume every user would use their own credentials for these laptops, not a shared account?

 

Do you want to enforce MFA for a VPN connection?

-> same as above, MFA would be linked to the individual user

-> no matter which user provides the credentials for MFA, they would have to provide their own token code

--> token code could be delivered via HW or mobile FortiToken, or via SMS/Email

 

In general, MFA is an account-specific component of authentication (the whole point is that each account has their own MFA).

It is possible to configure shared resources (like a laptop with FortiAuthenticator Windows Agent) so that each user can log in with their own credentials AND own MFA. 

 

"If FortiToken were to be assigned to all users, the implementation would be less effective, since not every user is always working on-site or traveling for business."

-> I don't quite understand what you mean by this?

 

If you are looking to implement something like - each user logs in with their own credentials, but also the laptop requires that a device-specific code is entered/certificate is present/whatever, then FortiToken or email/sms is probably not the right choice, and looking into some kind of device/endpoint protection would probably serve you better.

 

Cheers,

Debbie