nehpets
New Member
July 21, 2023
Question

Why are FortiToken registration messages not standards compliant?

  • July 21, 2023
  • 1 reply
  • 968 views

I already have a mobile authenticator app that I use for the rest of my OATH-compatible rolling codes. Why does the QR code received from Fortinet not work with a standard app?

I have no desire to install Fortinet's app for a single code.

1 reply

pminarik
Staff
July 21, 2023

"Unique token provisioning service via FortiGuard™ minimizes provisioning overhead and
ensures maximum seed security"
"Patented cross platform token transfer"

ref: https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/fortitoken.pdf

I was told ages ago that the activation mechanism is supposedly patented. It is said to increase the security of the seed. The QR code is merely the activation ASCII string, which only the FortiGuard activation server understands. So presumably the user can't leak/share the seed, even if they wanted to.

Note that the seeds can be retrieved in a standard manner (which can eventually be used to import them into a generic third-party app), but this is only available with FortiAuthenticator - https://docs.fortinet.com/document/fortiauthenticator/6.5.3/rest-api-solution-guide/829822/local-users-localusers (section "Third-party integration: FTM provisioning")
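As an added illustration of the question and the reply above (this is example code written for this page, not code from either poster or from Fortinet): the "standard" payload a generic OATH app expects in a QR code is an otpauth://totp/ URI that carries the base32-encoded seed itself, from which the app computes TOTP codes per RFC 6238. The block parses such a URI, generates codes, and shows that an opaque string without the seed cannot be imported. The otpauth URI uses the RFC 4226/6238 test secret, and the opaque payload is a constructed placeholder, not a real FortiToken activation string.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import urlparse, parse_qs, unquote

# Constructed example of the Key URI format that generic OATH/TOTP apps import.
# The secret is the RFC 4226 / RFC 6238 test key (ASCII "12345678901234567890") in base32.
SAMPLE_OTPAUTH_URI = (
    "otpauth://totp/Example%20VPN:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example%20VPN"
    "&algorithm=SHA1&digits=6&period=30"
)

# Constructed placeholder for an opaque vendor activation string: it carries no seed
# and is NOT a real FortiToken payload, only something that is not an otpauth:// URI.
SAMPLE_OPAQUE_PAYLOAD = "EXAMPLE-ACTIVATION-CODE-PLACEHOLDER"


def parse_otpauth(uri):
    """Parse an otpauth://totp/ URI into its parameters; raise ValueError otherwise."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not an otpauth://totp/ URI; a generic OATH app cannot use it")
    query = parse_qs(parsed.query)
    if "secret" not in query:
        raise ValueError("otpauth URI is missing the secret parameter")
    secret_b32 = query["secret"][0].upper()
    secret_b32 += "=" * (-len(secret_b32) % 8)  # restore base32 padding, often stripped in URIs
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "issuer": query.get("issuer", [None])[0],
        "secret": base64.b32decode(secret_b32),
        "algorithm": query.get("algorithm", ["SHA1"])[0].upper(),
        "digits": int(query.get("digits", ["6"])[0]),
        "period": int(query.get("period", ["30"])[0]),
    }


def hotp(secret, counter, digits=6, algorithm="SHA1"):
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, dynamic truncation, mod 10^digits."""
    hash_fn = getattr(hashlib, algorithm.lower())
    digest = hmac.new(secret, struct.pack(">Q", counter), hash_fn).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(params, at_time=None):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    if at_time is None:
        at_time = time.time()
    counter = int(at_time) // params["period"]
    return hotp(params["secret"], counter, params["digits"], params["algorithm"])


def is_importable(payload):
    """True if a generic OATH app could import this QR payload directly."""
    try:
        parse_otpauth(payload)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    params = parse_otpauth(SAMPLE_OTPAUTH_URI)
    print("issuer:", params["issuer"], "label:", params["label"])
    print("code at T=59:", totp(params, at_time=59))      # RFC 6238 vector: 287082
    print("standard URI importable:", is_importable(SAMPLE_OTPAUTH_URI))
    print("opaque payload importable:", is_importable(SAMPLE_OPAQUE_PAYLOAD))
```

The contrast is the whole point of the thread: a standards-compliant QR code hands the seed to whatever app scans it, while an activation-only string leaves the seed with the provisioning server, so a third-party app has nothing to compute codes from unless the seed is exported separately (as the FortiAuthenticator note describes).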