Customer Service
Customer Service Information and Announcements
blynch
Staff
Article Id 312824
Description

This article contains the list of resources related to Two-Factor Authentication on Fortinet accounts.

Scope

All Fortinet customers.
Solution

Fortinet highly recommends enabling Two Factor Authentication (2FA) to ensure the security of customers’ accounts. FortiToken is the recommended 2FA method to give accounts the best security.

Enabling Two-Factor Authentication.

 

Take the following steps to set up 2FA:

  1. Download the FortiToken application on Google Play or the Apple Store.
  2. Take the following steps to enable 2FA:
    1. Open https://support.fortinet.com and log in.
    2. Select Account at the top-right of the portal and select Security Credentials.
    3. Select Two Factor Authentication in the navigation pane to open the Two Factor Authentication page.
    4. Select Edit and Enable Two Factor Authentication.
    5. Select the 2FA option of FortiToken.
    6. Verify the account password and select Submit.
    7. Select Test Token Now to verify 2FA has been enabled.
    8. Enter the security code and select Submit.
      Note: A dialog opens if the test is successful.
    9. Log in using the proper credentials and use FortiToken to verify the account.

This applies to master, sub user, IAM user, and any Organizational Unit user.

 

Two-Factor Authentication FAQ.

 

Q: Why is Fortinet enforcing 2FA on FortiCloud accounts?

A: Fortinet is committed to ensuring the highest level of security for customers. Due to the ever-evolving threats, the priority is to ensure accounts have the highest level of security. By adding 2FA, users can prevent bad actors from gaining access to Fortinet accounts.

               

Q: Is it possible to continue to use a shared account to access support.fortinet.com?

A: Fortinet does not recommend sharing accounts. A shared account is not a secured account. It is recommended to use IAM users to share access to the account.  IAM users allow access to the FortiCloud account without sharing passwords, providing robust permission management and access control. Review the following document to configure IAM: Identity & Access Management (IAM).

 

For those who wish to use a shared account with Email OTP, all users will need to have access to the mailbox.

 

Please be advised:  This creates a single point of access for a bad actor. This is not recommended.

               

Q: Why is it currently not possible to configure Email 2FA?

A: At this time, email can only be configured under IAM users. As of June 7th, email as a 2FA option will be available for all users.

 

Q: Are other third-party 2FA available?

A: Currently, the only supported 2FA are FortiToken and Email OTP, but future updates may offer additional methods of 2FA.

 

Q: When will 2FA be enforced?

A: 2FA will roll out in stages to avoid impacting all customers at once. Email notifications and weekly reminders will be sent, beginning 30 days before 2FA enforcement. Enforcement will start with the first batch on June 7th, 2024.

 

Q: What happens if 2FA is not set before the deadline?

A: Email 2FA will be automatically enabled, requiring access to the mailbox to receive the token when logging in.

 

Q: Can 2FA be disabled for an account?

A: Security is Fortinet’s business and securing customers, including people, devices, and data, is Fortinet's mission. Threat actors are constantly trying to get ahead of Fortinet and have been seen to actively collect credentials from clients using methods such as keystroke loggers. Once these threat actors have credentials, they have access to services responsible for securing the client's network – access stopped only by a second factor authentication step. Fortinet’s mission is to stay ahead of that and 2FA is critical to stay ahead of this form of attack. As such, 2FA will be enforced universally.

 

Q: What happens if 2FA is already set?

A: No actions are necessary, as the account is already secure.

 

Q: Will 2FA be enforced on new accounts?

A: As of June 7th, all new FortiCloud accounts will require 2FA.  By default, it will be configured for the email address used to create the account.

 

Q: Is the customer using Outlook?

A: If yes, please add the token email to the Safe Senders list. The email to add is noreply@fortinet-notifications.com

 

Two-Factor Authentication Articles and Documents.

 

| Title | Description |
|---|---|
| Logging in with 2FA for the first time | Users are required to validate and set up 2FA for the IAM user the first time they log in to https://support.fortinet.com |
| Enabling Two-Factor Authentication | Users can enable Two-Factor Authentication (2FA) at the user level or the account level. |
| Customer Service Tip: Answers to common Two-Factor Authentication (2FA) queries | This article contains solutions for issues frequently faced by customers with 2FA. |
| Customer Service Tip: How to change the master account ID (email address) used for product registrat... | This article describes how to change the email address associated with the master Account ID used for registration of products. |
| Customer Service Tip: Two-Factor Authentication (2FA) improvement and enforcement in the FortiCloud ... | This article describes important information worth noting about two-factor authentication in the FortiCloud Portal. |
| Not receiving SMS for 2FA from FortiGuard | This article describes the case when not receiving SMS for 2FA while using FortiGuard as an SMS server. |
| Email Two-Factor Authentication on FortiGate | This article describes the steps to configure Two Factor Authentication on FortiGate with token delivery to the user’s email. |
| SSL VPN with 2FA Fail after upgrade 7.2.9 | This article describes the issue when upgrading to 7.2.9 and the 2FA is not working. |