Article Id 223566



This article describes the authentication process through FortiCloud-enabled services.




FortiCloud Accounts.




Until correct credentials are entered, the login process will always require a username, password and two-factor credentials regardless of whether two-factor authentication is configured on an account. This is to avoid exposing a potential weakness to bad actors.


When a username and password are entered correctly for an account where the customer has not configured two-factor authentication, no two-factor authentication challenge is provided.

As a result, an incorrect password attempt will cause a two-factor authentication challenge. This may be confusing at first, but is essential to avoid revealing that the account does not actually require two-factor authentication. This behavior is designed in accordance with the PCI DSS 3.2 standard.

Even though a two-factor prompt is presented, push notifications or token codes via email/SMS will not be sent in the event of an invalid username or password.

The behavior described above enhances security by preventing a bad actor from learning whether the account has two-factor authentication enabled and subsequently attempting multiple password guesses.


This behavior does not change how users perform a successful login. The fact that a two-factor authentication challenge is presented does not mean that the user must enable two-factor authentication on the account to be able to log in. The solution is simply to provide the correct username and password.


  • If the account does not have two-factor authentication enabled and the correct password is provided, no two-factor challenge will be presented.
  • If the account has two-factor authentication enabled, a valid password and two-factor authentication code must be provided.
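
The login behavior described above can be sketched as follows. This is an added illustration, not Fortinet's code: the account store, the function names (password_step, challenge_step), the SENT_CODES delivery stub and the sample credentials are all assumptions constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _account(password: str, two_factor: bool) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _kdf(password, salt), "two_factor": two_factor}

# Constructed sample accounts (hypothetical, not real FortiCloud data).
ACCOUNTS = {
    "no2fa@example.com": _account("correct-horse", two_factor=False),
    "with2fa@example.com": _account("battery-staple", two_factor=True),
}
_DUMMY = _account(secrets.token_hex(16), two_factor=True)  # stands in for unknown usernames
SENT_CODES = []  # stand-in for the email/SMS/push delivery channel

def password_step(username: str, password: str):
    """Return (response shown to the client, server-side session state)."""
    acct = ACCOUNTS.get(username)
    record = acct or _DUMMY  # hash even for unknown users so the work done is the same
    matches = hmac.compare_digest(_kdf(password, record["salt"]), record["hash"])
    password_ok = acct is not None and matches
    if password_ok and not acct["two_factor"]:
        return "LOGGED_IN", None  # the only path that skips the challenge
    session = {"user": username, "password_ok": password_ok, "code": None}
    if password_ok:
        # A code is generated and delivered only after a valid password.
        session["code"] = f"{secrets.randbelow(10**6):06d}"
        SENT_CODES.append((username, session["code"]))
    return "CHALLENGE", session  # same response for a wrong password or unknown user

def challenge_step(session: dict, code: str) -> str:
    """Verify the second factor; a session with a bad password can never pass."""
    expected = session["code"] or secrets.token_hex(8)
    valid = hmac.compare_digest(code.encode(), expected.encode())
    return "LOGGED_IN" if session["password_ok"] and valid else "DENIED"
```

The client sees the same "CHALLENGE" response whether the password was wrong or the account has two-factor authentication enabled, and no code is delivered unless the password was valid.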


The example below is for a valid username with incorrect credentials of an account that does not have two-factor authentication enabled.

Image 1.png


Even though this account does not have two-factor authentication enabled, a challenge prompt is displayed.

Image 2.png


For a new attempt with the correct password, select 'Go' to return to the login page.
If the password has been forgotten or is unknown, select 'Forgot Password?'.

Image 3.png
If the browser caches the password and it seems to be correct but a security code prompt still appears, check the username and re-type the password. If the system continues to provide a challenge for a security code, reset the password.

It should not be necessary to clear the cache or clear cookies to resolve this. Provide the correct credentials to resolve the challenge.

Note: Enabling Two-Factor Authentication (2FA) is always recommended to enhance the protection of the account.