FortiAuthenticator
Sheikh
Article Id 244315
Description This article describes how to enable users to re-provision their FortiToken Mobile or use temporary email or SMS tokens if the previously provisioned mobile device is lost or unavailable.
Scope FortiAuthenticator, Self-Service portal, reprovisioning of Tokens.
Solution

It is possible to re-provision FortiToken to users in the event that an already provisioned mobile device is unavailable, damaged, dysfunctional, or lost. In addition to giving end users more flexibility, this will result in fewer administrative tasks and/or helpdesk tickets.


Configuration


If the FortiAuthenticator self-service portal is already being used, several options can be enabled to leverage this feature. If there is no self-service portal available, follow the instructions below to create it first:


1) Log in to FortiAuthenticator and navigate to Authentication -> Portals -> Create New.



Set the necessary options under FortiToken Revocation and give the portal a name. For the purposes of this article, only the options related to FortiToken revocation and Token Registration are enabled.

2) Under Pre-Login Services, enable the following options:

- Allow users to temporarily use email token authentication if an email was pre-configured.

- Allow users to re-provision their FortiToken Mobile.


Under Post-Login Services, enable Allow FortiToken Mobile self-Provisioning.



Select OK to save the configurations.



3) Next, create a policy for the newly created portal. Navigate to Portals -> Policies. On the top right, ensure 'Self-Service Portal' is enabled, then select Create New.



Write the name of the Portal Policy and select the recently created portal from the drop-down list.

Note the URL path. It will be used to access this portal.



For the purpose of demonstration, 'Local Users' of FortiAuthenticator are shown here. In a production environment, there may be multiple 'realms' and multiple groups.



4) Select the required authentication factors and select Save and exit.



Note: Ensure that there is already an active FortiToken assigned to the user and that an email address is also set under user properties.



Scroll down and, under User Information, ensure that an email address is configured.



After completing these steps, end users log in to the self-service portal using the portal address, that is, the URL path noted in the portal policy.



User login


Now, users can log in to the portal with their credentials.



Once the credentials are verified, the user can select 'Lost my token'.


A new window will appear, prompting the user for the options set earlier in the portal. Select Re-provision my FortiToken Mobile and select OK.



A 'FortiToken Mobile has been re-provisioned' message will appear. The user will then receive an email to activate FortiToken Mobile. The re-provisioning event is also recorded in the FortiAuthenticator logs.



If the user selects 'Switch to email authentication', an email will be sent to the already configured email address. From then on, every login attempt triggers an email containing the token code, which the user must enter to log in once their credentials are verified.
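Both pre-login options above ('Re-provision my FortiToken Mobile' and 'Switch to email authentication') are granted on the strength of the password plus mailbox access alone, so they are worth watching in the logs. As an added defender-side example (not part of this article and not FortiAuthenticator's own tooling), the script below scans constructed log lines in an assumed key=value format and flags users who reset their token repeatedly within a window or from several client addresses; the field names and action values are assumptions, not the appliance's real log schema.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical key=value syslog style; this is an
# assumed format for illustration, not FortiAuthenticator's real log format.
SAMPLE_LOGS = """\
2023-01-30T14:05:10Z user="alice" action="fortitoken_reprovision" stage="pre-login" src=10.0.0.5
2023-01-30T14:06:42Z user="alice" action="email_token_fallback" stage="pre-login" src=10.0.0.5
2023-01-30T16:20:00Z user="bob" action="fortitoken_reprovision" stage="post-login" src=10.0.0.9
2023-01-31T09:00:00Z user="alice" action="fortitoken_reprovision" stage="pre-login" src=198.51.100.7
2023-01-31T09:01:30Z user="alice" action="email_token_fallback" stage="pre-login" src=198.51.100.7
"""

# Self-service actions that replace or bypass the enrolled FortiToken (assumed names).
TOKEN_RESET_ACTIONS = {"fortitoken_reprovision", "email_token_fallback"}
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Parse one event into a dict with a datetime 'ts'; None if the line is malformed."""
    ts, _, rest = line.partition(" ")
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = {k: (q if q else u) for k, q, u in KV_RE.findall(rest)}
    fields["ts"] = when
    return fields

def flag_token_resets(text, window=timedelta(hours=24), threshold=2):
    """Users whose pre-login token resets (reprovision or email fallback, which need
    only the password plus mailbox access) reach `threshold` inside any `window`.
    Returns {user: {"count": total resets, "sources": sorted distinct client IPs}}."""
    by_user = defaultdict(list)
    for ev in map(parse_line, text.splitlines()):
        if ev and ev.get("action") in TOKEN_RESET_ACTIONS and ev.get("stage") == "pre-login":
            by_user[ev["user"]].append(ev)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        # Sliding window anchored on each event in turn; stop at the first hit.
        for i, start in enumerate(evs):
            hits = sum(1 for e in evs[i:] if e["ts"] - start["ts"] <= window)
            if hits >= threshold:
                flagged[user] = {"count": len(evs), "sources": sorted({e["src"] for e in evs})}
                break
    return flagged
```

Running `flag_token_resets(SAMPLE_LOGS)` on the constructed sample reports only alice (four pre-login resets from two addresses); bob's post-login re-provisioning is ignored because it happened after a full login.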



In some cases, the user may have changed their mobile device. They can log in to the self-service portal and provision their new device, eliminating the need to involve an IT administrator or the helpdesk.


To do this, upon logging in as a user, select 'Multi-Factor':



Next, select FortiToken -> Mobile. Under the activation delivery method, select Email or Scan QR Code and select OK.



The user can now re-provision FortiToken for their mobile device. They must first download and install FortiToken Mobile on the device in order to scan the QR code provided.



Once the code is activated, the user can use the FortiToken app to approve logins on all applications where FortiAuthenticator Token-based authentication is configured.


For more details, see the FortiAuthenticator Administration guide:


https://docs.fortinet.com/document/fortiauthenticator/6.4.6/administration-guide/736069/portals
