Description
This article describes the FortiToken code prompt even when 2FA is not enabled on user.
Scope
FortiAuthenticator.
Solution
In certain scenarios, Token code is prompted even when 2FA is not enabled on the user.
It can be through admin web UI login via FortiAuthenticator, or through RADIUS authentication.
Under FortiAuthenticator logs, the following message is observed:
Local administrator authentication with no FortiToken failed, but in PCI mode, still expecting FortiToken/challenge response.
Local administrator authentication with no FortiToken failed, but in PCI mode, still expecting FortiToken/challenge response.
The reason for the 2FA prompt is because PCI DSS 3.2 is enabled on the FortiAuthenticator under Authentication -> User Account Policies -> General.
When this option is enabled, the login flows for RADIUS authentication, SAML IdP, guest portals, and GUI login has to be all meet PCI DSS 3.2 standards regarding multi-factor authentication.
- 2FA will be prompted for any users that failed the password authentication, however, it does not provide a meaningful message stating that the authentication failed due to invalid password to the user.
- This is to avoid revealing any clue to the attacker on which part of the information was valid or invalid and to comply with new PCI requirements.
