FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
Markus_M
Staff & Editor
Article Id 425535
Description This article describes the technical activation process for both FortiToken Mobile and FortiToken Hardware.
Scope FortiAuthenticator, FortiGate, FortiPAM, FortiProxy.
Solution
This article focuses on FortiAuthenticator for centralized token management. FortiAuthenticator can provision (assign) tokens manually and automatically. FortiGate, FortiPAM and FortiProxy can only provision tokens manually, but each product follows the same technical process despite the UI differences between them.

Hardware and mobile tokens both display a one-time password (OTP) that is used as an authentication factor for the product where that token was provisioned. The OTP is calculated from a random, unique cryptographic value, the so-called 'seed'. The end user's device and the authenticating device must hold the same seed so that their OTP calculations match.
FortiToken Mobile online activation:
The activation process for any Mobile token follows these steps:
  1. The FortiToken Mobile license activation described in Technical Tip: FortiToken Mobile license activation is a necessary prerequisite. Importing the licenses (EFTM...) will download the individual FortiToken Mobile serial numbers (FTKMOB...) for individual token provisioning to a user. The token state is 'Available'.
  2. The administrator assigns a FortiToken Mobile to a user. On FortiAuthenticator, this may also be an automated step.
  3. FortiAuthenticator contacts fortitokenmobile.fortinet.com to generate a seed and an activation code.
    The activation code is required for the phone to download the seed from the fortitokenmobile.fortinet.com servers.
  4. FortiAuthenticator sends the activation code to the end user via email or SMS. It is also possible to have the activation code displayed as a QR code in the user portal, if enabled.
  5. The provisioned token state in FortiAuthenticator will change from 'Available' to 'Pending'. FortiAuthenticator starts periodically polling the activation server fortitokenmobile.fortinet.com to check if the user has activated the token.
  6. The end-user enters the activation code (manual or QR scan) in FortiToken Mobile.
  7. FortiToken Mobile connects to the activation server fortitokenmobile.fortinet.com and downloads the seed with the given activation code.
  8. fortitokenmobile.fortinet.com deletes the seed and activation code. This prevents other endpoint devices from downloading the seed and generating identical OTPs.
  9. Complementary to step 3, FortiAuthenticator will mark the token as 'Assigned' if either:
    1. The activation server returns on the poll that the token has been activated.
    2. The end user authenticated, using that assigned token.
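As an added illustration (not Fortinet's code, and not the real fortitokenmobile.fortinet.com protocol), the following Python simulates the token state transitions, the one-time seed download and the two ways a token becomes 'Assigned' from the steps above. The class names, the RFC 6238-style OTP calculation and the serial 'FTKMOB-EXAMPLE' are assumptions made for the example.

```python
import hmac, hashlib, secrets, struct

def totp(seed: bytes, now: int, step: int = 60, digits: int = 6) -> str:
    # RFC 6238-style TOTP; an assumption, the real FortiToken algorithm is not on this page
    mac = hmac.new(seed, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

class ActivationServer:   # stand-in for fortitokenmobile.fortinet.com (constructed)
    def __init__(self):
        self.pending, self.activated = {}, set()   # activation code -> (serial, seed)
    def provision(self, serial):                   # step 3: generate seed + activation code
        seed, code = secrets.token_bytes(20), secrets.token_hex(8)
        self.pending[code] = (serial, seed)
        return seed, code
    def download(self, code):                      # steps 7-8: seed handed out exactly once
        serial, seed = self.pending.pop(code)      # KeyError on any second attempt
        self.activated.add(serial)
        return seed

class Authenticator:      # token bookkeeping on the FortiAuthenticator side (constructed)
    def __init__(self, server):
        self.server, self.tokens = server, {}      # serial -> {"state", "seed"}
    def import_license(self, serials):             # step 1: tokens become 'Available'
        self.tokens.update({s: {"state": "Available", "seed": None} for s in serials})
    def assign(self, serial):                      # steps 2-5: 'Pending', code goes to user
        seed, code = self.server.provision(serial)
        self.tokens[serial].update(state="Pending", seed=seed)
        return code
    def poll(self, serial):                        # step 9.1: server reports activation
        if serial in self.server.activated:
            self.tokens[serial]["state"] = "Assigned"
    def verify(self, serial, otp, now):            # step 9.2: a valid login also assigns
        ok = hmac.compare_digest(totp(self.tokens[serial]["seed"], now), otp)
        if ok:
            self.tokens[serial]["state"] = "Assigned"
        return ok

def run_flow(serial="FTKMOB-EXAMPLE", now=1_700_000_000):   # constructed serial/time
    fac = Authenticator(ActivationServer())
    fac.import_license([serial])
    states = [fac.tokens[serial]["state"]]                 # 'Available'
    code = fac.assign(serial)
    states.append(fac.tokens[serial]["state"])             # 'Pending'
    phone_seed = fac.server.download(code)                 # steps 6-7: phone redeems code
    fac.poll(serial)
    states.append(fac.tokens[serial]["state"])             # 'Assigned'
    return {"states": states, "code_still_redeemable": code in fac.server.pending,
            "login_ok": fac.verify(serial, totp(phone_seed, now), now)}
```

Running `run_flow()` returns the state sequence Available, Pending, Assigned, shows that the activation code is no longer redeemable after the first download (step 8), and that an OTP computed from the downloaded seed is accepted.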


FortiToken Mobile offline activation:
The FortiToken Mobile activation process can be applied to air-gapped environments where FortiAuthenticator has no internet access. This requires a one-time online license activation for each FortiToken Mobile license. Any tokens associated with the FortiToken Mobile license can then be activated offline with a QR code without requiring internet access on the FortiAuthenticator or the mobile device. See the following documentation for more information:


The Offline Activation feature for mobile tokens is only available for FortiAuthenticator, not FortiGate, FortiPAM, or FortiProxy.

Also note that FortiProxy does not support FortiToken Mobile license import. Only the integrated trial tokens, as well as FortiToken Cloud, are supported. See this document: FortiTokens for more information.


FortiToken Hardware:

The activation process for Hardware tokens is different. The FortiToken Hardware is a physical token (FTK2x0y), and the seed used to calculate the OTP in the display is already present in that token.

User activation for the token is not required, only token import and administrative assignment.


  1. Import the individual FortiToken Hardware serial numbers so that they can be provisioned to users. The tokens will be put in the state 'Available'.
    This step also downloads the seed for each serial number from update.fortiguard.net and locks the token to this FortiAuthenticator. Once locked, the token cannot be imported into another FortiAuthenticator; this prevents the seed from leaking. If the FortiTokens must be transferred to another FortiAuthenticator in the future, refer to the article Technical Tip: Hard Token error 'token already activated, and seed won't be returned' and contact Fortinet support.

  2. The administrator assigns a FortiToken Hardware to a user. On FortiAuthenticator, this may also be an automated step. The token state changes directly from 'Available' to 'Assigned'; there is no 'Pending' state because no action is required on the user side.


The FortiToken Hardware import step (step 1 above) requires the FortiAuthenticator to be online. Alternatively, since the seeds are static (burned into each hardware token), Fortinet can supply seed files for the tokens, which allows offline import of hardware tokens. The offline activation feature for hardware tokens is available for FortiAuthenticator, FortiGate, FortiPAM, and FortiProxy. See the following documentation for more information.


Some FortiToken Hardware SKUs (tokens with serial numbers beginning in FTK211...) do not allow downloading the seed or requesting the seed file. Instead, the seeds are shipped on an included CD together with the hardware tokens. Fortinet does not retain the seed file for these SKUs: if the seed file is lost, the token can no longer be imported. See this article: Technical Tip: Lost seed file for FortiToken Hardware with CD.