FortiAuthenticator
mturic
Staff & Editor
Article Id 190925

Description

This article describes how to adjust FortiAuthenticator and FortiGate units for FortiToken OTP drift.

FortiAuthenticator logs (GUI -> Log Access -> Logs) may show a message similar to the following:

Message: Remote LDAP user authentication with FortiToken failed: token out of sync


First make sure to understand the reason for the synchronization issue. FortiTokens are time-based (TOTP) by default, and each code is valid for a window of 60 seconds. This also means that FortiAuthenticator or FortiGate on one side, and FortiToken Mobile or hardware FortiTokens on the other, each calculate the OTP from their own clock.

If the system time on the mobile device changes, the OTP currently shown by the token changes. If the system time of the FortiGate or FortiAuthenticator changes, the OTP it currently accepts changes, and this affects all users.


Mobile FortiTokens:

  1. TOTP: If a user experiences TOTP drift, it may be the result of incorrect time settings on the mobile device, as the FortiToken Mobile app relies on the time from the underlying device's operating system. Make sure that the mobile device clock is accurate by confirming the network time and the correct time zone. If the device clock is set correctly, the issue could be the result of, for example, the FortiAuthenticator or FortiGate and the FortiTokens being initialized before an NTP server was set. This results in a time difference that is too large to correct with the synchronize function. To avoid this, selected FortiTokens can be manually adjusted for clock drift.
  2. HOTP: Mobile FortiTokens and YubiKey tokens activated on the FortiAuthenticator can be used as HOTP token providers (event-based instead of time-based). Although time is not a factor in their OTP generation, they are still susceptible to token drift: if an HOTP device is triggered to show token codes that the FortiGate/FortiAuthenticator never consumed, the FortiGate/FortiAuthenticator will determine that the token is out of sync.


Hardware FortiTokens:

If a user experiences TOTP drift with a hardware FortiToken, it may indicate that the battery of the device is weakening. After the OTP drift is adjusted, however, the device should still be usable as intended.


Scope

FortiAuthenticator, FortiGate, FortiToken.


Solution

The following procedure is intended only for special cases where some FortiTokens are severely out of sync, for example when a token is switched from manual configuration to NTP control. Under normal circumstances this is not required.

Only activated FortiTokens can be adjusted.

FortiAuthenticator

  1. In a browser, append the URL of the FortiAuthenticator to look like the following:
  2. Select the FortiToken to adjust and select 'Adjust Drift'.

     [screenshot]

  3. Enter the required time adjustment in minutes. Note that the time adjustment is made in minutes for TOTP tokens and in events for HOTP tokens.


Include a minus sign (-) for a negative value. (A plus sign (+) is not necessary for positive values.)

When the Drift/Counter column of the FortiToken shows a positive value (for example 4), enter the negated value (-4) in the Time adjustment field of the Adjust Token Drift popup to reset the counter to zero (0).

Likewise, for a negative value (-4), a positive value (4) is entered in the Time adjustment field of the Adjust Token Drift popup.

Below is an example:

[screenshot]
[screenshot]

In the case of HOTP tokens, the Drift/Counter will be adjusted to the sum of the value entered and the previous drift value.

  4. Select 'OK' to adjust the token drift by the specified time.

One more way to fix this is to simply synchronize the FortiToken codes displayed on the app with the FortiAuthenticator: go to GUI -> Authentication -> User Management -> Remote Users, select the user, and select Test Token. Test Token asks for the current code and returns a response like 'Token not in sync'. The next code is then requested: provide it. The response should be 'Token in sync', and the user should now be able to authenticate.
If the token is changed for that specific user, the procedure must be repeated if the same time difference between the client and the FortiAuthenticator remains.

Another method that makes the tokens more likely to be accepted is to adjust the window of currently accepted OTPs under GUI -> Authentication -> User Account policies -> Tokens.
For TOTP (time-based OTP, the default) the window can be adjusted with 'TOTP authentication window size'. This measure should only be used as a workaround, since it increases the likelihood of guessing a correct OTP among the currently accepted OTP codes.

[screenshot]


FortiGate

On the FortiGate, use the following diagnostic CLI commands:

diagnose fortitoken

info              <- Show current drift and status for each FortiToken.
test              <- Test FortiToken with screen setting for drift of internal clock.

diagnose fortitoken info
FORTITOKEN       DRIFT  STATUS
FTKMOB88D218EC72 0      new
FTKMOB88DA72FE54 0      new

diagnose fortitoken test <FortiToken_ID> <token_code1> <next_token_code2> <drift_screen_size>

To adjust or resynchronize a FortiToken for drift, open a CLI connection to the FortiGate and use the following command:

execute fortitoken sync <FortiToken_ID> <token_code1> <next_token_code2>
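The following Python script is an added example and is not Fortinet code. It models, in one place, the behaviour described in the Description section (TOTP codes depend on each side's clock, HOTP tokens drift when codes are generated but never used) and the resynchronization performed by Test Token, 'diagnose fortitoken test' and 'execute fortitoken sync' above: a server-side record keeps the Drift/Counter value, two consecutive codes are searched within a drift screen size, and a manual adjustment is summed with the stored value. The 60-second step, 6-digit HMAC-SHA1 codes (the RFC 4226/6238 defaults), the class and function names, and the demo secrets are assumptions made for this example, not details taken from the article or from FortiOS.

```python
"""Added example, not Fortinet code: a model of FortiToken-style drift handling.
Assumptions not from the article: 60-second TOTP steps, 6-digit HMAC-SHA1
codes (RFC 4226/6238 defaults) and constructed demo secrets."""
import hashlib
import hmac
import struct

STEP = 60     # seconds per TOTP step: one code per 60-second window (assumption)
DIGITS = 6


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238: the code a token shows at unix_time on its own clock."""
    return hotp(secret, unix_time // STEP)


class TokenRecord:
    """Server-side state of one activated token: the Drift/Counter column."""

    def __init__(self, secret: bytes, kind: str):
        self.secret = secret
        self.kind = kind   # "totp" or "hotp"
        self.drift = 0     # TOTP: steps the token runs ahead (+) or behind (-)
                           # HOTP: next counter value the server expects

    def verify(self, code: str, now: int, window: int = 1) -> bool:
        """TOTP: accept codes within +/- window steps of drift-corrected server time
        (a larger window is the 'TOTP authentication window size' trade-off).
        HOTP: accept only the expected counter's code, then advance the counter."""
        if self.kind == "hotp":
            if hmac.compare_digest(hotp(self.secret, self.drift), code):
                self.drift += 1
                return True
            return False
        base = now // STEP + self.drift
        return any(hmac.compare_digest(hotp(self.secret, base + w), code)
                   for w in range(-window, window + 1))

    def sync(self, code1: str, code2: str, now: int, screen: int = 30) -> bool:
        """Re-synchronize from two consecutive codes (code2 shown right after code1).
        TOTP: search +/- screen steps (the <drift_screen_size>) for the offset at which
        code1 and code2 are the previous and current step; store it as the drift.
        HOTP: look ahead up to screen counters for code1 followed by code2."""
        if self.kind == "hotp":
            for c in range(self.drift, self.drift + screen):
                if hotp(self.secret, c) == code1 and hotp(self.secret, c + 1) == code2:
                    self.drift = c + 2   # both presented codes are now consumed
                    return True
            return False
        base = now // STEP
        for d in sorted(range(-screen, screen + 1), key=abs):   # nearest offset first
            if hotp(self.secret, base + d - 1) == code1 and hotp(self.secret, base + d) == code2:
                self.drift = d
                return True
        return False

    def adjust(self, value: int) -> int:
        """Manual Adjust Drift: minutes for TOTP (converted to steps), events for HOTP;
        the new Drift/Counter is the sum of the entered and the previous value."""
        self.drift += value if self.kind == "hotp" else value * 60 // STEP
        return self.drift


def demo_totp_drift(now: int = 1_700_000_040, skew: int = 180) -> dict:
    """FortiToken Mobile on a phone whose clock runs `skew` seconds ahead of the server."""
    secret = b"constructed demo seed, not a real FortiToken seed"
    token = TokenRecord(secret, "totp")
    device_now = now + skew
    rejected = not token.verify(totp(secret, device_now), now)   # "token out of sync"
    # The user reads two consecutive codes from the app (the second one a step later).
    code1, code2 = totp(secret, device_now), totp(secret, device_now + STEP)
    synced = token.sync(code1, code2, now + STEP)
    drift = token.drift
    accepted = token.verify(totp(secret, device_now + 2 * STEP), now + 2 * STEP)
    reset = token.adjust(-drift)   # enter the negated Drift column value to reset it to 0
    return {"rejected_before": rejected, "synced": synced, "drift_after_sync": drift,
            "accepted_after": accepted, "drift_after_reset": reset}


def demo_hotp_drift(unused_presses: int = 3, lookahead: int = 10) -> dict:
    """HOTP token whose button was pressed `unused_presses` times without logging in."""
    secret = b"constructed demo seed for the HOTP token"
    token = TokenRecord(secret, "hotp")
    device = unused_presses   # device counter already moved past codes 0..n-1
    rejected = not token.verify(hotp(secret, device), now=0)   # "token out of sync"
    device += 1
    synced = token.sync(hotp(secret, device), hotp(secret, device + 1), now=0, screen=lookahead)
    counter = token.drift
    device += 2
    accepted = token.verify(hotp(secret, device), now=0)
    adjusted = token.adjust(2)   # HOTP: new counter = previous + entered events
    return {"rejected_before": rejected, "synced": synced, "counter_after_sync": counter,
            "accepted_after": accepted, "counter_after_adjust": adjusted}
```

Running `demo_totp_drift()` shows the sequence from the article: a phone three minutes ahead is rejected, the two-code sync records a drift of 3 steps, the next code is accepted, and entering the negated drift brings the column back to 0. `demo_hotp_drift()` shows the event-based case, where the counter jumps past the codes the device generated but never presented, and where a manual adjustment is simply added to the stored counter. The `window` argument of `verify` is the knob the 'TOTP authentication window size' setting turns: every extra step widens the set of codes accepted at once.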

 

Related documents:

FortiToken physical device and FortiToken Mobile.

Synchronizing FortiTokens (refers to hardware tokens kept in storage)