Description

This article describes how to enable 2-Factor Authentication for Admin Users through Method 2: FortiToken

Avaialble 2FA methods:

1. SMS-Token must have a valid credit purchased separately SMS Rate Card and checked using this guide.
2. FortiToken Hard Token or Mobile Token (two free available for each standalone unit or cluster).
3. Email-Token 

Usage Awareness:

1. When enabling 2FA, Admin Users will no longer be able to access the device if the OTP code is not received, FortiToken is lost or Mobile Phone with FortiToken App is reset.
2. Fortinet is unable to access the device under any circumstance or recover lost code regardless of the 2FA method used, a unit HardReset is required to obtain access make sure to backup device config frequently in a safe location.
3. Using an authenticated email account for notification purposes is recommended for Email-Token to guarantee delivery. See Technical Tip: How to configure the alert-mail settings with Microsoft office365
4. FortiGate uses the internet to send emails and provision FortiToken and send Email-Token.
5. Always use individual FortiGate admin accounts for each user with elevated privileges for the possibility to undo configurations regardless of the 2FA method used.
6. Create privileged users accessible through a secure network without a token using 'Restrict logins from trusted hosts' as a fail-safe. 
7. There is a three-day period for an administrator to activate the FortiToken to the administrator account. As insurance, a temporary administrator account with super-admin privileges can be created until successful activation of the FortiToken has been achieved, and access to it has been tested.
8.  Even after getting the token, authentication still fails because of NTP sync, Make sure NTP is in sync, before assigning the Token to the admin.

Scope

FortiGate.

Solution