Description
This article describes the steps to configure Two Factor Authentication on FortiGate with token delivery to a user's email.
Scope
FortiGate.
Solution
There are two steps to complete this configuration: first configure the SMTP server that FortiGate uses to send the tokens, then enable email two-factor authentication on the local user or administrator account.
config system email-server
    set reply-to {Sender_email_address} <----- No longer configurable - see Technical Tip: 'set reply-to' missing under the 'config system email-server'.
    set server {SMTP_server_FQDN/IP}
    set port {SMTP_server_port_number}
    set authenticate {enable | disable}
    set username {username}
    set password {password_string}
    set security {none | starttls | smtps}
end
config user local
    edit {username}
        set type password
        set two-factor email
        set email-to {user_email_address}
        set passwd {password}
    next
end
config system admin
    edit "admin"
        set type password
        set two-factor email
        set email-to {user_email_address}
        set password {password}
    next
end
Note:
Email-based two-factor authentication can only be enabled via the CLI.
After two-factor authentication is enabled and the destination address for the 2FA emails is configured via the CLI, the Email option also appears in the GUI. Note that the Email 2FA option disappears again once an administrator changes the two-factor authentication type back to FortiToken or FortiToken Cloud; email-based two-factor authentication must then be configured again via the CLI.
The two-factor authentication can also be applied to LDAP users: Technical Tip: Correctly configuring Two-Factor Authentication for LDAP users using SSL VPN.
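Before enabling email two-factor authentication on an administrator account, it is worth confirming from an independent host that the SMTP settings FortiGate will use actually work, because a token that is never delivered leaves the administrator unable to log in through the GUI. The Python script below is an added example, not part of this article or of FortiOS: it mirrors the 'config system email-server' options (server, port, authenticate, username, password, security) in a dictionary with constructed placeholder values, reports setting combinations that are commonly wrong, and then opens an SMTP session the same way the FortiGate would.

```python
import smtplib
import ssl

# Mirror of the FortiOS 'config system email-server' settings.
# All values are constructed placeholders; replace them with the real ones.
EMAIL_SERVER = {
    "server": "smtp.example.invalid",
    "port": 587,
    "authenticate": "enable",      # enable | disable
    "username": "fortigate-otp",
    "password": "REPLACE_ME",
    "security": "starttls",        # none | starttls | smtps
}

def review_settings(cfg):
    """Return a list of findings about the email-server settings."""
    findings = []
    sec, port, auth = cfg["security"], int(cfg["port"]), cfg["authenticate"]
    if sec == "none" and auth == "enable":
        findings.append("SMTP credentials would be sent unencrypted: use starttls or smtps")
    if sec == "none":
        findings.append("OTP tokens would cross the network in clear text")
    if sec == "smtps" and port == 587:
        findings.append("port 587 usually expects STARTTLS, not implicit TLS (smtps)")
    if sec == "starttls" and port == 465:
        findings.append("port 465 usually expects implicit TLS (smtps), not STARTTLS")
    if auth == "enable" and not (cfg.get("username") and cfg.get("password")):
        findings.append("authenticate is enabled but username or password is empty")
    return findings

def check_email_server(cfg, timeout=10):
    """Open a session with the configured security mode and log in.
    Returns (ok, detail). Needs network access; no mail is sent."""
    ctx = ssl.create_default_context()
    try:
        if cfg["security"] == "smtps":
            conn = smtplib.SMTP_SSL(cfg["server"], int(cfg["port"]),
                                    timeout=timeout, context=ctx)
        else:
            conn = smtplib.SMTP(cfg["server"], int(cfg["port"]), timeout=timeout)
            conn.ehlo()
            if cfg["security"] == "starttls":
                if not conn.has_extn("starttls"):
                    return False, "server does not advertise STARTTLS"
                conn.starttls(context=ctx)
                conn.ehlo()
        if cfg["authenticate"] == "enable":
            conn.login(cfg["username"], cfg["password"])
        conn.quit()
        return True, "SMTP session and authentication succeeded"
    except (smtplib.SMTPException, OSError) as exc:
        return False, f"{type(exc).__name__}: {exc}"
```

Run `review_settings(EMAIL_SERVER)` first and then `check_email_server(EMAIL_SERVER)`; a failure in the second call usually matches what the sniffer capture in the troubleshooting section would show on the SMTP port.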
Verification of Configuration:
When the newly created user attempts to access a service protected by this authentication (for example, SSL VPN), the user is first prompted for username and password as usual.
If the correct credentials are entered, the user is then prompted for a token, which is delivered to the user's mailbox. Once the user enters the received token, access is granted.
Troubleshooting:
Ensure the following parameters are set so that the user has enough time to receive the email and enter the token before the authentication attempt times out (both values are in seconds).
config system global
set two-factor-email-expiry 300
set remoteauthtimeout 300
end
Debug commands can and should be combined to follow the authentication flow: the hand-over from one process to the next and the point at which a response is received from the client. Because timeouts may occur, adding a timestamp to each debug line helps to identify them:
diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application fnbamd -1
diagnose debug application alertmail -1
diagnose debug application http_authd -1  <-- new command in v7.6.4
diagnose debug enable
Use the sniffer to identify whether the FortiGate can reach and authenticate to the email server:
diagnose sniffer packet any 'port xx' 6 0 l <----- Replace xx with the port on which the mail server is listening.
Note: After upgrading to FortiOS v7.6.4, GUI logins using two-factor authentication sometimes fail, while SSH logins work normally. This affects both FortiToken and email OTP and is due to a known issue (ID 1208267) scheduled for resolution in v7.6.5. The expected release of v7.6.5 is November 2025. Firmware update schedules are subject to change without notice.
Related documents:
system email-server (CLI reference FortiOS 6.0)
Technical Tip: Correctly configuring Two-Factor Authentication for LDAP users using SSL VPN
Technical Tip: Add Two-Factor Authentication for FortiGate Administrators using FortiToken
Technical Tip: 'set reply-to' missing under the 'config system email-server'
Technical Tip: Unable to configure 'Default Reply To' via GUI and CLI
Customer Service Tip: Two-Factor Authentication (2FA) resource list
Copyright 2025 Fortinet, Inc. All Rights Reserved.