Solution
An administrator may encounter difficulties accessing the FortiGate GUI due to issues with two-factor authentication (2FA). Common scenarios include:
- The 2FA token is not being delivered to the registered email address.
- The mobile device with the FortiToken application has been lost.
- The FortiToken application was migrated to a new device and is no longer functioning correctly.
In these circumstances, where access to the FortiGate device is lost because of a 2FA problem, there are several methods available to restore administrative access.
- Maintainer Account (Legacy Method).
Accessing the device using the maintainer account is possible on physical FortiGate devices before FortiOS versions 7.2.4 and 7.4.0 GA. This method allows an administrator to log in and update admin settings directly. Note: The maintainer account feature has been removed in later versions. For details, refer to Fortinet’s documentation on Technical Tip: Removal of maintainer account feature.
- Local super_admin account.
Fortinet recommends creating a backup super admin account, especially when enabling 2FA for the primary admin user. This backup account can be used to regain access if the primary account encounters 2FA or password-related issues.
- FortiManager.
If the device is managed through FortiManager, a CLI script can be pushed to the FortiGate to remove the FortiToken configuration from the affected admin user, allowing access to be restored. To push the admin account from FortiManager, see Technical Tip: Admin account can be pushed from FortiManager to FortiGate.
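As an added example (not part of this article and not a Fortinet-supplied script), the body of a FortiManager CLI script that clears the token from the affected account. The account name "admin" is a placeholder; substitute the name of the locked-out administrator.

```text
# Added example: FortiManager CLI script that removes 2FA from a locked-out admin.
# "admin" is a placeholder for the affected account name.
config system admin
    edit "admin"
        set two-factor disable
        unset fortitoken
    next
end
```

Run the script directly against the FortiGate (Remote FortiGate Directly via CLI) so it takes effect immediately, or run it against the Device Database and install the change. Once the administrator can log in again, confirm with `show system admin` that `two-factor` is disabled for that account only, then re-enable 2FA after a working token has been assigned and tested.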
- Premium FortiGate Cloud.
For devices linked to a premium FortiGate Cloud account, remote admin management capabilities may allow for resetting or reconfiguring the admin account without requiring local access. See this article: Technical Tip: Recover access to FortiGate via FortiGate Cloud.
- Last resort: format and restore.
If none of the above solutions are viable, the final option is to format the appliance and restore a backup configuration where the FortiToken settings have been removed. This should only be done with proper planning and caution.
Recommendation: High Availability (HA). If any site is critical and minimal downtime is a priority, Fortinet strongly recommends implementing a High Availability (HA) setup in production environments before proceeding to the last resort.
Disclaimer:
Fortinet TAC does not have any super admin credentials and cannot bypass 2FA or password protection; therefore, it’s the client's responsibility to follow the recommended steps before enabling MFA on a primary admin account.
- Token Activation Grace Period:
There is a three-day period for an administrator to activate the FortiToken for the administrator account. As insurance, a temporary administrator account with super-admin privileges can be created until successful activation of the FortiToken has been achieved and access to it has been tested.
- Individual Admin Accounts:
Always assign separate administrator accounts to each user with elevated privileges. This allows other admins to reverse configurations or regain access if one account becomes inaccessible, regardless of the 2FA method in use.
- Backup Access Account:
Create a privileged admin account that does not use a token but is restricted to access only from trusted internal networks. Use the Restrict logins from trusted hosts feature (Technical Tip: System administrator best practices for FortiGate and FortiProxy) as a fail-safe recovery method.
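An added example (not from the article) of such a backup account in the FortiGate CLI: a super_admin account with no token whose logins are accepted only from two management sources. The account name, the trusted subnet and host addresses, and the password are placeholders.

```text
# Added example: token-less backup super_admin restricted to trusted hosts.
# Account name, addresses and password are placeholders.
config system admin
    edit "backup-admin"
        set accprofile "super_admin"
        set two-factor disable
        # management subnet and one jump host; all other sources are refused
        set trusthost1 10.10.0.0 255.255.255.0
        set trusthost2 10.20.0.10 255.255.255.255
        set password <strong-unique-password>
    next
end
```

Once a trusthost is set, the FortiGate silently rejects logins for that account from any other source address, so test the login from a trusted host before enabling 2FA on the primary administrator. Use the `ip6-trusthost` entries for IPv6 management sources, and store the password in a vault rather than in the same place as the primary admin credentials.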
- Risk of Lockout:
If the OTP code is not received, the FortiToken is lost, or the mobile device with the FortiToken app is reset, admin users will be locked out of the device.
- No Recovery from Fortinet:
Fortinet cannot access any device or recover lost 2FA codes under any circumstances. In such cases, a hardware reset is required to regain access. To avoid data loss, ensure regular backups of the device configuration are taken and stored securely. See how to automate backups: Technical tip: how to send an automated backup.
- Email Token Delivery Tips:
When using email-based tokens (Email-Token), configure a properly authenticated email account to ensure reliable delivery. See the configuration guide for Office 365: Technical Tip: How to configure the alert-mail settings with Microsoft Office 365.
- Email and Token Communication Requirements:
FortiGate requires internet access to send token emails, provision FortiTokens, and deliver email tokens. Ensure proper connectivity and DNS settings are in place.
- NTP Synchronization Required:
Even after assigning a token, authentication may fail if the system time is not synchronized. Ensure NTP is properly configured and in sync before assigning the token to an administrator account.
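The email-token and NTP points above, as one added CLI example that is not part of the article: an authenticated mail relay, an email token assigned to an administrator, and NTP synchronisation checked before the token is relied on. The mail server, credentials, addresses and account name are placeholders.

```text
# Added example: prerequisites for a working email token.
# Server, credentials, addresses and account name are placeholders.

# 1. Authenticated SMTP relay used for email tokens and alert mail
config system email-server
    set type custom
    set server "smtp.example.com"
    set port 587
    set authenticate enable
    set username "fortigate@example.com"
    set password <smtp-password>
    set security starttls
end

# 2. Email token on the administrator account
config system admin
    edit "admin"
        set two-factor email
        set email-to "admin@example.com"
    next
end

# 3. Keep the clock in sync; OTP validation fails on a drifted clock
config system ntp
    set ntpsync enable
    set type fortiguard
    set syncinterval 60
end

# 4. Verify before logging out of the current session
execute time
diagnose sys ntp status
```

Keep the session that applied these changes open until a test login with the email token has succeeded: `diagnose sys ntp status` should show the server as synchronised, and the token email must actually arrive. Both the SMTP relay and the FortiGuard NTP servers need working DNS and outbound connectivity from the FortiGate, so check `config system dns` and the egress route if either step fails.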
Related article: Technical Tip: Recommendations and common scenarios for Administrator access on FortiGate