Description | The article describes how to resolve an issue where the two-factor email expiry timer does not take effect for administrator logins to FortiGate. |
Scope | FortiGate. |
Solution |
Originally, the two-factor expiry timer was developed for RADIUS, LDAP and TACACS authentication and for firewall policy authentication; it was not intended to be used for local administrator authentication.
In this example, an administrator account was created and set up for two-factor authentication using email:
config system admin
In the global settings, the two-factor email timer was set to 30 seconds:
config system global
    set two-factor-email-expiry 30
end
However, after the two-factor code was sent by email and more than the configured 30 seconds had passed, the administrator login was still successful.
The two-factor expiry timer setting will be fixed in FortiOS 7.6.1 to apply to administrator logins to FortiGate. At the time of writing (November 22, 2024), the fix is also planned for FortiOS 7.2.11, but note that this is subject to change. |
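To find which devices are exposed to the behaviour described above, the following added example (not part of the original article and not Fortinet code) scans a configuration backup for local administrators using email two-factor and reports whether the firmware is one the article states as fixed. The `#config-version=` header layout and the `set two-factor email` line inside the admin entry are assumptions about the backup format, since the article's admin block is truncated; the sample config, admin name and address are constructed.

```python
import re

# Constructed sample of a FortiGate configuration backup (not from the article).
# The admin name, e-mail address and build string are placeholders.
SAMPLE_CONFIG = """\
#config-version=FGT60F-7.4.5-FW-build0000-000000:opmode=0:vdom=0
config system global
    set two-factor-email-expiry 30
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "example-admin"
        set two-factor email
        set email-to "admin@example.com"
    next
end
"""

def firmware_version(config):
    """Return (major, minor, patch) parsed from the backup header, or None."""
    m = re.search(r"^#config-version=[^-\s]+-(\d+)\.(\d+)\.(\d+)-", config, re.M)
    return tuple(int(x) for x in m.groups()) if m else None

def email_2fa_admins(config):
    """Return names of local admins whose entry contains 'set two-factor email'."""
    block = re.search(r"^config system admin\n(.*?)^end$", config, re.M | re.S)
    if not block:
        return []
    entries = re.findall(r'^\s*edit "([^"]+)"\n(.*?)^\s*next$', block.group(1), re.M | re.S)
    return [name for name, body in entries
            if re.search(r"^\s*set two-factor email\s*$", body, re.M)]

def expiry_seconds(config):
    """Return the configured two-factor-email-expiry value, or None if unset."""
    m = re.search(r"^\s*set two-factor-email-expiry (\d+)\s*$", config, re.M)
    return int(m.group(1)) if m else None

def audit(config):
    version = firmware_version(config)
    # The article names 7.6.1 as carrying the fix; 7.2.11 is only planned, so
    # it is not treated as fixed. Counting later versions is an assumption.
    confirmed = version is not None and version >= (7, 6, 1)
    return {"version": version, "admins": email_2fa_admins(config),
            "expiry": expiry_seconds(config), "expiry_enforced_confirmed": confirmed}
```

Any administrator listed with `expiry_enforced_confirmed` set to `False` should be treated as having no effective expiry on emailed codes until the device is upgraded.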