FortiMail
aaborehab
Article Id 253967
Description This article describes how to enable MFA for admin and webmail login using FortiMail and FortiAuthenticator (RADIUS). 
Scope FortiMail.
Solution

To enable MFA/OTP on FortiMail, it is necessary to have a RADIUS server integrated with FortiMail as an authentication server (in this example, FortiAuthenticator v6.4.6 is used):

  1. On FortiAuthenticator, adjust the RADIUS policy used by FortiMail so that the authentication factor is password and OTP, as follows:

[screenshot: aaborehab_0-1682499607479.png]

  2. Under the user's settings on FortiAuthenticator, configure the method by which the user receives the OTP and allow RADIUS authentication for that user:

[screenshot: aaborehab_1-1682499607484.png]

  3. On FortiMail, create a RADIUS authentication profile as follows:

[screenshot: aaborehab_2-1682499607488.png]

  4. To authenticate webmail users, apply the RADIUS authentication profile to the inbound recipient policy as follows:

[screenshot: aaborehab_3-1682499607494.png]

  5. The token field then appears on the webmail login page as follows:

[screenshot: aaborehab_4-1682499607495.png]

  6. For administrators, create the admin account with the authentication type RADIUS so that MFA applies to the admin login:

[screenshot: aaborehab_5-1682499607496.png]


In some cases, to allow the user enough time to complete multi-factor authentication (for example, to receive and enter the OTP), it is necessary to increase the remote authentication timeout from its default of 5 seconds to 60 seconds.

 

From the CLI:

config system global
    set remote-auth-timeout <timeout-factor_int>
end
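The following Python script is an added illustration, not FortiMail or FortiAuthenticator code, of the RADIUS exchange that the policy in step 1 and the authentication profile in step 3 set up. It builds the client's Access-Request with the PAP password encoding from RFC 2865, simulates the server in-process so it runs offline, checks both factors, and verifies the Response Authenticator on the client side so a reply not keyed with the shared secret is rejected. It assumes the password-and-OTP factor is carried in a single User-Password attribute with a 6-digit token appended to the password (FortiAuthenticator may instead use a challenge/response flow; that detail is an assumption here), and the user, token and shared secret are constructed sample values. A real client would bound its wait for the reply with the remote-auth-timeout value above; the simulated server here answers immediately.

```python
"""Minimal RADIUS PAP round trip (RFC 2865) with a password+OTP factor.

Added illustration, not FortiMail or FortiAuthenticator code. The client side
encodes the Access-Request as a mail gateway acting as a NAS would; the server
side is simulated in-process so the whole exchange runs offline.
"""
import hashlib
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
OTP_LEN = 6  # assumption: a 6-digit token appended to the password

# Constructed sample data; a real server reads these from its user store.
SHARED_SECRET = b"constructed-shared-secret"
USERS = {"alice": "s3cret-pw"}
CURRENT_OTP = {"alice": "492039"}


def encode_pap_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decode_pap_password(enc: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_pap_password; strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(enc), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(enc[i:i + 16], key))
        prev = enc[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one RADIUS attribute."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident: int, username: str, password: str, otp: str) -> bytes:
    """Client side: one User-Password carrying password followed by the OTP."""
    req_auth = secrets.token_bytes(16)  # fresh Request Authenticator per request
    attrs = attribute(ATTR_USER_NAME, username.encode())
    attrs += attribute(ATTR_USER_PASSWORD,
                       encode_pap_password((password + otp).encode(), SHARED_SECRET, req_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs


def server_handle(request: bytes) -> bytes:
    """Simulated RADIUS server: check both factors and sign the reply."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attrs = parse_attributes(request[20:length])
    user = attrs.get(ATTR_USER_NAME, b"").decode()
    clear = decode_pap_password(attrs.get(ATTR_USER_PASSWORD, b""), SHARED_SECRET, req_auth).decode()
    password, otp = clear[:-OTP_LEN], clear[-OTP_LEN:]
    ok = (user in USERS
          and secrets.compare_digest(password, USERS[user])
          and secrets.compare_digest(otp, CURRENT_OTP.get(user, "")))
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + SHARED_SECRET).digest()


def response_is_authentic(response: bytes, request: bytes) -> bool:
    """Client side: accept only replies keyed with the shared secret for this request."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + SHARED_SECRET).digest()
    return secrets.compare_digest(expected, response[4:20])


def authenticate(username: str, password: str, otp: str) -> str:
    """Full exchange; raises if the reply fails the Response Authenticator check."""
    request = build_access_request(ident=7, username=username, password=password, otp=otp)
    response = server_handle(request)
    if not response_is_authentic(response, request):
        raise ValueError("response authenticator mismatch: wrong secret or forged reply")
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}[response[0]]


if __name__ == "__main__":
    print(authenticate("alice", "s3cret-pw", "492039"))  # Access-Accept
    print(authenticate("alice", "s3cret-pw", "000000"))  # Access-Reject
```

The Response Authenticator check is what protects the gateway from acting on a spoofed Access-Accept; the PAP obfuscation only hides the password from casual observation and is why the RADIUS path between FortiMail and FortiAuthenticator should itself be on a trusted network or tunnelled.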

 

Note:

The information above applies to FortiMail on-premises. For FortiMail Cloud tenants, multi-factor authentication (MFA) is supported only for webmail users; MFA for admin users is not supported in the new FortiMail Cloud tenants; however, it remains supported for admin access in legacy cloud instances.

  • New cloud: <hostname>.fortimailcloud.com
  • Legacy cloud: gwxxxxx.fortimail.com