Solved! Go to Solution.
Ahead of the Threat. FCNSA v5 / FCNSP v5
Fortigate 1000C / 1000D / 1500D
ORIGINAL: dred Fortinet offers FortiToken Mobile (FTM) as its mobile OTP app. FTM is more secure than Google Authenticator in the way the OTP seeds (shared secrets) are provisioned to the app. GA simply accepts base32 encoded seed values, which make the tokens on GA vulnerable. FTM uses dynamic seed creation and transmits the seeds in AES encrypted format to the app, where the seeds are encrypted and bound to the device. FTM version 2 for iOS and Android (BB10 is coming) supports third party tokens (Google, Dropbox, Amazon, etc.), all for free. So why not use FTM instead of GA?
Anyone has been able to set up google authenticator instead of fortitoken?
Man this a old thread pulled way from the past. As far as Google being less secured it's a highly recognized solution and widely accepted.
I have used 3rd party MFA solutions with FTNT
http://socpuppet.blogspot.com/2017/04/securing-fortigate-sslvpn-with-mfa-by.html
PCNSE
NSE
StrongSwan
Just a quick note regarding Duo. I presently use Duo for 2FA on my SSL VPN. The plan I am on ($10/mo for each group of 10 users) is no longer offered and will be discontinued this year. To continue with Duo will be around $3/mo per user. Compared to the one-time price of a FortiToken, it's a no-brainer. To duplicate the push authentication of Duo you need to employ a FortiAuthenticator (lists at approx $3200, plus $800/year maintenance). I can't find a better deal than the Fortinet solution.
Duo is far more than just a second factor though. For the relatively low cost, it also lets me do a large variety of other things, like not allowing a mobile device with out of date OS be used as the second factor, restrict, or require additional auth, if the request is from a certain country or non-whitelisted country, set restrictions for a given person on a per-app basis instead of them having to have one TOTP solution for Fortigate VPN, one for application X, a third for application Y, etc., log accesses in an easy to use manner, finally, it has a method for secure self re-enrollment should their primary device be rendered unusable. If a Fortitoken app device gets lost, guess what, they're calling IT who then will likely have to walk through a cumbersome set of steps to truly auth that user and get them a new Fortitoken code, or if the device is stolen, now you have to find a firewall admin to deal with locking the old token out, there's no good audit trail, etc. It's just a huge pain for an entity of reasonable size; Fortitoken, and FortiAuth for that matter, are not scalable or cost effective solutions; they're just a headache.
Besides all that though, I'm simply annoyed that Fortinet is choosing to monetize TOTP at the expense of offering much more comprehensive security solutions; their FortiToken is nothing more than TOTP that they're not letting you have the key for. I'd prefer to pay more for my hardware, or my support contract, and not deal with petty nickel-and- diming.
If you could dump the seed, then you can get it to work in other applications.
Here is a ruby script for example.
```
totp = ROTP::TOTP.new(seed, interval: 60) print totp.now ```
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.