Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Jay_Libove
Contributor

Google Authenticator instead of FortiToken?

Since FortiToken is OAUTH compliant, can we not use Google Authenticator instead? Anyone been able to work that out? thanks,
20 REPLIES 20
dred_FTNT
Staff

Jay, Fortinet, like any other vendor of Two Factor Authentication (2FA) systems, including RSA, Vasco, Safenet, etc., charges for tokens (hard and soft). In fact, Fortinet is the most economical choice in terms of total cost of ownership, especially in the case of using the FortiGate as the authentication server (since the function is built in and there is no additional license for a separate piece of hardware or software). If you purchased another vendor's 2FA product for your network, whether it be to add strong authentication to a Fortinet, Checkpoint, Cisco or whosoever VPN/Firewall, you would pay for tokens and the authentication server, as well as ongoing support. Also, please note that Fortinet provides TWO FREE FTM TOKENS with every FortiGate (or FortiGate HA cluster) on FortiGate FOS 5.0 and up. So what I'm saying is that if you want to add a One Time Password solution to your FortiGate, and you are using FTM v2, you can use the same app for your Third Party tokens as well. And you can have two free Fortinet FTM tokens per FortiGate. As for security not having to be perfect, I agree. There is always the tradeoff between security and usability. But Google is not a security company. Fortinet is. Protecting the OTP seed is of the utmost importance to many customers. Therefore Fortinet provides a more secure mobile token app that is as easy to use as GA, if not easier. -D
David Redberg Fortinet Product Manager
Jay_Libove
Contributor

It's lovely that FortiNet provides a more secure (than I need or want to pay for) token option for those clients who need/want/are willing to pay for it. What I'm complaining about is that FortiNet does NOT allow us to use the economical, really quite secure (certainly enough for us) options which LinkedIn, eBay, PayPal, Facebook, and dozens of others include even in their free services - e.g. Google Authenticator. And even for those for whom the extra security is justified (although, see later discussion/challenge below) I can't believe that €80/token in small quantities [5], or €62/token in moderate quantities [100] is so economical as you say. It took some work, but I finally found a document (two years old, so the prices if anything should be cheaper now) showing an actual price model for the Verisign VIP hosted token service, for the UK government. At the size of a 100-user deployment, the setup fee is £32/user (£3205 total setup), plus an annual token fee of £9,62/token. In other words, acquisition cost including first year support £42 followed by £9,62/user/year. Note that FortiNet's model hides the ongoing support cost of the FortiToken service in the maintenance agreement on the FortiGate appliances/FortiOS updates and support, so the one-time €62 cost I've been quoted for FortiTokens is not the whole story. And I remind us all that the FortiNet pricing is for soft tokens, whereas the Verisign VIP pricing example I found is for physical tokens. I'm also rather curious about your repeated assertion that the OTP Seed is better protected with FortiNet than with e.g. Google. Could you explain in technical detail please? Then we can really dig in to whether the extra level of security in fact matters to the vast majority of users; I doubt that the real security difference in fact would be important, if the users really understood the ins and outs of it. thank you, -Jay
Jay_Libove
Contributor

One more thing that comes to mind: FortiNet itself doesn't need to be involved in a 2-factor authentication solution at all. The FortiGate appliance is the seed and authentication server. A FortiToken or Google Authenticator or any other OAUTH compliant soft token is the end-user device. The communication goes over the same Internet connection which the user and the FortiGate must have in order for the whole idea to be useful anyway. So for FortiGate to put itself in the middle, and offer an expensive service, and not include the 2-factor server in FortiOS for those customers who are happy to run it themselves, seems to me to just be a way to try to squeeze more money out of the customers, without providing additional value. (It also makes FortiNet's servers a potential point of failure).
dred_FTNT
Staff

Jay, FortiToken Mobile is a FREE application. Free Tokens for Google, DropBox, etc. (i.e., any free tokens that are supported in Google Authenticator - GA) can be easily provisioned to FortiToken Mobile for FREE. Your assumption about FortiNet NOT allowing you to use two step verification options for FREE as you can with GA is not true. BTW, note that some of the services you mentioned, like LinkedIn, provide two step verification only via SMS and you cannot use GA (or any other OTP generator app) to generate the codes (at least according to their help pages). Back to my point: You can use FortiToken Mobile for FREE with the same FREE tokens you can get for use with GA. And, if you want to use Fortinet soft tokens to protect your own network assets, the first two are FREE and the rest you pay for, just like any other commercial 2FA/token vendor. We have done extensive pricing analysis and are confident we are the most economical against other top 2FA vendors like RSA and Vasco.
David Redberg Fortinet Product Manager
Jay_Libove
Contributor

Dred, let's clarify. I am NOT talking about whether the FortiToken app may be used as an OAUTH compatible client for other sites and services. I am only talking about 2-factor authentication for VPN access to my network through my FortiGate appliance. So, please, stop insisting that "my assumption", etc. is incorrect, as that is not my assumption. It isn't what I'm talking about at all. You note extensive pricing analysis, without responding to the concrete case that I noted a couple of posts back of pricing by Verisign VIP for hardware tokens cheaper than today's FortiNet pricing for software tokens. You also have not responded to my challenge about the "extra security" you claim of the FortiToken seed model as to 1) whether/how it really is more secure in a meaningful way to the great majority of users; and 2) even if it is in fact more secure, whether the things it is more secure against 2a) matter to most users, and even if it matters to many users whether 2b) it matters enough to justify its higher cost. Even if all of the above remains true (which I doubt, and I continue to ask FortiNet to answer), there still remains the fact that just because it can be done this way (and be a revenue stream for the vendor) does not mean that it must be done this way. I remain unconvinced that FortiNet's token service and pricing model is anything more than an artificially captive extra revenue stream. Convince me otherwise, with details and facts, please. Thank you,
dred_FTNT
Staff

We'll just have to agree to disagree. But I'll try one more time to answer your concerns: first of all, the organization for authentication interoperability standards is OATH, not OAUTH. OAuth is an open standard for authorization, something completely different. Second, what other firewall/VPN vendor offers free tokens for 2FA? Not Cisco, not Checkpoint, not Juniper, not anyone. Fortinet is the only vendor that offers two free tokens with their devices. If you don't want Fortinet tokens for use with your FortiGate, then use someone else's, like Vasco, Safenet or RSA. But you will still have to pay those vendors. As for pricing analysis, that is highly proprietary and is not something to share in a public forum. And there is always a difference between "List" and "street" price. And there are tons of pricing gimmicks and games, such as server costs and annual subscription fees. So an apples-to-apples comparison is not trivial. A quick Google search reveals this link to a cost comparison from Yubico, who claims the YubiKey has the lowest total fees and annual total cost per credential. http://www.yubico.com/products/comparison/cost/ Their annual soft token cost is $38 PER YEAR. As for security, the token in 2FA is the second factor, the "something you have" factor. If that factor is able to be copied, it is no longer meeting the definition of 2FA and is not secure in that sense. Tokens installed on GA are easily copied. I can load the same token on multiple instances of GA, thereby breaking the second factor rule. Further, GA tokens can be easily stolen through shoulder surfing. The same is not true for FortiToken Mobile because of the way FTM tokens are generated, transmitted and provisioned. The seeds are never visible and they can only be activated one time. Fortinet does not charge extra for security. Fortinet is a security company and bakes security into every product. It is part of the Fortinet DNA.
David Redberg Fortinet Product Manager
Jay_Libove
Contributor

You're right, we'll have to agree to disagree.
ispcolohost
Contributor

Jay Libove wrote:
Since FortiToken is OAUTH compliant, can we not use Google Authenticator instead? Anyone been able to work that out? thanks,

Jay, did you ever find a solution for this? I just deployed some Fortigates (200D's) and I'm getting a lot of flak over not supporting Google Authenticator, since the company uses it extensively for applications they've built and doesn't want to deal with multiple tokens/devices.

emnoc
Esteemed Contributor III

If I recall correctly, Google Authenticator is not open source, so how much work it would take to get it working or to fix any issues might become an issue later on.

PCNSE NSE StrongSwan
ispcolohost

emnoc wrote:

If I recall correctly, Google Authenticator is not open source, so how much work it would take to get it working or to fix any issues might become an issue later on.


I believe it is open source (https://github.com/google/google-authenticator-android/), not that that matters since TOTP is a standard:

http://en.wikipedia.org/w...ime_Password_Algorithm

Google Authenticator is just one of many that implement it, but it's nice and convenient so a lot of companies I work with are already using GA for numerous other things and do not want to deal with the hassle of managing multiple tokens per employee, etc.
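Two points in this thread deserve a concrete illustration: ispcolohost's observation that TOTP is a standard (RFC 6238, built on RFC 4226 HOTP) that Google Authenticator merely implements, and David Redberg's earlier point that a seed loaded into a generic authenticator app can be copied, so whoever holds the provisioning URI or QR code holds the second factor. The following is an added example, not code from Fortinet, Google, or anyone in this thread. It implements HOTP/TOTP from the RFCs, parses the otpauth:// URI format that Google Authenticator and compatible apps import from QR codes, and shows a verifier that accepts a small clock-skew window and refuses to accept the same time step twice. The secret, label and issuer are the RFC test-vector key and constructed names, not real credentials.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step, digits, algo)


def secret_from_base32(b32: str) -> bytes:
    """otpauth URIs carry the seed as (often unpadded) base32; restore padding and decode."""
    cleaned = b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def parse_otpauth(uri: str) -> dict:
    """Parse an otpauth://totp/... URI (the QR-code payload authenticator apps import).

    Anyone who can read this URI (a screenshot, a backup, a second phone scanning the
    same QR) can derive the identical seed, which is why the provisioning artifact must
    be treated with the same care as a password.
    """
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    query = parse_qs(parts.query)
    return {
        "label": unquote(parts.path.lstrip("/")),
        "secret": secret_from_base32(query["secret"][0]),
        "digits": int(query.get("digits", ["6"])[0]),
        "period": int(query.get("period", ["30"])[0]),
    }


def verify_totp(secret: bytes, candidate: str, unix_time: int, last_counter: int = -1,
                step: int = 30, digits: int = 6, window: int = 1):
    """Server-side check. Returns the accepted time-step counter, or None.

    Tolerates +/-window steps of clock skew, compares in constant time, and refuses any
    counter at or below the last accepted one so a shoulder-surfed code cannot be replayed
    inside its validity window.
    """
    if not (candidate.isdigit() and len(candidate) == digits):
        return None
    base = unix_time // step
    for delta in range(-window, window + 1):
        counter = base + delta
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), candidate):
            return counter
    return None


# Constructed provisioning URI using the RFC 4226/6238 test key "12345678901234567890".
EXAMPLE_URI = ("otpauth://totp/ExampleVPN:alice%40example.test"
               "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleVPN")


def same_seed_same_code(uri: str, unix_time: int) -> bool:
    """Two independent apps provisioned from one URI are indistinguishable to the server."""
    phone_a = parse_otpauth(uri)
    phone_b = parse_otpauth(uri)  # a second scan of the same QR code
    return totp(phone_a["secret"], unix_time) == totp(phone_b["secret"], unix_time)


if __name__ == "__main__":
    import time
    token = parse_otpauth(EXAMPLE_URI)
    now = int(time.time())
    code = totp(token["secret"], now, token["period"], token["digits"])
    print("current code for", token["label"], "is", code)
    print("accepted at counter", verify_totp(token["secret"], code, now))
    print("second device gets the same code:", same_seed_same_code(EXAMPLE_URI, now))
```

The test vectors below come from the RFC appendices (counter 0 gives 755224, time 59 gives 287082 for six digits and 94287082 for eight), so the block can be checked against any other compliant generator. The replay check is the piece most home-grown verifiers omit: without it, a code observed over someone's shoulder stays usable for the rest of its 30-second step plus the skew window.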