Jay_Libove
Contributor

Google Authenticator instead of FortiToken?

Since FortiToken is OAUTH-compliant, can we not use Google Authenticator instead? Anyone been able to work that out? Thanks,
Jay_Libove
Contributor

One more thing that comes to mind: FortiNet itself doesn't need to be involved in a 2-factor authentication solution at all. The FortiGate appliance is the seed and authentication server. A FortiToken or Google Authenticator or any other OAUTH-compliant soft token is the end-user device. The communication goes over the same Internet connection which the user and the FortiGate must have in order for the whole idea to be useful anyway. So for FortiGate to put itself in the middle, and offer an expensive service, and not include the 2-factor server in FortiOS for those customers who are happy to run it themselves, seems to me to just be a way to try to squeeze more money out of the customers, without providing additional value. (It also makes FortiNet's servers a potential point of failure.)

dred_FTNT
Staff

We'll just have to agree to disagree, but I'll try one more time to answer your concerns.

First of all, the organization for authentication interoperability standards is OATH, not OAUTH. OAuth is an open standard for authorization, something completely different.

Second, what other firewall/VPN vendor offers free tokens for 2FA? Not Cisco, not Checkpoint, not Juniper, not anyone. Fortinet is the only vendor that offers two free tokens with their devices. If you don't want Fortinet tokens for use with your FortiGate, then use someone else's, like Vasco, Safenet or RSA. But you will still have to pay those vendors.

As for pricing analysis, that is highly proprietary and is not something to share in a public forum. And there is always a difference between "List" and "street" price. And there are tons of pricing gimmicks and games, such as server costs and annual subscription fees. So an apples-to-apples comparison is not trivial. A quick Google search reveals this link to a cost comparison from Yubico, who claims the YubiKey has the lowest total fees and annual total cost per credential: http://www.yubico.com/products/comparison/cost/ Their annual soft token cost is $38 PER YEAR.

As for security, the token in 2FA is the second factor, the "something you have" factor. If that factor is able to be copied, it is no longer meeting the definition of 2FA and is not secure in that sense. Tokens installed on GA are easily copied. I can load the same token on multiple instances of GA, thereby breaking the second factor rule. Further, GA tokens can be easily stolen through shoulder surfing. The same is not true for FortiToken Mobile because of the way FTM tokens are generated, transmitted and provisioned. The seeds are never visible and they can only be activated one time.

Fortinet does not charge extra for security. Fortinet is a security company and bakes security into every product. It is part of the Fortinet DNA.
David Redberg Fortinet Product Manager

ispcolohost

emnoc wrote:

If I recall correctly, Google Authenticator is not open source, so how much work it would take to get it working or to fix any issues might become an issue later on.

I believe it is open source (https://github.com/google/google-authenticator-android/), not that that matters since TOTP is a standard:

http://en.wikipedia.org/w...ime_Password_Algorithm

Google Authenticator is just one of many that implement it, but it's nice and convenient so a lot of companies I work with are already using GA for numerous other things and do not want to deal with the hassle of managing multiple tokens per employee, etc.

ispcolohost
Contributor

While trying to decide what to do, I came across some websites that suggested using a FreeRADIUS server as the authentication source as it has the ability to auth using Google Authenticator.  Point the Fortigate at the FreeRADIUS server, problem solved; two factor auth.  I'm going to give it a try and will report back.
