Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Google Authenticator instead of FortiToken?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Google Authenticator instead of FortiToken?
Since FortiToken is OAUTH compliant, can we not use Google Authenticator instead?
Anyone been able to work that out?
thanks,
Solved! Go to Solution.
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
2 Solutions
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
One more thing that comes to mind, FortiNet itself doesn' t need to be involved in a 2-factor authentication solution at all. The FortiGate appliance is the seed and authentication server. A FortiToken or Google Authenticator or any other OAUTH compliance soft token is the end-user device. The communication goes over the same Internet connection which the user and the FortiGate must have in order for the whole idea to be useful anway.
So for FortiGate to put itself in the middle, and offer an expensive service, and not include the 2-factor server in FortiOS for those customers who are happy to run it themselves, seems to me to just be a way to try to squeeze more money out of the customers, without providing additional value. (It also makes FortiNet' s servers a potential point of failure).
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
we' ll just have to agree to disagree. but i' ll try one more time to answer your concerns:
first of all the, the organization for authentication interoperability standards is OATH, not OAUTH. OAuth is an open standard for authorization, something completely different.
second, what other firewall/VPN vendor offers free tokens for 2FA? Not Cisco, not Checkpoint, not Juniper, not anyone. Fortinet is the only vendor that offers two free tokens with their devices. If you don' t want Fortinet tokens fro use with your FortiGate, then use someone else' s, like Vasco, Safenet or RSA. But you will still have to pay those vendors.
As for pricing analysis, that is highly proprietary and is not something to share in a public forum. And there is always a difference between " List" and " street" price. And there are tons of pricing gimmicks and games, such as server costs and annual subscription fees. So an apples-to-apples comparison is not trivial.
A quick Google search reveals this link to a cost comparison from Yubico, who claims the YubiKey has the lowest total fees and annual total cost per credential.
http://www.yubico.com/products/comparison/cost/
Their annual soft token cost is $38 PER YEAR.
As for security, the token in 2FA is the second factor, the " something you have" factor. If that factor is able to be copied, it is no longer meeting the definition of 2FA and is not secure in that sense. Tokens installed on GA are easily copied. I can load the same token on multiple instances of GA thereby breaking the second factor rule. Further, GA tokens can be easily stolen through shoulder surfing. The same is not true for FortiToken Mobile because of the way FTM tokens are generated, transmitted and provisioned. They seeds are never visible and they can only be activated one time. Fortinet does not charge extra for security. Fortinet is a security company and bakes security into every product. It is part of the Fortinet DNA.
David Redberg
Fortinet Product Manager
21 REPLIES 21
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Jay,
Fortinet, like any other vendor of Two Factor Authentication (2FA) systems, including RSA, Vasco, Safenet, etc., charges for tokens (hard and soft). In fact, Fortinet is the most economical choice in terms of total cost of ownership, especially in the case of using the FortiGate as the authentication server (since the function is built in and there is no additional license for a separate piece of hardware or software). If you purchased another vendor' s 2FA product for your network whether it be to add strong authentication to a Fortinet, Checkpoint, Cisco or whosoever VPN/Firewall, you would pay for tokens and the authentication server, as well as ongoing support.
Also, please note that Fortinet provides TWO FREE FTM TOKENS with every FortiGate (or FortoGate HA cluster) on FortiGate FOS 5.0 and up.
So what I' m saying is that if you want to add a One Time Password solution to your FortiFGate, and you are using FTM v2, you can use the same app for your Third Party tokens as well. And you can have two free Fortinet FTM tokens per FortiGate.
As for security not having to be perfect, I agree. There is always the tradeoff between security and usability. But Google is not a security company. Fortinet is. Protecting the OTP seed is of the utmost importance to many customers. Therefore Fortinet provides a more secure mobile token app that is as easy to use as GA, if not easier.
-D
David Redberg
Fortinet Product Manager
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It' s lovely that FortiNet provides a more secure (than I need nor want to pay for) token option for those clients who need/want/are willing to pay for it.
What I' m complaining about is that FortiNet does NOT allow us to use the economical, really quite secure (certainly enough for us) options which LinkedIn, eBay, PayPal, Facebook, and dozens of others include even in their free services - e.g. Google Authenticator.
And even for those for whom the extra security is justified (although, see later discussion/challenge below) I can' t believe that €80/token in small quantities [5], or €62/token in moderate quantities [100] is so economical as you say. It took some work, but I finally found a document (two years old, so the prices if anything should be cheaper now) showing an actual price model for the Verisign VIP hosted token service, for the UK government. At the size of a 100-user deployment, the setup fee is £32/user (£3205 total setup), plus an annual token fee of £9,62/token. In other words, acquisition cost including first year support £42 followed by £9,62/user/year. Note that FortiNet' s model hides the ongoing support cost of the FortiToken service in the maintenance agreement on the FortiGate appliances/ FortiOS updates and support, so the one-time €62 cost I' ve been quoted for FortiTokens is not the whole story. And I remind us all that the FortiNet pricing is for soft tokens, whereas the Verisign VIP pricing example I found is for physical tokens.
I' m also rather curious about your repeated assertion that the OTP Seed is better protected with FortiNet than with e.g. Google. Could you explain in technical detail please? Then we can really dig in to whether the extra level of security in fact matters to the vast majority of users; I doubt that the real security difference in fact would be important, if the users really understood the ins and outs of it.
thank you,
-Jay
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
One more thing that comes to mind, FortiNet itself doesn' t need to be involved in a 2-factor authentication solution at all. The FortiGate appliance is the seed and authentication server. A FortiToken or Google Authenticator or any other OAUTH compliance soft token is the end-user device. The communication goes over the same Internet connection which the user and the FortiGate must have in order for the whole idea to be useful anway.
So for FortiGate to put itself in the middle, and offer an expensive service, and not include the 2-factor server in FortiOS for those customers who are happy to run it themselves, seems to me to just be a way to try to squeeze more money out of the customers, without providing additional value. (It also makes FortiNet' s servers a potential point of failure).
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Jay,
FortiToken Mobile is a FREE application. Free Tokens for Google, DropBox, etc (i.e., any free tokens that are supported in Google Authenticator -GA) can be easily provisioned to FortiToken Mobile for FREE.
Your assumption about FortiNet NOT allowing you to use two step verification options for FREE as you can with GA is not true. BTW, note that some of the services you mentioned, like LinkedIn, provide two step verification only via SMS and you cannot use GA (or any other OTP generator app) to generate the codes (at least according to their help pages).
Back to my point: You can use FortiToken Mobile for FREE with the same FREE tokens you can get for use with GA. And, if you want to use Fortinet soft tokens to protect your own network assets, the first two are FREE and the rest you pay for, just like any other commercial 2FA/token vendor. We have done extensive pricing analysis and are confident we are the most economical against other top 2FA vendors like RSA and Vasco.
David Redberg
Fortinet Product Manager
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dred, let' s clarify.
I am NOT talking about whether the FortiToken app may be used as an OAUTH compatible client for other sites and services. I am only talking about 2-factor authentication for VPN access to my network through my FortiGate appliance.
So, please, stop insisting that " my assumption" , etc is incorrect, as that is not my assumption. It isn' t what I' m talking about at all.
You note extensive pricing analysis, without responding to the concrete case that I noted a couple of posts back of pricing by Verisign VIP for hardware tokens cheaper than today' s FortiNet pricing for software tokens.
You also have not responded to my challenge about the " extra security" you claim of the FortiToken seed model as to
1) whether/how it really is more secure in a meaningful way to the great majority of users; and
2) even if it is in fact more secure, whether the things it is more secure against
2a) matter to most users, and even if it matters to many users whether
2b) it matters enough to justify its higher cost.
Even if all of the above remains true (which I doubt, and I continue to ask FortiNet to answer), there still remains the fact that just because it can be done this way (and be a revenue stream for the vendor) does not mean that it must be done this way. I remain unconvinced that FortiNet' s token service and pricing model is anything more than an artificially captive extra revenue stream.
Convince me otherwise, with details and facts, please.
Thank you,
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
we' ll just have to agree to disagree. but i' ll try one more time to answer your concerns:
first of all the, the organization for authentication interoperability standards is OATH, not OAUTH. OAuth is an open standard for authorization, something completely different.
second, what other firewall/VPN vendor offers free tokens for 2FA? Not Cisco, not Checkpoint, not Juniper, not anyone. Fortinet is the only vendor that offers two free tokens with their devices. If you don' t want Fortinet tokens fro use with your FortiGate, then use someone else' s, like Vasco, Safenet or RSA. But you will still have to pay those vendors.
As for pricing analysis, that is highly proprietary and is not something to share in a public forum. And there is always a difference between " List" and " street" price. And there are tons of pricing gimmicks and games, such as server costs and annual subscription fees. So an apples-to-apples comparison is not trivial.
A quick Google search reveals this link to a cost comparison from Yubico, who claims the YubiKey has the lowest total fees and annual total cost per credential.
http://www.yubico.com/products/comparison/cost/
Their annual soft token cost is $38 PER YEAR.
As for security, the token in 2FA is the second factor, the " something you have" factor. If that factor is able to be copied, it is no longer meeting the definition of 2FA and is not secure in that sense. Tokens installed on GA are easily copied. I can load the same token on multiple instances of GA thereby breaking the second factor rule. Further, GA tokens can be easily stolen through shoulder surfing. The same is not true for FortiToken Mobile because of the way FTM tokens are generated, transmitted and provisioned. They seeds are never visible and they can only be activated one time. Fortinet does not charge extra for security. Fortinet is a security company and bakes security into every product. It is part of the Fortinet DNA.
David Redberg
Fortinet Product Manager
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Literally every other firewall allows the use of standard MFA Authenticator apps
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You' re right, we' ll have to agree to disagree.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Jay Libove wrote:
Since FortiToken is OAUTH compliant, can we not use Google Authenticator instead? Anyone been able to work that out? thanks,
Jay, did you ever find a solution for this? I just deployed some Fortigates (200D's) and I'm getting a lot of flack over not supporting Google Authenticator since the company uses it extensively for applications they've built and doesn't want to deal with multiple tokens/devices.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If I recall correct Google Authenticator is not opensource, so how much work it would take to get it working or to fix any issues, might become a issue later on.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,738 -
FortiClient
1,775 -
5.2
801 -
FortiManager
736 -
5.4
639 -
FortiAnalyzer
562 -
FortiSwitch
476 -
FortiAP
474 -
FortiClient EMS
436 -
6.0
416 -
5.6
362 -
FortiMail
320 -
6.2
251 -
SSL-VPN
248 -
FortiAuthenticator v5.5
234 -
IPsec
212 -
FortiWeb
206 -
5.0
196 -
FortiNAC
190 -
FortiGuard
139 -
6.4
128 -
SD-WAN
117 -
FortiAuthenticator
105 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
97 -
FortiToken
92 -
Firewall policy
84 -
Customer Service
80 -
Wireless Controller
80 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
FortiADC
54 -
Fortivoice
53 -
FortiEDR
52 -
vlan
52 -
ZTNA
49 -
Routing
47 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
44 -
FortiDNS
42 -
LDAP
42 -
BGP
40 -
Authentication
39 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
Certificate
35 -
FortiSwitch v6.4
34 -
RADIUS
34 -
SSO
33 -
Interface
31 -
FortiConnect
30 -
VDOM
30 -
FortiLink
29 -
FortiWAN
27 -
Application control
27 -
Web profile
27 -
FortiConverter
25 -
Logging
25 -
Virtual IP
25 -
FortiGate v5.2
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiGate-VM
18 -
FortiMonitor
18 -
Traffic shaping
17 -
SSID
16 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
Automation
15 -
FortiGate v5.0
14 -
FortiSoar
14 -
Static route
14 -
System settings
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
FortiCASB
12 -
Admin
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
Proxy policy
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
IPS signature
10 -
FortiAP profile
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Web rating
7 -
Fortinet Engage Partner Program
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
API
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
Vulnerability Management
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1732 | |
| 1105 | |
| 752 | |
| 447 | |
| 240 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.