Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
nehpets
New Contributor

Why are FortiToken registration messages not standards compliant?

I already have a mobile authenticator app that I use for the rest of my OATH-compatible rolling codes.  Why does the QR code received from Fortinet not work with a standard app?

 

I have no desire to install Fortinet's app for a single code.

1 REPLY 1
pminarik
Staff
Staff

"Unique token provisioning service via FortiGuard™ minimizes provisioning overhead and
ensures maximum seed security"
"Patented cross platform token transfer"

ref: https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/fortitoken.pdf

 

I was told ages ago that the activation mechanism is supposedly patented. It is said to increase the security of the seed. The QR code is merely the activation ASCII string which is only the FortiGuard activation server understands. So presumably the user can't leak/share the seed, even if they wanted to.

 

Note that the seeds can be retrieved in a standard manner (which can eventually be used to import it into a generic third-party app), but this is only available with FortiAuthenticator - https://docs.fortinet.com/document/fortiauthenticator/6.5.3/rest-api-solution-guide/829822/local-use... (section "Third-party integration: FTM provisioning")

[ corrections always welcome ]
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors