Fortinet black logo

Administration Guide

FortiAuthenticator 6.4.2

FortiAuthenticator 6.4.2

The following list contains new and expanded features added in FortiAuthenticator 6.4.2.

Password compliance: Password cannot be the username

FortiAuthenticator now forbids using the username as password when creating or changing passwords for local user accounts. The restriction is case-insensitive.

Mixed FIDO and OTP based authentication

FortiAuthenticator now offers new options that allow a user to log in using password and OTP when FIDO is enabled, but the FIDO keys have been revoked.

Self-service portal, captive portal, and OAuth policies now include a new Allow two-factor authentication (password and OTP) if all FIDO keys have been revoked for the user account option in the Authentication factors tab when FIDO authentication is enabled.

See Self-service portal policies, Captive portal policies, Policies.

The Authentication pane in Authentication > SAML IdP > Service Providers now includes:

  • New FIDO-only and Password and FIDO options when Authentication method is set to FIDO-only.

  • A new Allow two-factor authentication (password and OTP) if all FIDO keys have been revoked for the user account toggle when the Authentication method is FIDO-only.

See Service providers.

FIDO: Admin registers the token for a user

FortiAuthenticator now allows the admin to register a FIDO key for local and remote user accounts.

New Register FIDO key and Delete all FIDO keys buttons in the FIDO authentication toggle when creating or editing local and remote users.

See Local users and Remote users.

LDAP users: Send SMS/Email message to users after import

FortiAuthenticator now includes options to send a message to the end user when a user account is created with a valid mobile number and/or email address.

The message option includes Email, SMS, or both. The messages are customizable through replacement messages and can be sent to one or more end user accounts.

General tab in Authentication > User Account Policies is updated to include the following changes:

  • Request password reset after token verification renamed to Request password reset after OTP verification.

  • Enhanced cryptography for storage of local user passwords renamed to Enhanced cryptography.

  • Expire device login after renamed to Windows machine authentication.

  • New Send message on remote LDAP account import toggle with SMS and Email options.

  • Expire inactive RADIUS accounting session after renamed to Inactive RADIUS accounting.

  • Session duration of authenticated TACACS+ user renamed to TACACS+ authentication.

  • Look up geo-location of user IP for Web Service renamed to Use geolocation in FortiToken Mobile push notifications and available in System > Administration > System Access.

See General and System access.

New replacement messages in System > Administration > Replacement Messages to customize account import email subject, message, and the SMS. See Replacement messages.

For the remote LDAP user, the admin can manually (re)send the Email and/or SMS remote LDAP account import message to any user account using the new Notify button next to Email and Mobile number in User Information when creating or editing a remote LDAP user. See Remote users.

FTM activation window increased to a maximum of 30 days

The activation timeout window in System > Administration > FortiGuard has been increased to a maximum of 30 days. See FortiGuard.

Updated log view

The Logs tab in Logging > Log Access is updated to include the following:

  • A new Downloads dropdown that combines all the previously available header buttons.

  • A new help icon before the search bar that tells what can be looked up using the search bar.

  • Search for log records renamed to Search by substring (e.g. username).

  • A new period dropdown (clock icon) to filter logs based on time period.

  • A new Reset table column widths icon to reset the table column widths to default.

See Log access.

FortiAuthenticator 3000E: Additional user license

You can now add up to an additional 100,000 users license for FortiAuthenticator-3000E.

Sponsor portal: Segregation, auditing, and security related enhancements

FortiAuthenticator now includes a new Each sponsor only has access to guest users they created toggle in Authentication > User Account Policies > General to allow sponsors to view only those guest users created by the sponsor. See General.

For enhanced security, guest user passwords are no more visible to the sponsor when the sponsor views the guest users list. When the sponsor edits or exports guest users, user password is obfuscated by default and only visible when clicked. Upon reclicking, the password is obfuscated.

When editing a guest user, clicking the Reset Password button assigns a new password to the guest user and displays the password.

When a sponsor creates a guest user account, the guest user is automatically assigned to the sponsor creating it.

When an admin creates a guest user account, the admin can select the sponsor using the new Sponsor option.

See Guest users.

Also, the following sponsor actions now generate log events in FortiAuthenticator:

  • Creating a guest user

  • Deleting a guest user

  • Viewing a guest user

  • Modifying a guest user

  • Resetting a guest user password

  • Viewing a guest user password

  • Printing guest user credentials

  • Email guest user credentials

  • Sending guest user credentials as SMS

  • Exporting guest user credentials as a CSV file

Firmware upgrade via REST API

New upgrade endpoint to upgrade FortiAuthenticator firmware. See REST API Solutions Guide.

Self-service portal: Display FortiToken Mobile activation QR code

The self-service portal offers new options to provision the FortiToken Mobile using the QR or activation code displayed in the portal itself.

A new Scan QR code option while registering a token in a self-service portal to activate the token by scanning a QR code. When the Scan QR code option is selected, a page with the QR code appears, which can then be scanned using the FortiToken Mobile app. Alternatively, the activation code can be entered manually in the FortiToken Mobile app.

The information on the page with the QR code can be customized using the new FortiToken Mobile Activation Scan QR Message replacement message in Authentication > Portals > Replacement Messages.

Additional system information via REST API

The following new fields are available in the systeminfo endpoint:

  • users_usage_detail

  • groups_usage_detail

  • ftk_usage_detail

  • ftm_usage_detail

  • fsso_usage_detail

  • ssoma_usage_detail

For information about the new fields, see REST API Solutions Guide.

FortiAuthenticator 6.4.2

The following list contains new and expanded features added in FortiAuthenticator 6.4.2.

Password compliance: Password cannot be the username

FortiAuthenticator now forbids using the username as password when creating or changing passwords for local user accounts. The restriction is case-insensitive.

Mixed FIDO and OTP based authentication

FortiAuthenticator now offers new options that allow a user to log in using password and OTP when FIDO is enabled, but the FIDO keys have been revoked.

Self-service portal, captive portal, and OAuth policies now include a new Allow two-factor authentication (password and OTP) if all FIDO keys have been revoked for the user account option in the Authentication factors tab when FIDO authentication is enabled.

See Self-service portal policies, Captive portal policies, Policies.

The Authentication pane in Authentication > SAML IdP > Service Providers now includes:

  • New FIDO-only and Password and FIDO options when Authentication method is set to FIDO-only.

  • A new Allow two-factor authentication (password and OTP) if all FIDO keys have been revoked for the user account toggle when the Authentication method is FIDO-only.

See Service providers.

FIDO: Admin registers the token for a user

FortiAuthenticator now allows the admin to register a FIDO key for local and remote user accounts.

New Register FIDO key and Delete all FIDO keys buttons in the FIDO authentication toggle when creating or editing local and remote users.

See Local users and Remote users.

LDAP users: Send SMS/Email message to users after import

FortiAuthenticator now includes options to send a message to the end user when a user account is created with a valid mobile number and/or email address.

The message option includes Email, SMS, or both. The messages are customizable through replacement messages and can be sent to one or more end user accounts.

General tab in Authentication > User Account Policies is updated to include the following changes:

  • Request password reset after token verification renamed to Request password reset after OTP verification.

  • Enhanced cryptography for storage of local user passwords renamed to Enhanced cryptography.

  • Expire device login after renamed to Windows machine authentication.

  • New Send message on remote LDAP account import toggle with SMS and Email options.

  • Expire inactive RADIUS accounting session after renamed to Inactive RADIUS accounting.

  • Session duration of authenticated TACACS+ user renamed to TACACS+ authentication.

  • Look up geo-location of user IP for Web Service renamed to Use geolocation in FortiToken Mobile push notifications and available in System > Administration > System Access.

See General and System access.

New replacement messages in System > Administration > Replacement Messages to customize account import email subject, message, and the SMS. See Replacement messages.

For the remote LDAP user, the admin can manually (re)send the Email and/or SMS remote LDAP account import message to any user account using the new Notify button next to Email and Mobile number in User Information when creating or editing a remote LDAP user. See Remote users.

FTM activation window increased to a maximum of 30 days

The activation timeout window in System > Administration > FortiGuard has been increased to a maximum of 30 days. See FortiGuard.

Updated log view

The Logs tab in Logging > Log Access is updated to include the following:

  • A new Downloads dropdown that combines all the previously available header buttons.

  • A new help icon before the search bar that tells what can be looked up using the search bar.

  • Search for log records renamed to Search by substring (e.g. username).

  • A new period dropdown (clock icon) to filter logs based on time period.

  • A new Reset table column widths icon to reset the table column widths to default.

See Log access.

FortiAuthenticator 3000E: Additional user license

You can now add up to an additional 100,000 users license for FortiAuthenticator-3000E.

Sponsor portal: Segregation, auditing, and security related enhancements

FortiAuthenticator now includes a new Each sponsor only has access to guest users they created toggle in Authentication > User Account Policies > General to allow sponsors to view only those guest users created by the sponsor. See General.

For enhanced security, guest user passwords are no more visible to the sponsor when the sponsor views the guest users list. When the sponsor edits or exports guest users, user password is obfuscated by default and only visible when clicked. Upon reclicking, the password is obfuscated.

When editing a guest user, clicking the Reset Password button assigns a new password to the guest user and displays the password.

When a sponsor creates a guest user account, the guest user is automatically assigned to the sponsor creating it.

When an admin creates a guest user account, the admin can select the sponsor using the new Sponsor option.

See Guest users.

Also, the following sponsor actions now generate log events in FortiAuthenticator:

  • Creating a guest user

  • Deleting a guest user

  • Viewing a guest user

  • Modifying a guest user

  • Resetting a guest user password

  • Viewing a guest user password

  • Printing guest user credentials

  • Email guest user credentials

  • Sending guest user credentials as SMS

  • Exporting guest user credentials as a CSV file

Firmware upgrade via REST API

New upgrade endpoint to upgrade FortiAuthenticator firmware. See REST API Solutions Guide.

Self-service portal: Display FortiToken Mobile activation QR code

The self-service portal offers new options to provision the FortiToken Mobile using the QR or activation code displayed in the portal itself.

A new Scan QR code option while registering a token in a self-service portal to activate the token by scanning a QR code. When the Scan QR code option is selected, a page with the QR code appears, which can then be scanned using the FortiToken Mobile app. Alternatively, the activation code can be entered manually in the FortiToken Mobile app.

The information on the page with the QR code can be customized using the new FortiToken Mobile Activation Scan QR Message replacement message in Authentication > Portals > Replacement Messages.

Additional system information via REST API

The following new fields are available in the systeminfo endpoint:

  • users_usage_detail

  • groups_usage_detail

  • ftk_usage_detail

  • ftm_usage_detail

  • fsso_usage_detail

  • ssoma_usage_detail

For information about the new fields, see REST API Solutions Guide.