Fortinet black logo

Administration Guide

Tokens

Tokens

To configure token policy settings, go to Authentication > User Account Policies > Tokens.

Configure the following settings:

FortiTokens
TOTP authentication window size Configure the length of time, plus or minus the current time, that a FortiToken code is deemed valid, from 1 - 60 minutes. The default is set to 1 minute.
HOTP authentication window size Configure the count, or number of times, that the FortiToken passcode is deemed valid, from 1 - 100 counts. The default is set to 3 counts.
TOTP sync window size

Configure the period of time in which the entry of an invalid token can trigger a synchronization, from 5 - 480 minutes. The default is set to 60 minutes.

If the token is incorrect according to the FortiToken valid window, but exists in the sync window, synchronization will be initiated.

HOTP sync window size Configure the count, or number of times, that the entry of an invalid token can trigger a synchronization, from 5 - 500 counts. The default is set to 100 counts.

If the token is incorrect according to the FortiToken valid window, but exists in the sync window, synchronization will be initiated.
Seed encryption passphrase Passphrase to derive a seed encryption key from, for seed returned when provisioning a FortiToken Mobile via web service (REST API).
FortiAuthenticator Agent Offline FortiToken Support
Enable offline support

Configure to allow the Windows Agent to cache future-dated tokens when the client's PC is offline. Enable this option to set the following:

Shared secret: Set the shared secret used in offline support.

TOTP cache size: Period of time after last login to pre-cache offline TOTP tokens, from 1 - 200 days. The default is set to 7 days.

HOTP cache size: Period of time after last login to pre-cache offline HOTP tokens, from 1 - 4000 counts. The default is set to 10 counts.

Enable emergency codes

Enable to allow the Windows Agent to use emergency codes.

The emergency code helps users with 2FA who may find themselves without access to FortiToken, SMS, or email.

Note: This option is disabled by default.

Emergency codes valid for

Configure the number of days for which an emergency code is valid, from 1 - 30. The default is set to 7.

FortiToken Mobile Transfer
Enable token transfer feature Enable to let users securely transfer FortiToken Mobile tokens from one mobile device to another. See Transferring FortiToken Mobile tokens from old to new devices below.
Email/SMS
Token timeout Set a time after which a token code sent via email or SMS will be marked as expired, from 10 - 3600 seconds (or one hour). The default is set to 60 seconds.

Transferring FortiToken Mobile tokens from old to new devices

Changing devices requires the user to install new tokens on their new device because the unique device ID is used to form the seed decryption key.

caution icon If you wipe data from your device, or upgrade your device, you will need to re-provision your accounts.

The option to Enable token transfer feature is available under Authentication > User Account Policies > Tokens.

If it is not enabled, FortiAuthenticator blocks all requests to Transfer Activation Code (see below).

The process for transferring a token to a new device is as follows:

  1. The end user selects a new FortiToken Mobile menu option: Initiate Token Transfer.
  2. FortiToken Mobile requests a new "Token Transfer Request" service from FortiCare, and includes the token data.
  3. FortiCare stores the token data and creates a Transfer Activation Code.
  4. FortiCare signals back to FortiToken Mobile on the old device that "Transfer Initialization" is complete.
  5. On the old device, FortiToken Mobile sends a request to FortiAuthenticator for the Transfer Activation Code.
  6. FortiAuthenticator retrieves the Transfer Activation Code from FortiCare and signals back to FortiToken Mobile (on the old device) that the Transfer Activation Code request was successful.
  7. FortiAuthenticator sends either an email or SMS to the end user with the transfer code (as a QR code in the case of email).
  8. On the new device, the end user selects the FortiToken Mobile menu option Complete Token Transfer and enters the transfer code (or scans the QR code).
  9. FortiToken Mobile receives the token data from FortiCare and installs the token(s) on the new device.
    note iconAll tokens are removed on the old device after the transfer is complete.

Tokens

To configure token policy settings, go to Authentication > User Account Policies > Tokens.

Configure the following settings:

FortiTokens
TOTP authentication window size Configure the length of time, plus or minus the current time, that a FortiToken code is deemed valid, from 1 - 60 minutes. The default is set to 1 minute.
HOTP authentication window size Configure the count, or number of times, that the FortiToken passcode is deemed valid, from 1 - 100 counts. The default is set to 3 counts.
TOTP sync window size

Configure the period of time in which the entry of an invalid token can trigger a synchronization, from 5 - 480 minutes. The default is set to 60 minutes.

If the token is incorrect according to the FortiToken valid window, but exists in the sync window, synchronization will be initiated.

HOTP sync window size Configure the count, or number of times, that the entry of an invalid token can trigger a synchronization, from 5 - 500 counts. The default is set to 100 counts.

If the token is incorrect according to the FortiToken valid window, but exists in the sync window, synchronization will be initiated.
Seed encryption passphrase Passphrase to derive a seed encryption key from, for seed returned when provisioning a FortiToken Mobile via web service (REST API).
FortiAuthenticator Agent Offline FortiToken Support
Enable offline support

Configure to allow the Windows Agent to cache future-dated tokens when the client's PC is offline. Enable this option to set the following:

Shared secret: Set the shared secret used in offline support.

TOTP cache size: Period of time after last login to pre-cache offline TOTP tokens, from 1 - 200 days. The default is set to 7 days.

HOTP cache size: Period of time after last login to pre-cache offline HOTP tokens, from 1 - 4000 counts. The default is set to 10 counts.

Enable emergency codes

Enable to allow the Windows Agent to use emergency codes.

The emergency code helps users with 2FA who may find themselves without access to FortiToken, SMS, or email.

Note: This option is disabled by default.

Emergency codes valid for

Configure the number of days for which an emergency code is valid, from 1 - 30. The default is set to 7.

FortiToken Mobile Transfer
Enable token transfer feature Enable to let users securely transfer FortiToken Mobile tokens from one mobile device to another. See Transferring FortiToken Mobile tokens from old to new devices below.
Email/SMS
Token timeout Set a time after which a token code sent via email or SMS will be marked as expired, from 10 - 3600 seconds (or one hour). The default is set to 60 seconds.

Transferring FortiToken Mobile tokens from old to new devices

Changing devices requires the user to install new tokens on their new device because the unique device ID is used to form the seed decryption key.

caution icon If you wipe data from your device, or upgrade your device, you will need to re-provision your accounts.

The option to Enable token transfer feature is available under Authentication > User Account Policies > Tokens.

If it is not enabled, FortiAuthenticator blocks all requests to Transfer Activation Code (see below).

The process for transferring a token to a new device is as follows:

  1. The end user selects a new FortiToken Mobile menu option: Initiate Token Transfer.
  2. FortiToken Mobile requests a new "Token Transfer Request" service from FortiCare, and includes the token data.
  3. FortiCare stores the token data and creates a Transfer Activation Code.
  4. FortiCare signals back to FortiToken Mobile on the old device that "Transfer Initialization" is complete.
  5. On the old device, FortiToken Mobile sends a request to FortiAuthenticator for the Transfer Activation Code.
  6. FortiAuthenticator retrieves the Transfer Activation Code from FortiCare and signals back to FortiToken Mobile (on the old device) that the Transfer Activation Code request was successful.
  7. FortiAuthenticator sends either an email or SMS to the end user with the transfer code (as a QR code in the case of email).
  8. On the new device, the end user selects the FortiToken Mobile menu option Complete Token Transfer and enters the transfer code (or scans the QR code).
  9. FortiToken Mobile receives the token data from FortiCare and installs the token(s) on the new device.
    note iconAll tokens are removed on the old device after the transfer is complete.