Admin Guide

General

Parameter

Default value

MFA Method

Select the method that FTC uses to further authenticate your end-users upon receiving their login credentials (i.e., username and password).

  • FTM (default)—FTC sends a unique one-time passcode (OTP) to the FortiToken Mobile app on end-users' smart phones.

    Note: This option requires that your end-users must have the FortiToken Mobile app installed on their smart phones.

  • SMS—FTC sends an OTP via text message to your end-users' smart phones. Upon receiving the OTP, the end-user must enter it on the log-in page to gain access to the auth client.

    Note: To use this option, FTC must have the end-users' valid smart phone numbers in its database.

  • Email—FTC sends a unique OTP to the end-users' email addresses on file. The users then have to manually copy and paste the OTP into FTC to gain access to the auth client (i.e., FGT or FAC).
  • FTK—FTC requires end-users to provide the OTP generated by their FortiToken (hardware token) for MFA.

    Note: To use this option, the FTC admin must first add the serial numbers of the FortiTokens to FTC and assign them to the end-users. Upon receiving an end-user's username and password, FTC prompts the user for an OTP from the FortiToken device. The user must press the FortiToken to get the OTP, and then manually enter it. See Hardware Tokens. Also, when FTK is set as the MFA method for a realm, you can let FTC automatically assign FTKs to selected users by clicking the Auto-assign FTK button on the Users page. See Users.

Max Login Attempts Before Lockout

Click above the horizontal line and specify the number of failed login attempts allowed before lockout. Valid values range from 1 to 25. The default is 7.

Note: FTC does not allow locked users to authenticate. Instead, it displays the message "Locked, please try again in <lockout interval> minutes."

Lockout Period

Click above the horizontal line and specify a lockout period, which ranges from 60 to 7,200 seconds. The default is 60 seconds.
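The following is an added example, not Fortinet's code, that models the documented Max Login Attempts Before Lockout and Lockout Period behaviour so you can check how a chosen pair of values plays out. Class and method names are assumed, and showing the remaining lock time rounded up to whole minutes is an assumption about how the "<lockout interval>" placeholder is filled.

```python
# Added example (not FTC's implementation): lockout counter with the
# documented value ranges. Names and the minute rounding are assumptions.
import math

MAX_ATTEMPTS_RANGE = (1, 25)        # documented valid range, default 7
LOCKOUT_SECONDS_RANGE = (60, 7200)  # documented valid range, default 60


class LockoutPolicy:
    def __init__(self, max_attempts=7, lockout_seconds=60):
        lo, hi = MAX_ATTEMPTS_RANGE
        if not lo <= max_attempts <= hi:
            raise ValueError("max_attempts must be between 1 and 25")
        lo, hi = LOCKOUT_SECONDS_RANGE
        if not lo <= lockout_seconds <= hi:
            raise ValueError("lockout_seconds must be between 60 and 7200")
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self._failures = {}      # user -> consecutive failed attempts
        self._locked_until = {}  # user -> unix time at which the lock expires

    def check(self, user, now):
        """Return None if the user may attempt to authenticate, otherwise the
        documented lockout message with the remaining time in minutes."""
        until = self._locked_until.get(user)
        if until is not None and now < until:
            minutes = math.ceil((until - now) / 60)
            return f"Locked, please try again in {minutes} minutes."
        if until is not None:  # lock has expired: reset the counter
            del self._locked_until[user]
            self._failures.pop(user, None)
        return None

    def record_failure(self, user, now):
        """Count one failed login; return True if this failure locks the user."""
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count >= self.max_attempts:
            self._locked_until[user] = now + self.lockout_seconds
            return True
        return False

    def record_success(self, user):
        """A successful login clears the consecutive-failure counter."""
        self._failures.pop(user, None)
```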

Enable Bypass

Enable or disable bypass.

  • Enable—End-users can bypass MFA. If enabled, you must also set the Bypass Expiration Time, as described below.
  • Disable (default)—End-users cannot bypass MFA.

Note: If Enable Bypass is disabled on the Settings page, the admin user cannot enable bypass for FTC end-users on the Users page. See Users.

Bypass Expiration Time

(Available only when Enable Bypass is enabled.) Specify the length of time bypass remains in effect. Valid values range from 5 minutes to 72 hours. The default is 1 hour (3,600 seconds).

Auto-alias by Email

Enable or disable the Auto-alias by Email feature.

Note: The feature is disabled by default. For more information, see Enable Auto-alias by Email.

Replay Protection

HIGH (forbid all replays) — The authentication follows the current mechanism and does not allow any OTP replay.

MEDIUM (ignore FTM push replay) — The authentication counts OTP replays for manual input only. Requests from push authentications are not counted and are not subject to OTP replay protection.

LOW (ignore FTM/FTK auth replay) — OTP replay protection is disabled.

Note: For email and SMS, OTP replays are always rejected regardless of this setting.
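The following is an added example, not Fortinet's code, that models the documented Replay Protection decision for each setting and MFA method, including the rule that email and SMS OTPs are always replay-checked. The enum, function and method names are assumed; the underlying OTP validity check is assumed to happen elsewhere and is passed in as a flag.

```python
# Added example (not FTC's implementation): which OTP replays are rejected
# under each Replay Protection level. Names are assumptions.
from enum import Enum


class Replay(Enum):
    HIGH = "high"      # forbid all replays
    MEDIUM = "medium"  # ignore FTM push replays, still count manual input
    LOW = "low"        # FTM/FTK replay protection disabled


# Documented: email and SMS replays are rejected whatever the setting.
ALWAYS_PROTECTED = {"email", "sms"}


def replay_checked(setting, method, via_push=False):
    """Return True if a reused OTP must be rejected for this request."""
    if method in ALWAYS_PROTECTED:
        return True
    if setting is Replay.HIGH:
        return True
    if setting is Replay.MEDIUM:
        return not via_push  # manually entered OTPs are still counted
    return False             # LOW: protection disabled for FTM/FTK


class OtpVerifier:
    def __init__(self, setting):
        self.setting = setting
        self._used = set()  # (user, method, otp) tuples already accepted

    def verify(self, user, method, otp, valid, via_push=False):
        """valid: result of the cryptographic OTP check (assumed done elsewhere).
        Returns a short outcome string."""
        if not valid:
            return "rejected: bad otp"
        key = (user, method, otp)
        if key in self._used and replay_checked(self.setting, method, via_push):
            return "rejected: replay"
        self._used.add(key)
        return "accepted"
```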

Adaptive Auth Profile

Select an adaptive auth profile.
