
Wednesday, August 5, 2020

How to enable e-mail as a two-factor authentication for a user and increase token timeout on FortiGate

I would say absolutely that FortiToken (be it a mobile app or a physical token) is the most secure and preferable way today for multi-factor authentication. The other two, SMS message and e-mail message, are vulnerable to many attacks, including the not so technically sophisticated SIM swapping. But sometimes a less secure method is better than none. There are two catches with using e-mail as MFA on FortiGate though:

  • It is not available in the GUI until you turn it on at the CLI.

  • E-mails tend to get delayed sometimes, and the default validity time for any FortiGate-produced token code (SMS, e-mail, FortiToken) is 60 seconds. If the user doesn't enter the token code within 60 seconds of it being issued, the code becomes invalid. It is usually not a problem, but recently I had to enable e-mail MFA for our branch location, where substantial e-mail delays are the norm. So, optionally, below you can find how to increase the default timeout.

  • Enable the e-mail option as MFA for a user:

config user local
    edit "karthi"
        set type password
        set two-factor email
        set email-to "karthi@abc.com"
    next
end

Now the e-mail option for two-factor authentication appears in the GUI:


(Optional) Increase the e-mail token code validity from 1 to 2 minutes (the `?` shows the accepted range, and `end` commits the change):

config system global
(global) # set two-factor-email-expiry ?
two-factor-email-expiry    Enter an integer value from <30> to <300> (default = <60>).
(global) # set two-factor-email-expiry 120
(global) # end
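As an added example (my own script, not Fortinet tooling), here is a small audit that walks a FortiGate configuration backup in the same config/edit/set/next/end layout as the blocks above, flags local users with no MFA method or with e-mail MFA but no email-to address, and reports the configured e-mail token validity. The sample config and user names are constructed for the demo.

```python
# Added audit example (not Fortinet tooling): parse a FortiGate config backup
# in the 'config/edit/set/next/end' layout and check per-user MFA settings.

# Constructed sample config in FortiOS backup layout; user names are made up.
SAMPLE_CONFIG = """\
config system global
    set two-factor-email-expiry 120
end
config user local
    edit "karthi"
        set type password
        set two-factor email
        set email-to "karthi@abc.com"
    next
    edit "bob"
        set type password
    next
    edit "carol"
        set type password
        set two-factor email
    next
end
"""


def parse_config(text):
    """Return ({global key: value}, {user name: {key: value}})."""
    global_settings, users, section, target = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line[7:]
            target = global_settings if section == "system global" else None
        elif line.startswith("edit ") and section == "user local":
            target = users[line[5:].strip('"')] = {}
        elif line.startswith("set ") and target is not None:
            key, _, value = line[4:].partition(" ")
            target[key] = value.strip().strip('"')
        elif line in ("next", "end"):
            target = None  # leave the current edit/config block
    return global_settings, users


def audit(text):
    """Return (e-mail token expiry in seconds, {user: problem}).
    FortiOS defaults assumed: two-factor 'disable', email expiry 60 s."""
    global_settings, users = parse_config(text)
    problems = {}
    for name, s in users.items():
        method = s.get("two-factor", "disable")
        if method == "disable":
            problems[name] = "no MFA method configured"
        elif method == "email" and not s.get("email-to"):
            problems[name] = "e-mail MFA set but email-to is empty"
    return int(global_settings.get("two-factor-email-expiry", 60)), problems
```

Run it against a real backup by reading the file into `audit()`; keys that are left at their FortiOS default are simply absent from the backup, which is why the defaults are assumed in the code.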


Thanks for reading my blog.

