Problem Description
This article describes how to enable users to re-provision their FortiToken Mobile or use temporary email or SMS tokens if the previously provisioned mobile device is lost or unavailable.
Scope
FortiAuthenticator, Self-Service portal, reprovisioning of Tokens.
Solution
It is possible to re-provision a FortiToken to a user when the already provisioned mobile device is unavailable, damaged, malfunctioning, or lost. In addition to giving end users more flexibility, this results in fewer administrative tasks and helpdesk tickets.
Configuration
If the FortiAuthenticator self-service portal is already in use, the options below can simply be enabled on the existing portal. If no self-service portal exists yet, follow the instructions below to create one first:
Step 1: Log in to FortiAuthenticator and navigate to Authentication > Portals > Create New.
Give the portal a name and set the required options under FortiToken Revocation. For the purposes of this article, only the options related to FortiToken revocation and token registration are enabled.
Step 2: Under Pre-Login Services, enable the following options:
- Allow users to temporarily use email token authentication if an email was pre-configured.
- Allow users to re-provision their FortiToken Mobile.
Under Post-Login Services, enable Allow FortiToken Mobile self-provisioning.
Select OK to save the configurations.
Step 3: Next, create a policy for the newly created portal. Navigate to Authentication > Portals > Policies. On the top right, ensure Self-Service Portal is selected, then select Create New.
Enter a name for the portal policy and select the newly created portal from the drop-down list.
Note the URL path: it is the address users will use to reach this portal.
For the purpose of demonstration, 'Local Users' of FortiAuthenticator are shown here. In a production environment, there may be multiple realms and multiple groups.
Step 4: Select the required authentication factors and select Save and exit.
Note: Ensure that the user already has an active FortiToken assigned and that an email address is configured in the user properties (scroll down to User Information). Without both, the user cannot use the email fallback or receive the re-provisioning activation, and the self-service options enabled above will not help them.
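Because the self-service flow only works for users who already meet the two prerequisites above (an active FortiToken and a configured email address), it is worth checking the user base before announcing the feature. The following is an added example written for this article, not code from Fortinet or from FortiAuthenticator: it runs a pre-flight check over a user export that you have already pulled from FortiAuthenticator (by CSV or API), loaded as a list of dictionaries. The field names (`username`, `email`, `token_status`, `mfa_method`), the trusted-domain policy, and the sample rows are all assumptions constructed for the example; map them to the columns of your own export. The domain check goes beyond the article: it flags users whose recovery mailbox is outside the organisation, since a personal mailbox is a weaker channel for delivering activation codes and email tokens.

```python
"""Pre-flight eligibility check for FortiAuthenticator self-service token recovery.

Added example, not part of the original article. The export format, field names
and sample data below are constructed assumptions; adapt them to your own export.
"""
from dataclasses import dataclass, field

# Constructed sample of a FortiAuthenticator user export (field names assumed).
SAMPLE_USERS = [
    {"username": "alice", "email": "Alice@Example.com", "token_status": "active", "mfa_method": "fortitoken"},
    {"username": "bob",   "email": "",                  "token_status": "active", "mfa_method": "fortitoken"},
    {"username": "carol", "email": "carol@gmail.com",   "token_status": "active", "mfa_method": "fortitoken"},
    {"username": "dave",  "email": "dave@example.com",  "token_status": "pending", "mfa_method": "fortitoken"},
    {"username": "erin",  "email": "erin@example.com",  "token_status": "",       "mfa_method": "email"},
]

# Mailboxes the organisation controls; anything else is treated as a weak recovery channel.
TRUSTED_EMAIL_DOMAINS = {"example.com"}


@dataclass
class Eligibility:
    username: str
    eligible: bool
    problems: list[str] = field(default_factory=list)


def check_user(user: dict, trusted_domains: set[str] = TRUSTED_EMAIL_DOMAINS) -> Eligibility:
    """Return why a user could not use the self-service recovery options, if anything."""
    problems: list[str] = []

    # Prerequisite 1 from the article: an email address under User Information.
    email = (user.get("email") or "").strip().lower()
    if not email or "@" not in email:
        problems.append("no usable email address under User Information")
    else:
        domain = email.rsplit("@", 1)[1]
        if domain not in trusted_domains:
            problems.append(f"recovery mailbox domain '{domain}' is not an organisation mailbox")

    # Prerequisite 2 from the article: an active FortiToken assigned to the user.
    if user.get("mfa_method") != "fortitoken":
        problems.append("user is not configured for FortiToken authentication")
    elif (user.get("token_status") or "").lower() != "active":
        problems.append(f"FortiToken is not active (status '{user.get('token_status') or 'none'}')")

    return Eligibility(user["username"], eligible=not problems, problems=problems)


def check_all(users: list[dict], trusted_domains: set[str] = TRUSTED_EMAIL_DOMAINS) -> list[Eligibility]:
    return [check_user(u, trusted_domains) for u in users]


def ineligible_usernames(users: list[dict], trusted_domains: set[str] = TRUSTED_EMAIL_DOMAINS) -> list[str]:
    """Usernames the helpdesk should fix before relying on self-service recovery."""
    return [r.username for r in check_all(users, trusted_domains) if not r.eligible]


if __name__ == "__main__":
    for result in check_all(SAMPLE_USERS):
        status = "OK " if result.eligible else "FIX"
        print(f"{status} {result.username}: {'; '.join(result.problems) or 'eligible'}")
```

Run it against the real export and hand the `FIX` rows to the helpdesk: an email address is a quick fix, an inactive or missing token means the user still needs the normal provisioning flow first.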
After completing these steps, end users reach the self-service portal through the portal URL noted in Step 3. In this case, the address is the one shown under the portal:
User login
Now, users can log in to the portal with their credentials.
Once the credentials are verified, the user can select 'Lost my token'.
A new window will appear, presenting the options enabled earlier in the portal configuration. Select Re-provision my FortiToken Mobile and select OK.
A 'FortiToken Mobile has been re-provisioned' message will appear. The user will then receive an email with the activation details for FortiToken Mobile. The event is also recorded in the FortiAuthenticator logs:
If the user selects 'Switch to email authentication', an email will be sent to the already configured email address. From then on, every login attempt triggers an email containing the token code, which the user must enter after their credentials are verified. Note that both pre-login options turn the user's mailbox into the second factor: anyone holding the password and access to that mailbox can obtain email tokens or re-provision the token, so mailboxes used for recovery should themselves be protected and re-provisioning events should be reviewed in the logs.
In some cases, the user may have changed their mobile device. They can log in to the self-service portal and provision their new device, eliminating the need to involve an IT administrator or the helpdesk.
To do this, after logging in as the user, select 'Multi-Factor':
Next, select FortiToken > Mobile. Under the activation delivery method, select Email or Scan QR Code and select OK.
The user can now re-provision the FortiToken for their new mobile device. They must first download and install FortiToken Mobile on that device in order to scan the QR code provided:
Once the token is activated, the user can use the FortiToken Mobile app to authenticate on all applications where FortiAuthenticator token-based authentication is configured.