Fortinet FortiToken™ 200 Two-Factor Authentication
One Time Password Token for Strong Authentication

Overview:

The FortiToken-200 allows organizations to deploy a two-factor authentication solution. It is an easy-to-use, one-time password (OTP) token that reduces the risk of compromise created by alternative single-factor authentication systems relying on, for example, static passwords. The FortiToken enables administrators with the need for two-factor authentication to offer enhanced security for both remote and on-premise users. The FortiToken-200 is a part of Fortinet's broad multi-factor authentication product strategy; it ensures that only authorized individuals access your organization's sensitive information -- enabling business, protecting your data, lowering IT costs, and boosting user productivity.

You cannot always trust your users with your network security. Relying solely on static passwords for remote access to your VPN and web sites provides only weak authentication because your users' passwords are vulnerable to theft or guessing, as well as dictionary and brute-force attacks. No matter the size of your network, easy-to-use-and-deploy One Time Password (OTP) tokens let you solve this problem affordably by adding a second factor for strong authentication.

FortiToken-200 Features & Benefits:

• Extremely secure, strong authentication using OTP tokens ensures a high degree of identity certainty and enhances online trust
• Totally scalable security solution meets compliance requirements (e.g., HIPAA, PCI, FFIEC) and industry best-practices for all deployment sizes
• Long battery life, perpetual license, simple deployment model, and minimal required infrastructure gives you low cost of ownership for your strong authentication solution
• Zero client footprint lets you easily administer tokens for your remote users while the low learning curve ensures quick and painless adoption by end-users
• Tokens can be used for authentication to multiple online systems, and you can quickly reassign them among users, protecting your investment
• Highly secure seed delivery options allow you to manage your tokens flexibly in the way that makes most sense for your network operations and security requirements

Leverage Existing Fortinet Platforms

Each FortiGate™ consolidated security platform is able to provide an integrated authentication server. Combining this authentication capability with the FortiToken eliminates the need for the external server typically required when implementing two-factor solutions.

The short-lived, time-based token adds strong authentication to secure remote Virtual Private Network (VPN) IPSEC access, SSL VPN access, Wi-Fi Captive Portal network logon and FortiGate Administrator login. The token always remains synchronized with the FortiGate controller.

Seeds Managed by FortiGuard®

The FortiGuard™ Center maintains your token seeds in a cloud-based repository. Once a FortiToken has been registered, FortiGuard securely distributes the necessary token seeds to FortiGate to complete the process. When required by identity based security policies, the FortiGate is able to verify the users 6-digit OTP against its own database.

Standards and AAA Servers Compatibility

The FortiToken-200 is compatible with popular on-premise and remote access servers including Active Directory, LDAP and RADIUS. The FortiGate maintains the backend communication with these servers and at the same time manages the second factor authentication with the users. Moreover in combination with FortiGate, the token complies with OATH standards.

Resilient Design

The FortiToken-200 comes in tamper-resistant/tamper-evident packaging for additional security. The token also has a tamper-proof memory design which protects the internal synchronous dynamic password generator.

FortiClient PC Benefits:

• Reduces costs and complexity by using your existing FortiGate as the two-factor authenticator
• Token seed repository by FortiGuard™ minimizes provisioning headaches
• Perpetual token license eliminates annual subscription fees
• Low cost of entry with scalability

FortiClient PC Features:

• Integrated with FortiClient™ and protected by FortiGuard™
• Standards-compliant
• Synchronized with FortiGate® OTP dbase
• Short-duration (60-seconds), time based , 6-digit password

Deployment Scenarios:

SSL-VPN web login example

1. IT purchases a pool of tokens and enters each tokens Serial number into the FortiGate GUI or CLI
   
   
2. FortiGate validates the serial numbers against FortiGuard Center and securely downloads and stores the seed files in encrypted format
   
   
3. In HA mode the Token Seed and Serial numbers are automatically synchronized
   
   
4. After seed files download, the tokens are activated and ready for assignment to users. IT selects each user that should undergo 2-factor authentication

Product Comparison:

FortiToken vs. RSA SecureID

FortiToken-200	RSA-Secure ID
Tokens don't expire	SecureID tokens expire
OTP only when button pushed	One-time password always shown
Long battery life	Limited battery life
FortiGate validates token	External Ace server required
Scalable to all customer sizes	Server cost high for certain markets
Affordable token pricing	Expensive tokens

Not only does FortiToken overlay the existing FortiGate deployment, but also it requires no external server and comes with perpetual license

Specifications:

FortiToken-200
Embedded Security Algorithm	OATH TOTP Time-based
Component	Built-in Button 6 Character LCD Screen Globally Unique Serial Number
Battery Lifetime	Up to 5 Years / Up to 14000 dynamic passwords
Operating Temperature	-10°C to 50°C
Storage Temperature	-20°C to 70°C
Water-Resistant	IP68 (Ingress Protection)
Casing	Hard Molded Plastic (ABS) Tamper-Evident/Tamper-Resistant
Secure Storage Medium	Static Random Access Memory (RAM)
Battery Type	Standard Lithium Battery
Hardware	RoHS Compliant

Scalability:

Examples of Platform Scalability
FortiGate Model	FortiWiFi Model	Max Number of FortiTokens
FortiGate-20C FortiGate-50B	FortiWiFi-20C FortiWiFi-50B	20
FortiGate-60B/60C FortiGate-80C	FortiWiFi-60C FortiWiFi-80C	500
FortiGate-40C FortiGate-110C/FortiGate-111C FortiGate-200B/FortiGate-200B-POE FortiGate-310B/FortiGtate-311B FortiGate-620B/FortiGate-621B FortiGate-800	FortiWiFi-40C	1000
FortiGate-1240B FortiGate-3016B FortiGate-3040B/FortiGate-3140B FortiGate-3600A		5000
FortiGate-3810 FortiGate-3950B/FortiGate-3951B FortiGate-5001A/FortiGate-5001B		5000

Documentation:

Download the Fortinet FortiToken Datasheet (PDF).