Wednesday, November 29, 2017

fortitoken mobile app lockout

The FortiToken Mobile app (available from the Google Play Store and the Apple App Store) has the following security functions:

  • fingerprint identification (optional)
  • PIN (4 digits only)
  • lockout (wipe) after 10 failed PIN entries (there is no control for setting the maximum number of failures)

First, let's look at a simple FortiToken activation and its binding to a local VPN user named testtoken.

The mobile app is available from the app store for download; it only needs you to supply the activation code and assign a name for the account.

The account name stored in the app DOES NOT NEED TO MATCH the local FortiGate user name.

Log into the portal for a quick test. After the first factor you will get an input box for the token. The current OTP from the mobile app screen would be

Now, if your mobile device is lost or stolen and someone fat-fingers the passcode 10 times, the app will wipe itself. Before the reset, the mobile app will warn you at the 8th and 9th failed attempts.

That is the final security measure for failed PINs. With a 4-digit PIN there are only 10,000 combinations, so the 10-attempt wipe is what limits a guessing attacker to a 0.1% chance of success. If this happens to one of your end users, you only need to reactivate the mobile app and token.
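To make the lockout behaviour concrete, here is an added example (my own model, not FortiToken Mobile's code and not from the original post) of a PIN-gated software token: a 4-digit PIN guards a TOTP seed, the 8th and 9th wrong PIN produce a warning, and the 10th wipes the seed, which is exactly the failure mode described above. The TOTP routine is the standard RFC 6238 one (the OTP typed into the portal after the first factor); the seed, the PIN, the hashed PIN storage and the brute_force/guess_success_probability helpers are constructed for illustration and are not how the real app is implemented.

```python
"""Model of a PIN-gated software token that wipes itself after 10 bad PINs.

Added example, not FortiToken Mobile's code and not code from the original post.
It models the behaviour the post describes: a 4-digit PIN gate in front of a
TOTP seed, a warning on the 8th and 9th wrong PIN, and a wipe on the 10th.
The seed, PIN and storage scheme are constructed for illustration.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple

MAX_FAILURES = 10     # fixed in the app per the post; no setting to change it
WARN_AT = (8, 9)      # failure counts at which the app warns before wiping
PIN_LENGTH = 4        # the app only accepts a 4-digit PIN


def totp(seed: bytes, for_time: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits), the OTP typed at the portal."""
    if for_time is None:
        for_time = int(time.time())
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class SoftToken:
    """Constructed model: the seed is only released after a correct PIN."""

    def __init__(self, seed: bytes, pin: str) -> None:
        if not (pin.isdigit() and len(pin) == PIN_LENGTH):
            raise ValueError("PIN must be exactly %d digits" % PIN_LENGTH)
        self._seed: Optional[bytes] = seed
        # Illustrative PIN storage; how the real app stores its PIN is not known here.
        self._pin_hash: Optional[bytes] = hashlib.sha256(pin.encode()).digest()
        self.failures = 0
        self.wiped = False

    def unlock(self, pin: str, for_time: Optional[int] = None) -> Tuple[str, Optional[str]]:
        """Try a PIN. Returns (status, otp); status is 'ok', 'wrong', 'warning' or 'wiped'."""
        if self.wiped:
            return "wiped", None
        candidate = hashlib.sha256(pin.encode()).digest()
        if hmac.compare_digest(candidate, self._pin_hash):
            self.failures = 0                      # a good PIN resets the counter
            return "ok", totp(self._seed, for_time)
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self._seed = None                      # the wipe: the seed is gone for good
            self._pin_hash = None
            self.wiped = True
            return "wiped", None
        if self.failures in WARN_AT:
            return "warning", None                 # 8th and 9th failure: last chances
        return "wrong", None


def brute_force(token: SoftToken, guesses) -> Tuple[int, str]:
    """Feed PIN guesses to a token until it opens or wipes; return (attempts, final status)."""
    attempts = 0
    for guess in guesses:
        attempts += 1
        status, _ = token.unlock(guess)
        if status in ("ok", "wiped"):
            return attempts, status
    return attempts, "still locked"


def guess_success_probability(attempts: int = MAX_FAILURES, digits: int = PIN_LENGTH) -> float:
    """Chance that `attempts` distinct guesses hit a uniformly chosen PIN before the wipe."""
    return attempts / 10 ** digits


if __name__ == "__main__":
    # Constructed seed (the RFC 6238 test seed) and a constructed PIN.
    tok = SoftToken(b"12345678901234567890", "4711")
    print("correct PIN ->", tok.unlock("4711", 59))
    # An attacker who found the phone tries sequential PINs.
    print("brute force ->", brute_force(tok, ("%04d" % i for i in range(10000))))
    print("chance of a hit before wipe: %.2f%%" % (100 * guess_success_probability()))
```

Run it as a script to see the sequence: a correct PIN yields the OTP, ten sequential guesses end in a wipe on the 10th, and the guessing chance works out to 0.10%. The point the model makes is that the wipe, not the PIN length, is what protects the seed; once wiped, even the right PIN returns nothing and the user has to be re-provisioned, which is the reactivation step the post describes.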

Ken  Felix

NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
        /  \
