Recently, I have had a chance to interact with FortiIdentity Cloud, which is Fortinet’s replacement for FortiToken Mobile. In this use case, I simply needed MFA with FortiTokens and SMS, and have not used any of the other features of FortiIdentity Cloud. In this situation, one user had a very old phone which did not support the FortiToken app, so SMS was required. SMS is considered a very poor choice for MFA and is much less preferred than tokens. In this use case, only local accounts were used; no centralized user repository such as RADIUS or Active Directory was involved.
What I found is that SMS authentication can be configured only by the root FortiIdentity Cloud admin account. Delegated administrators have limited visibility and cannot modify the Authentication Type for all users.
Steps to enable SMS authentication for a user:
- Create or sync the user on the FortiGate. This can be a FortiGate admin user or a VPN user created locally on the firewall.
- The user will automatically appear in FortiIdentity Cloud.
- Log into FortiIdentity Cloud using the root admin account.
  - This account is required to view all synchronized users.
- Open the user profile and change Authentication Type → SMS.
  - Note: All new users default to FortiToken.
- Save the configuration. The user can now authenticate with an SMS OTP.
- Note: Nothing special had to be done on the FortiGate when creating this user. You don’t have to specify SMS authentication via the CLI; just add the phone number and choose SMS. The user will default to FortiToken, but you don’t have to change this on the firewall itself. In this case, that change is made solely in FortiIdentity Cloud.
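As an added example (not from the original post and not taken from Fortinet documentation), this is what the FortiGate side of the two user types above might look like in the FortiOS CLI: only the phone number is added on the firewall, the two-factor method stays at the cloud token default, and the switch to SMS is made afterwards in FortiIdentity Cloud as described. It assumes the FortiGate is already registered to FortiIdentity Cloud and that `fortitoken-cloud` is the two-factor value used for that service (the value used for FortiToken Cloud; verify it against your FortiOS version). The usernames, admin profile, password placeholders and phone number are constructed placeholders.

```text
# Added example: local VPN user synchronized to FortiIdentity Cloud.
# Only the phone number is set here; the method is switched to SMS in the cloud console.
config user local
    edit "vpn-user1"
        set type password
        set passwd "<set-a-strong-password>"
        set two-factor fortitoken-cloud
        set sms-phone "+15555550100"
    next
end

# Added example: FortiGate admin user with the same pattern.
config system admin
    edit "fw-admin1"
        set accprofile "super_admin"
        set password "<set-a-strong-password>"
        set two-factor fortitoken-cloud
        set sms-phone "+15555550100"
    next
end
```

After this is applied and the user appears in FortiIdentity Cloud, the root admin changes Authentication Type to SMS for that user only; leaving every other user on FortiToken keeps the weaker SMS factor limited to the one account that genuinely needs it.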
