Google Authenticator instead of FortiToken?

Author
Jay Libove
Silver Member
  • Total Posts : 120
  • Scores: 8
  • Reward points: 0
  • Joined: 2013/06/04 08:02:40
  • Status: offline
2013/08/14 06:04:24 (permalink)
0

Google Authenticator instead of FortiToken?

Since FortiToken is OAUTH compliant, can we not use Google Authenticator instead?
Anyone been able to work that out?

thanks,
#1


    Dipen
    Gold Member
    • Total Posts : 305
    • Scores: 4
    • Reward points: 0
    • Joined: 2013/06/17 07:24:49
    • Location: Muscat; Oman
    • Status: offline
    RE: Google Authenticator instead of FortiToken? 2013/08/15 11:04:36 (permalink)
    0
    Not sure if Google Authenticator is supposed to work with 3rd Party Applications.
    I am using it for Google Applications currently...Its very good.

    Ahead of the Threat.
    FCNSA v5 / FCNSP v5
    Fortigate 1000C / 1000D / 1500D
     
    #2
    Jay Libove
    Silver Member
    • Total Posts : 120
    • Scores: 8
    • Reward points: 0
    • Joined: 2013/06/04 08:02:40
    • Status: offline
    RE: Google Authenticator instead of FortiToken? 2013/08/20 01:08:20 (permalink)
    0
    Google Authenticator is used by many non-Google sites. Amazon AWS, for example. And Microsoft Hotmail ('scuse me, "outlook.com"). And LastPass. And Facebook. And....

    So, yes, it could be made to work with FortiGate.

    The question is, why doesn't FortiNet enable it?
    #3
    dred_FTNT
    optimizzz
    • Total Posts : 17
    • Scores: 0
    • Reward points: 0
    • Joined: 2012/01/20 10:15:44
    • Status: offline
    RE: Google Authenticator instead of FortiToken? 2013/08/22 11:41:32 (permalink)
    0
    Fortinet offers FortiToken Mobile (FTM) as its mobile OTP app. FTM is more secure than Google Authenticator in the way the OTP seeds (shared secrets) are provisioned to the app. GA simply accepts base32 encoded seed values, which make the tokens on GA vulnerable. FTM uses dynamic seed creation and transmits the seeds in AES encrypted format to the app, where the seeds are encrypted and bound to the device.

    FTM version 2 for iOS and Android (BB10 is coming) supports third party tokens (Google, Dropbox, Amazon, etc.), all for free. So why not use FTM instead of GA?
    #4
    Jay Libove
    Silver Member
    • Total Posts : 120
    • Scores: 8
    • Reward points: 0
    • Joined: 2013/06/04 08:02:40
    • Status: offline
    RE: Google Authenticator instead of FortiToken? 2013/08/23 03:05:46 (permalink)
    0
    Hi dred,
    I'm not sure, when you say "FTM version 2 .. supports third party tokens .... So why not use FTM instead of GA?", whether you are saying that I can use FTM for free in whatever quantity I want with my FortiGate 100D appliance. I doubt it, based on the exorbitant price quote I got from my local FortiNet partner for FortiToken licenses this week.

    Even if FTM is slightly more secure, we're not looking for perfect security, we're looking for useful security against far-remote attacks. A token, any token, Google Authenticator or FortiToken Mobile, for us is principally to prevent the theft of a password from being sufficient to gain remote access to our resources. FTM (on device) being more secure than GA (on device) is of little concern to me, as if the device itself is lost or stolen, the principal security control is that the employee promptly report the loss/theft and we disable the credential. (That said, it would be good for Google to add a PIN option).

    My goal is to not have to pay €80/soft token to FortiNet for a service which many other sites offer for free.

    We always have to remember, as security people, that security does not exist in a vacuum. Security generally should not be 'perfect' because that will almost surely impose costs in money and/or usability which are unsustainable to our organizations.

    So, are you saying that I can add however many more token users I want to my FG100D for free? .. or just that I could use FortiToken Mobile instead of Google Authenticator for non-FortiNet things (which is of no interest to me).

    thanks,
    -Jay



    ORIGINAL: dred

    Fortinet offers FortiToken Mobile (FTM) as its mobile OTP app. FTM is more secure than Google Authenticator in the way the OTP seeds (shared secrets) are provisioned to the app. GA simply accepts base32 encoded seed values, which make the tokens on GA vulnerable. FTM uses dynamic seed creation and transmits the seeds in AES encrypted format to the app, where the seeds are encrypted and bound to the device.

    FTM version 2 for iOS and Android (BB10 is coming) supports third party tokens (Google, Dropbox, Amazon, etc.), all for free. So why not use FTM instead of GA?

    #5
    dred_FTNT
    optimizzz
    • Total Posts : 17
    • Scores: 0
    • Reward points: 0
    • Joined: 2012/01/20 10:15:44
    • Status: offline
    RE: Google Authenticator instead of FortiToken? 2013/08/23 11:15:53 (permalink)
    0
    Jay,

    Fortinet, like any other vendor of Two Factor Authentication (2FA) systems, including RSA, Vasco, Safenet, etc., charges for tokens (hard and soft). In fact, Fortinet is the most economical choice in terms of total cost of ownership, especially in the case of using the FortiGate as the authentication server (since the function is built in and there is no additional license for a separate piece of hardware or software). If you purchased another vendor's 2FA product for your network whether it be to add strong authentication to a Fortinet, Checkpoint, Cisco or whosoever VPN/Firewall, you would pay for tokens and the authentication server, as well as ongoing support.

    Also, please note that Fortinet provides TWO FREE FTM TOKENS with every FortiGate (or FortiGate HA cluster) on FortiGate FOS 5.0 and up.

    So what I'm saying is that if you want to add a One Time Password solution to your FortiGate, and you are using FTM v2, you can use the same app for your Third Party tokens as well. And you can have two free Fortinet FTM tokens per FortiGate.

    As for security not having to be perfect, I agree. There is always the tradeoff between security and usability. But Google is not a security company. Fortinet is. Protecting the OTP seed is of the utmost importance to many customers. Therefore Fortinet provides a more secure mobile token app that is as easy to use as GA, if not easier.

    -D
    < Message edited by dred -- 8/23/2013 11:46:36 AM >
    #6
    Jay Libove
    Silver Member
    • Total Posts : 120
    • Scores: 8
    • Reward points: 0
    • Joined: 2013/06/04 08:02:40
    • Status: offline
    RE: Google Authenticator instead of FortiToken? 2013/08/28 08:58:53 (permalink)
    0
    It's lovely that FortiNet provides a more secure (than I need nor want to pay for) token option for those clients who need/want/are willing to pay for it.

    What I'm complaining about is that FortiNet does NOT allow us to use the economical, really quite secure (certainly enough for us) options which LinkedIn, eBay, PayPal, Facebook, and dozens of others include even in their free services - e.g. Google Authenticator.

    And even for those for whom the extra security is justified (although, see later discussion/challenge below) I can't believe that €80/token in small quantities [5], or €62/token in moderate quantities [100] is so economical as you say. It took some work, but I finally found a document (two years old, so the prices if anything should be cheaper now) showing an actual price model for the Verisign VIP hosted token service, for the UK government. At the size of a 100-user deployment, the setup fee is £32/user (£3205 total setup), plus an annual token fee of £9,62/token. In other words, acquisition cost including first year support £42 followed by £9,62/user/year. Note that FortiNet's model hides the ongoing support cost of the FortiToken service in the maintenance agreement on the FortiGate appliances/ FortiOS updates and support, so the one-time €62 cost I've been quoted for FortiTokens is not the whole story. And I remind us all that the FortiNet pricing is for soft tokens, whereas the Verisign VIP pricing example I found is for physical tokens.

    I'm also rather curious about your repeated assertion that the OTP Seed is better protected with FortiNet than with e.g. Google. Could you explain in technical detail please? Then we can really dig in to whether the extra level of security in fact matters to the vast majority of users; I doubt that the real security difference in fact would be important, if the users really understood the ins and outs of it.

    thank you,
    -Jay
    #7
    Jay Libove
    Silver Member
    • Total Posts : 120
    • Scores: 8
    • Reward points: 0
    • Joined: 2013/06/04 08:02:40
    • Status: offline
    RE: Google Authenticator instead of FortiToken? 2013/08/28 09:07:13 (permalink)
    0
    One more thing that comes to mind, FortiNet itself doesn't need to be involved in a 2-factor authentication solution at all. The FortiGate appliance is the seed and authentication server. A FortiToken or Google Authenticator or any other OAUTH-compliant soft token is the end-user device. The communication goes over the same Internet connection which the user and the FortiGate must have in order for the whole idea to be useful anyway.
    So for FortiGate to put itself in the middle, and offer an expensive service, and not include the 2-factor server in FortiOS for those customers who are happy to run it themselves, seems to me to just be a way to try to squeeze more money out of the customers, without providing additional value. (It also makes FortiNet's servers a potential point of failure).
    #8
    dred_FTNT
    optimizzz
    • Total Posts : 17
    • Scores: 0
    • Reward points: 0
    • Joined: 2012/01/20 10:15:44
    • Status: offline
    RE: Google Authenticator instead of FortiToken? 2013/09/03 18:13:22 (permalink)
    0
    Jay,

    FortiToken Mobile is a FREE application. Free Tokens for Google, DropBox, etc (i.e., any free tokens that are supported in Google Authenticator -GA) can be easily provisioned to FortiToken Mobile for FREE.

    Your assumption about FortiNet NOT allowing you to use two step verification options for FREE as you can with GA is not true. BTW, note that some of the services you mentioned, like LinkedIn, provide two step verification only via SMS and you cannot use GA (or any other OTP generator app) to generate the codes (at least according to their help pages).

    Back to my point: You can use FortiToken Mobile for FREE with the same FREE tokens you can get for use with GA. And, if you want to use Fortinet soft tokens to protect your own network assets, the first two are FREE and the rest you pay for, just like any other commercial 2FA/token vendor. We have done extensive pricing analysis and are confident we are the most economical against other top 2FA vendors like RSA and Vasco.
    #9
    Jay Libove
    Silver Member
    • Total Posts : 120
    • Scores: 8
    • Reward points: 0
    • Joined: 2013/06/04 08:02:40
    • Status: offline
    RE: Google Authenticator instead of FortiToken? 2013/09/04 07:06:46 (permalink)
    0
    Dred, let's clarify.

    I am NOT talking about whether the FortiToken app may be used as an OAUTH compatible client for other sites and services. I am only talking about 2-factor authentication for VPN access to my network through my FortiGate appliance.
    So, please, stop insisting that "my assumption", etc is incorrect, as that is not my assumption. It isn't what I'm talking about at all.

    You note extensive pricing analysis, without responding to the concrete case that I noted a couple of posts back of pricing by Verisign VIP for hardware tokens cheaper than today's FortiNet pricing for software tokens.

    You also have not responded to my challenge about the "extra security" you claim of the FortiToken seed model as to
    1) whether/how it really is more secure in a meaningful way to the great majority of users; and
    2) even if it is in fact more secure, whether the things it is more secure against
    2a) matter to most users, and even if it matters to many users whether
    2b) it matters enough to justify its higher cost.

    Even if all of the above remains true (which I doubt, and I continue to ask FortiNet to answer), there still remains the fact that just because it can be done this way (and be a revenue stream for the vendor) does not mean that it must be done this way. I remain unconvinced that FortiNet's token service and pricing model is anything more than an artificially captive extra revenue stream.

    Convince me otherwise, with details and facts, please.

    Thank you,
    #10
    dred_FTNT
    optimizzz
    • Total Posts : 17
    • Scores: 0
    • Reward points: 0
    • Joined: 2012/01/20 10:15:44
    • Status: offline
    RE: Google Authenticator instead of FortiToken? 2013/09/04 13:13:59 (permalink)
    0
    We'll just have to agree to disagree. But I'll try one more time to answer your concerns:

    First of all, the organization for authentication interoperability standards is OATH, not OAUTH. OAuth is an open standard for authorization, something completely different.

    Second, what other firewall/VPN vendor offers free tokens for 2FA? Not Cisco, not Checkpoint, not Juniper, not anyone. Fortinet is the only vendor that offers two free tokens with their devices. If you don't want Fortinet tokens for use with your FortiGate, then use someone else's, like Vasco, Safenet or RSA. But you will still have to pay those vendors.

    As for pricing analysis, that is highly proprietary and is not something to share in a public forum. And there is always a difference between "List" and "street" price. And there are tons of pricing gimmicks and games, such as server costs and annual subscription fees. So an apples-to-apples comparison is not trivial.
    A quick Google search reveals this link to a cost comparison from Yubico, who claims the YubiKey has the lowest total fees and annual total cost per credential.
    http://www.yubico.com/products/comparison/cost/
    Their annual soft token cost is $38 PER YEAR.

    As for security, the token in 2FA is the second factor, the "something you have" factor. If that factor is able to be copied, it is no longer meeting the definition of 2FA and is not secure in that sense. Tokens installed on GA are easily copied. I can load the same token on multiple instances of GA thereby breaking the second factor rule. Further, GA tokens can be easily stolen through shoulder surfing. The same is not true for FortiToken Mobile because of the way FTM tokens are generated, transmitted and provisioned. The seeds are never visible and they can only be activated one time. Fortinet does not charge extra for security. Fortinet is a security company and bakes security into every product. It is part of the Fortinet DNA.
    #11
    Jay Libove
    Silver Member
    • Total Posts : 120
    • Scores: 8
    • Reward points: 0
    • Joined: 2013/06/04 08:02:40
    • Status: offline
    RE: Google Authenticator instead of FortiToken? 2013/09/05 00:42:32 (permalink)
    0
    You're right, we'll have to agree to disagree.
    #12
    ispcolohost
    Silver Member
    • Total Posts : 71
    • Scores: -1
    • Reward points: 0
    • Joined: 2014/11/18 08:06:51
    • Status: offline
    Re: Google Authenticator instead of FortiToken? 2014/11/18 08:09:30 (permalink)
    0
    Jay Libove
    Since FortiToken is OAUTH compliant, can we not use Google Authenticator instead?
    Anyone been able to work that out?

    thanks,



    Jay, did you ever find a solution for this? I just deployed some Fortigates (200D's) and I'm getting a lot of flak over not supporting Google Authenticator since the company uses it extensively for applications they've built and doesn't want to deal with multiple tokens/devices.
    #13
    emnoc
    Expert Member
    • Total Posts : 5301
    • Scores: 347
    • Reward points: 0
    • Joined: 2008/03/20 13:30:33
    • Location: AUSTIN TX AREA
    • Status: online
    Re: Google Authenticator instead of FortiToken? 2014/11/18 08:54:21 (permalink)
    0
    If I recall correctly, Google Authenticator is not open source, so how much work it would take to get it working or to fix any issues might become an issue later on.
     

    PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
    #14
    ispcolohost
    Silver Member
    • Total Posts : 71
    • Scores: -1
    • Reward points: 0
    • Joined: 2014/11/18 08:06:51
    • Status: offline
    Re: Google Authenticator instead of FortiToken? 2014/11/18 09:10:30 (permalink)
    0
    emnoc
    If I recall correctly, Google Authenticator is not open source, so how much work it would take to get it working or to fix any issues might become an issue later on.

     
    I believe it is open source (https://github.com/google/google-authenticator-android/), not that that matters since TOTP is a standard:
     
    http://en.wikipedia.org/w...ime_Password_Algorithm
     
    Google Authenticator is just one of many that implement it, but it's nice and convenient so a lot of companies I work with are already using GA for numerous other things and do not want to deal with the hassle of managing multiple tokens per employee, etc.
     
     
    #15
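    The two technical claims in this thread are dred's (#11) that a GA-style base32 seed can be loaded into any number of apps and that a code seen over someone's shoulder can be reused, and ispcolohost's (#15) that TOTP is a standard which Google Authenticator merely implements. Both are easy to check against the RFCs. The following is an added example, not code from the thread, from Google, or from Fortinet: a pure standard-library Python implementation of RFC 4226 HOTP and RFC 6238 TOTP, plus the server-side check a RADIUS server or firewall would perform. The seed is the RFC's published test vector, not a real credential; the user names and the `TotpVerifier` class are assumptions made for the example. Any OATH-compliant app given the same base32 string produces the same codes, which is why the seed, not the app, is the secret that needs protecting, and why the verifier below records the last accepted time step so a captured code cannot be replayed inside its window.

```python
"""Added example (not from the thread, Google or Fortinet): RFC 4226 HOTP /
RFC 6238 TOTP with a replay-resistant server-side verifier.

Uses only the Python standard library. The seed is the RFC test vector
("12345678901234567890"), not a real credential.
"""
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 reference seed (ASCII "12345678901234567890").
RFC_SEED = b"12345678901234567890"


def seed_to_base32(seed: bytes) -> str:
    """Encode a raw seed the way an otpauth:// URI / QR code carries it."""
    return base64.b32encode(seed).decode("ascii")


def base32_to_seed(b32: str) -> bytes:
    """Decode a base32 seed; tolerates lowercase, spaces and missing padding."""
    cleaned = b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(seed, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 8) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(seed, unix_time // step, digits)


class TotpVerifier:
    """Server-side check as a RADIUS server or firewall would do it (assumed class name).

    Accepts codes within +/- `skew` time steps to tolerate clock drift, and
    remembers the last accepted step per user so that a code captured by
    shoulder surfing cannot be submitted a second time inside that window.
    """

    def __init__(self, seeds: dict, step: int = 30, skew: int = 1):
        self.seeds = seeds          # user -> raw seed bytes (constructed sample data)
        self.step = step
        self.skew = skew
        self.last_step = {}         # user -> last time step at which a code was accepted

    def verify(self, user: str, code: str, unix_time: int) -> bool:
        seed = self.seeds.get(user)
        if seed is None:
            return False
        current = unix_time // self.step
        for candidate in range(current - self.skew, current + self.skew + 1):
            if candidate <= self.last_step.get(user, -1):
                continue            # this step (or an earlier one) was already used: replay
            expected = hotp(seed, candidate).encode("ascii")
            if hmac.compare_digest(expected, code.encode("ascii", "replace")):
                self.last_step[user] = candidate
                return True
        return False


if __name__ == "__main__":
    b32 = seed_to_base32(RFC_SEED)
    print("base32 seed as a QR code would carry it:", b32)
    now = int(time.time())
    # Two apps (or two copies of one app) with the same seed agree on the code.
    print("code from app A:", totp(RFC_SEED, now))
    print("code from app B:", totp(base32_to_seed(b32), now))
    v = TotpVerifier({"jay": RFC_SEED}, step=30, skew=1)
    code = totp(RFC_SEED, now)
    print("first use accepted:", v.verify("jay", code, now))
    print("replay accepted   :", v.verify("jay", code, now))
```

Running the script prints the RFC seed in base32 (`GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ`), shows that two independent decodings of that string yield the same code, and shows the verifier accepting a code once and rejecting its replay. The RFC 6238 test vectors (for example time 59 giving 94287082) can be used to confirm the arithmetic against any other OATH app.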
    ispcolohost
    Silver Member
    • Total Posts : 71
    • Scores: -1
    • Reward points: 0
    • Joined: 2014/11/18 08:06:51
    • Status: offline
    Re: Google Authenticator instead of FortiToken? 2014/12/04 09:47:37 (permalink)
    2 (1)
    While trying to decide what to do, I came across some websites that suggested using a FreeRADIUS server as the authentication source as it has the ability to auth using Google Authenticator.  Point the Fortigate at the FreeRADIUS server, problem solved; two factor auth.  I'm going to give it a try and will report back.
    #16
    Hoygen
    New Member
    • Total Posts : 8
    • Scores: 0
    • Reward points: 0
    • Joined: 2018/09/11 02:13:06
    • Status: offline
    Re: RE: Google Authenticator instead of FortiToken? 2018/09/21 01:47:30 (permalink)
    0
    Has anyone been able to set up Google Authenticator instead of FortiToken?
    #17
    emnoc
    Expert Member
    • Total Posts : 5301
    • Scores: 347
    • Reward points: 0
    • Joined: 2008/03/20 13:30:33
    • Location: AUSTIN TX AREA
    • Status: online
    Re: RE: Google Authenticator instead of FortiToken? 2018/09/21 02:59:56 (permalink)
    0
    Man, this is an old thread pulled way up from the past. As far as Google being less secure, it's a highly recognized solution and widely accepted.
     
    I have used 3rd party MFA solutions with  FTNT 
     
    http://socpuppet.blogspot.com/2017/04/securing-fortigate-sslvpn-with-mfa-by.html
     

    PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
    #18
    Joe667
    New Member
    • Total Posts : 9
    • Scores: 0
    • Reward points: 0
    • Joined: 2019/02/06 08:18:57
    • Status: offline
    Re: RE: Google Authenticator instead of FortiToken? 2019/02/06 08:36:07 (permalink)
    0
    Just a quick note regarding Duo. I presently use Duo for 2FA on my SSL VPN. The plan I am on ($10/mo for each group of 10 users) is no longer offered and will be discontinued this year. To continue with Duo will be around $3/mo per user. Compared to the one-time price of a FortiToken, it's a no-brainer. To duplicate the push authentication of Duo you need to employ a FortiAuthenticator (lists at approx $3200, plus $800/year maintenance). I can't find a better deal than the Fortinet solution.
    #19
    ispcolohost
    Silver Member
    • Total Posts : 71
    • Scores: -1
    • Reward points: 0
    • Joined: 2014/11/18 08:06:51
    • Status: offline
    Re: RE: Google Authenticator instead of FortiToken? 2019/02/06 13:29:38 (permalink)
    0
    Duo is far more than just a second factor though.  For the relatively low cost, it also lets me do a large variety of other things, like not allowing a mobile device with out of date OS be used as the second factor, restrict, or require additional auth, if the request is from a certain country or non-whitelisted country, set restrictions for a given person on a per-app basis instead of them having to have one TOTP solution for Fortigate VPN, one for application X, a third for application Y, etc., log accesses in an easy to use manner, finally, it has a method for secure self re-enrollment should their primary device be rendered unusable.  If a Fortitoken app device gets lost, guess what, they're calling IT who then will likely have to walk through a cumbersome set of steps to truly auth that user and get them a new Fortitoken code, or if the device is stolen, now you have to find a firewall admin to deal with locking the old token out, there's no good audit trail, etc.  It's just a huge pain for an entity of reasonable size; Fortitoken, and FortiAuth for that matter, are not scalable or cost effective solutions; they're just a headache.
     
    Besides all that though, I'm simply annoyed that Fortinet is choosing to monetize TOTP at the expense of offering much more comprehensive security solutions; their FortiToken is nothing more than TOTP that they're not letting you have the key for. I'd prefer to pay more for my hardware, or my support contract, and not deal with petty nickel-and-diming.
    #20