Onboard the FortiGate, you have three native ways of doing multi-factor authentication. They used to all be available in the GUI, but have moved to CLI only. TL;DR: the best method for MFA is generally regarded as token/app based, as the others can be intercepted.
You have the FortiToken, which can be a hard token or an app on the phone. There is also the option for email and SMS. The SMS can use Fortinet's built-in SMS gateway, which is an extra license add-on, or manual SMS gateway entries.
You can set local or remote (LDAP, RADIUS, etc.) users up with MFA using this method. Example CLI is below:
config user local
    edit "<username>"
        set type password    <-- this is where you could change to LDAP or RADIUS
        set two-factor email    <-- or set two-factor sms, or fortitoken
        set email-to "firstname.lastname@example.org"
    next
end
You would set up the carrier SMS gateways using "config system sms-server". For example, if your email-to-SMS address is email@example.com, then you would create a new entry in sms-server for Carrier with an address of sms.carrier.com. The FortiGate would send an email to that address, which would arrive as a text message to the user.
However, in general it is best to use a token-based MFA solution where the information is not directly transmitted from the source to the user. Determined attackers have demonstrated methods to intercept MFA messages sent in this way. Many third-party MFA providers like Duo and Okta provide methods to integrate with various devices, including FortiGates, in a more secure manner that also makes the user experience better than what the FortiGate can provide on its own.
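One way to check an existing configuration against this recommendation, as an added example (not from the original post and not Fortinet's code): a Python script that reads the "config user local" section of a FortiGate configuration backup and reports each user's second factor, flagging email and SMS. The sample config, the user names and the verdict labels are constructed for illustration, and it assumes a backup omits "set two-factor" when no second factor is enabled.

```python
import re

# Constructed sample of a FortiGate config backup; user names are made up.
SAMPLE_CONFIG = """\
config user local
    edit "alice"
        set two-factor fortitoken
    next
    edit "bob"
        set two-factor email
    next
    edit "carol"
        set type ldap
        set two-factor sms
    next
    edit "dave"
        set type password
    next
end
config system sms-server
    edit "Carrier"
    next
end
"""

# Verdict per two-factor value: email/sms codes travel to the user in transit.
VERDICT = {"fortitoken": "token", "fortitoken-cloud": "token",
           "email": "interceptable", "sms": "interceptable",
           "none": "no-mfa", "disable": "no-mfa"}

def audit_local_users(config_text):
    """Map each 'config user local' entry to (two-factor method, verdict)."""
    methods, in_section, user = {}, False, None
    for line in map(str.strip, config_text.splitlines()):
        if line == "config user local":
            in_section = True
        elif in_section and line == "end" and user is None:
            in_section = False          # section closed; later blocks ignored
        elif in_section and line == "next":
            user = None
        elif in_section and (m := re.match(r'edit "?([^"]+)"?$', line)):
            user = m.group(1)
            methods[user] = "none"      # assumption: unset means disabled
        elif user and line.startswith("set two-factor "):
            methods[user] = line.split()[2]
    return {u: (m, VERDICT.get(m, "unknown")) for u, m in methods.items()}

if __name__ == "__main__":
    print(audit_local_users(SAMPLE_CONFIG))
```

Users reported as "interceptable" or "no-mfa" are the ones to move to a token-based factor first.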