Dear Tanr,

I have configured the NAT for reply Push Notification from FortiToken Mobile. However when we tried by access the VPN via the 2 factor authentication. we don't get even the notification on the mobile. I think the fortitoken hasn't sent out the notification to fortitoken mobile.

Your FortiAuthenticator needs to actually be able to call out to DNS and to the Apple/Android notification servers. 

Have you verified that it can do so?

Remember that PUSH notifications are not a good way of performing two factor.  You should require them to type in the token code.  PUSH notifications compromise the human over and over again.

Hi cbabfat,

could you explain your opinion a little bit more ?

So far I do not see much of an issue here. - your device still needs to have requested token - your FortiToken Mobile app can be protected by PIN or biometrics (TouchID, FaceID or so) - that PIN protection can even be enforced by FortiAuthenticator - you still needs to unlock your device to run app

- PUSH notification is supposed to arrive to a single device, identified by two device identifiers which were colelcted during token activation on the device

- even FortiAuthenticator/FortiGate communication towards notification centers of Apple/Google is encrypted and parties are verified by certificates

- communication from client to FortiAuthenticator/FortiGate (responses from FortiToken Mobile app) are also encrypted

- therefore from my point of view there is reasonable amount of sec processes applied and I do see it even more secure then anything else, or would you like to have token delivered in plain SMS ?

I don't, regardless it is still better then having no second factor auth at all.

.. so where do you see attack vector ?

Because I said they compromise the HUMAN, not the technology.

I have experienced it with phonefactor years ago, and it is the same with PUSH notifications now.  Blow up a user's cell phone with PUSH notifications and they will hit approve the PUSH accidentally or intentionally to get rid of the notification.

With phonefactor, we had a user that kept getting phone calls to authenticate.  ((After logging into two factor systems like OWA, VPN, RDP, you received a phone call and pressed pound to authenticate.))  The user pressed pound to get the phone calls to stop.  Thousands of emails sent later, the account was shutdown.

PUSH notifications are bad.  It doesn't mean people, companies, etc. will not accept the risk and use them for user convenience.  The fact is they should not be used when the simple workaround is opening the fortitoken app and typing in your token code into whatever system.

When allowed, it is something we attempt in pentests ...and it works.

Chris

OK, got it. We will see. Some people tend to abuse anything they think can make them rich fast.

However, pushing a notification to cell through service on Fortinet side, via pre-authorized contract and path towards Apple/Google notification centers is a bit harder to orchestrate then simple phone call with DTMF.

Not sure how it's on Android, but I guess it can also restrict who and which notifications your device will listen to and display.

So I'm not worried that much.

One question I have on this is that this requires the FortiAuthenticator to be exposed to the Internet whether that be natively via it's public address and port 443 or via a NAT translated/port map option. Either way traffic will hit the FortiAuthenticator from the outside on 443 that previously would not have.  It seems we have no way of stopping any illegitimate 443 traffic getting to the FortiAuth on a firewall that sits in front of it? You have to open the FortiAuth for ALL ips which to me seems a little bit dangerous.  Happy to be reassured :0)

I want to turn this on and my customers want me to turn it on but it does make me a little nervous.