Posted on 21-Aug-2020

TRANSCRIPT

Page 1: MULTIFACTOR AUTHENTICATION WITH FORTITOKEN & … Info-Byte... · FortiToken 200 series performing a TOTP generation for Multi-Factor Authentication (MFA) ... Next-gen Firewall (NGFW)

CONFIDENTIAL

MULTIFACTOR AUTHENTICATION WITH FORTITOKEN & FORTIAUTHENTICATOR

Page 2: BEST PRACTICE SECURITY

“Multi-factor authentication (MFA) is one of the most effective controls an organisation can implement to prevent an adversary from gaining access to a device or network and accessing sensitive information.

When implemented correctly, multi-factor authentication can make it significantly more difficult for an adversary to steal legitimate credentials to facilitate further malicious activities on a network. Due to its effectiveness, multi-factor authentication is one of the Essential Eight from the Strategies to Mitigate Cyber Security Incidents.”

- Australian Signals Directorate, April 2019

Page 3: BEST PRACTICE SECURITY

▪ Access should require at least two of the following:

» Something you know: e.g. a Personal Identification Number (PIN), a password or a challenge-question response

» Something you have: e.g. a physical token, a smartcard, a one-time password token, or a software certificate

» Something you are: e.g. a fingerprint or an iris scan

▪ If an authentication method at any time offers the user the ability to reduce the number of factors to one, it is by definition no longer a multi-factor authentication method. A common example is when a user is offered the ability to “remember this computer/password”.

Page 4: WHAT IS?: OATH, OTP, TOTP AND HOTP GENERATORS

▪ OATH (Initiative for Open Authentication) compliance means adhering to the standards set out by that open industry initiative, whose position is that authentication solutions should be built on open standards developed collaboratively by security vendors rather than on proprietary schemes. An OATH-compliant token can therefore be validated by any OATH-compliant server once its seed has been provisioned to that server.

▪ A One-Time Password (OTP) is an automatically generated numeric or alphanumeric string that is valid for a single transaction or login session. It is produced by an algorithm (see below) that keeps the authentication server and the OTP generator synchronised, so both sides compute the same value from a shared secret:

» TOTP: Time-based One-Time Password algorithm (RFC 6238), synchronised by the current time

» HOTP: Keyed-hash message authentication code (HMAC)-based One-Time Password algorithm (RFC 4226), synchronised by an event counter that advances on each use

Page 5: WHAT IS?: ONE-TIME PASSWORD TOKEN GENERATOR

▪ FortiToken 200 series performing TOTP generation for Multi-Factor Authentication (MFA), sometimes known as Two-Factor Authentication (2FA)

[Diagram: the user submits Static Password + OTP (read from the OTP token) to the validation server. The server matches the static password against a directory (e.g. Active Directory) and matches the OTP by running the same algorithm over the same shared secret. Token and validation server keep the same time and the same step rate (“same time, same speed”); the server is time-synced with a time server (NTP).]
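The two slides above describe the algorithm (HOTP/TOTP) and the validation flow (static password + OTP checked by a server that shares the token's seed and clock). The following is an added worked example, not code from the slide deck or from Fortinet: it implements RFC 4226 HOTP and RFC 6238 TOTP from the standard library and a small validation server that splits a "password + OTP" submission, checks the static part against a stored hash (a stand-in for the Active Directory lookup in the diagram), accepts one step of clock drift either side, and refuses to accept the same time step twice. The seed is the ASCII test-vector secret from the RFCs; the user name is taken from the demo slide, and the password, the class and function names are assumptions for this illustration.

```python
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional

# Constructed demo seed: the ASCII secret used by the RFC 4226 / RFC 6238 test vectors.
# Real token seeds are random bytes provisioned to both the token and the validation server.
DEMO_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digest=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, digest=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter replaced by the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits, digest)


class OtpValidationServer:
    """Server side of the slide-5 diagram (illustrative, not FortiAuthenticator's code).

    The user submits static password + OTP in one field. The static part is checked against a
    salted hash (standing in for the Active Directory match) and the OTP is recomputed from the
    same seed and the same time step. Codes from +/- `window` steps are accepted to absorb clock
    drift, and a time step is never accepted twice for a user (replay protection)."""

    def __init__(self, step: int = 30, digits: int = 6, window: int = 1):
        self.step, self.digits, self.window = step, digits, window
        self.users: Dict[str, dict] = {}

    def enrol(self, user: str, password: str, seed: bytes) -> None:
        salt = hashlib.sha256(user.encode()).digest()[:16]   # demo salt; use os.urandom in production
        self.users[user] = {
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000),
            "salt": salt, "seed": seed, "last_step": -1,
        }

    def _check_password(self, rec: dict, password: str) -> bool:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 100_000)
        return hmac.compare_digest(candidate, rec["pw_hash"])

    def _match_otp(self, rec: dict, code: str, now: int) -> Optional[int]:
        """Return the time step the code matches within the drift window, else None."""
        current = now // self.step
        for cand in range(current - self.window, current + self.window + 1):
            # constant-time compare: an OTP check must not leak matching digits through timing
            if hmac.compare_digest(hotp(rec["seed"], cand, self.digits), code):
                return cand
        return None

    def login(self, user: str, combined: str, now: Optional[int] = None) -> bool:
        """`combined` is the static password with the OTP appended, e.g. 'Winter2020' + '287082'."""
        rec = self.users.get(user)
        if rec is None or len(combined) <= self.digits:
            return False
        password, code = combined[:-self.digits], combined[-self.digits:]
        now = int(time.time()) if now is None else now
        pw_ok = self._check_password(rec, password)
        step = self._match_otp(rec, code, now)
        if not pw_ok or step is None or step <= rec["last_step"]:
            return False        # wrong password, wrong/expired code, or replayed code
        rec["last_step"] = step  # consume the step only on a fully successful login
        return True


if __name__ == "__main__":
    print([hotp(DEMO_SEED, c) for c in range(3)])   # RFC 4226 vectors: 755224, 287082, 359152
    print(totp(DEMO_SEED, 59, digits=8))            # RFC 6238 vector at T=59: 94287082
    server = OtpValidationServer()
    server.enrol("jzullo", "Winter2020", DEMO_SEED)  # constructed demo user and password
    t = 1_700_000_000
    code = totp(DEMO_SEED, t)
    print(server.login("jzullo", "Winter2020" + code, now=t + 20))   # True: inside drift window
    print(server.login("jzullo", "Winter2020" + code, now=t + 25))   # False: same step replayed
```

The replay check matters because a TOTP code stays valid for the whole 30-second step plus the drift window: without recording the last accepted step, a code captured by a keylogger or phishing page can be reused immediately. The step is consumed only after both factors verify, so a typo in the static password does not burn the user's current code.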

Page 6: CURRENT LANDSCAPE

▪ Google and Microsoft Authenticators:

» Linked to staff personal phones and personal email addresses, making issues hard to troubleshoot

» Concerns around harvesting of personal data

» Limited/no logging and reporting data with which to analyse indicators of compromise

▪ LastPass password manager:

» A good step in the direction of credential management, but it becomes an additional bolt-on product without much interoperability with, or management from, the rest of IT

» Non-perpetual, high-cost subscription per user, starting at $3 AUD per month ($1,800 per year for 50 staff)

▪ Nothing:

» No password policy means that many businesses are leaving the front door to their IP wide open to attack

» Default admin credentials, no password-strength enforcement, and staff storing passwords in Word documents on the desktop

» Too many passwords to remember has led staff to form unsafe habits

Page 7: Fortinet Recognized as a Leader

Marks the 10th time in a row that Fortinet is in the Gartner Magic Quadrant for Network Firewalls

Page 8: NSS Labs 3rd-Party Certifications

▪ Most recent 2019 test results

[Chart: NSS Labs Recommendations by vendor. Test categories: Next-gen Firewall (NGFW); Next-gen Intrusion Prevention System (NGIPS); Data Centre IPS; Data Centre Security Gateway (DCSG); Breach Prevention System (BPS); Breach Detection System (BDS); Advanced Endpoint Protection (AEP); Web Application Firewall (WAF); Software-Defined Wide Area Network (SD-WAN). Recommendation counts shown: Fortinet - 9, Palo Alto Networks - 4, Check Point - 3, Cisco - 2.]

Page 9: SINGLE SIGN-ON USER IDENTIFICATION

▪ FortiAuthenticator can identify users through a varied range of methods and integrate with third-party LDAP or Active Directory systems to apply group or role data to the user, then pass that identity to FortiGate for use in identity-based policies. FortiAuthenticator is completely flexible and can use these methods in combination:

» Active Directory polling

» FortiAuthenticator SSO Mobility Agent (FSSO)

» Portals and widgets

» RADIUS accounting login

▪ Strengthens enterprise security by simplifying and centralising the management of user identity information

▪ Certificate management for enterprise VPN deployment
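Of the identification methods listed above, RADIUS accounting login is the one that is a wire protocol: the network access server (a VPN gateway, wireless controller or switch) sends an Accounting-Request when a user logs on and off, and the identity server learns which IP address belongs to which user from it. The following is an added example, not code from the slide deck or from Fortinet: it builds RFC 2866 Accounting-Request packets as a NAS would, and on the server side verifies the Request Authenticator under the shared secret before trusting the User-Name / Framed-IP-Address pair, maintaining the IP-to-user map that identity-based policies consume. The shared secret, the user name (taken from the demo slide), the addresses and the class and function names are assumptions for this illustration.

```python
import hashlib
import hmac
import ipaddress
import struct
from typing import Dict, List, Optional, Tuple

# RFC 2866 / RFC 2865 constants
ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_ACCT_STATUS_TYPE = 40
ACCT_START, ACCT_STOP, ACCT_INTERIM = 1, 2, 3


def encode_attrs(attrs: List[Tuple[int, bytes]]) -> bytes:
    """RADIUS attributes are TLVs: type (1 byte), length including the 2-byte header, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(data: bytes) -> List[Tuple[int, bytes]]:
    """Strict TLV parser: a truncated or overlong attribute raises instead of being guessed at."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, ln = data[i], data[i + 1]
        if ln < 2 or i + ln > len(data):
            raise ValueError("bad attribute length")
        attrs.append((t, data[i + 2:i + ln]))
        i += ln
    return attrs


def build_accounting_request(identifier: int, attrs: List[Tuple[int, bytes]], secret: bytes) -> bytes:
    """NAS side. RFC 2866: Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def nas_accounting(user: str, ip: str, ident: int, secret: bytes, status: int = ACCT_START) -> bytes:
    """Convenience wrapper: the packet a gateway sends when `user` gets (or releases) address `ip`."""
    return build_accounting_request(ident, [
        (ATTR_USER_NAME, user.encode()),
        (ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address(ip).packed),
        (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", status)),
    ], secret)


class AccountingIdentityMap:
    """Identity-server side: learn IP -> user from authenticated Accounting packets.

    A packet whose Request Authenticator does not verify under the shared secret is dropped;
    otherwise anyone who can reach UDP/1813 could report a fake logon and inherit that user's
    identity-based firewall policy."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.ip_to_user: Dict[str, str] = {}

    def handle(self, packet: bytes) -> Optional[Tuple[str, str, str]]:
        if len(packet) < 20:
            return None
        code, _ident, length = struct.unpack("!BBH", packet[:4])
        if code != ACCOUNTING_REQUEST or length != len(packet):
            return None
        body = packet[20:]
        expected = hashlib.md5(packet[:4] + bytes(16) + body + self.secret).digest()
        if not hmac.compare_digest(expected, packet[4:20]):
            return None                                     # wrong secret or tampered packet
        try:
            attrs = dict(parse_attrs(body))
            user = attrs[ATTR_USER_NAME].decode()
            ip = str(ipaddress.IPv4Address(attrs[ATTR_FRAMED_IP_ADDRESS]))
            status = struct.unpack("!I", attrs[ATTR_ACCT_STATUS_TYPE])[0]
        except (KeyError, ValueError, struct.error):
            return None
        if status in (ACCT_START, ACCT_INTERIM):
            self.ip_to_user[ip] = user
            return ("logon", user, ip)
        if status == ACCT_STOP and self.ip_to_user.get(ip) == user:
            del self.ip_to_user[ip]
            return ("logoff", user, ip)
        return None


if __name__ == "__main__":
    SECRET = b"demo-shared-secret"          # assumption: the RADIUS client secret configured on both ends
    server = AccountingIdentityMap(SECRET)
    print(server.handle(nas_accounting("jzullo", "10.10.1.7", 1, SECRET)))          # ('logon', ...)
    print(server.ip_to_user)                                                         # {'10.10.1.7': 'jzullo'}
    print(server.handle(nas_accounting("mallory", "10.10.1.7", 2, b"wrong-secret")))  # None: rejected
    print(server.handle(nas_accounting("jzullo", "10.10.1.7", 3, SECRET, ACCT_STOP)))  # ('logoff', ...)
```

The authenticator check is the whole point of the example: RADIUS accounting carries no per-user credential, so the only thing binding a logon report to a trusted gateway is the MD5 over the shared secret. Source-IP filtering on the accounting port and a strong, per-NAS secret are the practical controls that go with it.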

Page 10: SINGLE SIGN-ON USER IDENTIFICATION

Page 11: FORTINET SOLUTION FORM FACTORS

Hardware Appliance

» Dedicated processor chips to process content and network functions separately

» Ruggedized and dual-power-supply options

» Australian stock for FortiCare hardware replacements

Virtual Machine

» Licensed per CPU or log capacity

» Worry less about projected growth and throughput sizing

» Deploy in your own AWS or Azure cloud to apply true cloud flexibility

Azure/AWS Marketplace

» Auto Scaling functionality and FortiGate CloudFormation template configuration provide automation based on resource demand

» Deploy native Azure/AWS scripting to automatically push malicious IP/DNS addresses or load balancing into dynamic FortiGate policies

Page 12: PRODUCT MATRIX » FortiAuthenticator

Model        Total users (Local+Remote)   User certificates   AUD RRP
FAC-200E          500                          2,500           ~$8,400
FAC-400E        2,000                         10,000          ~$18,000
FAC-1000D      10,000                         50,000          ~$38,000
FAC-2000E      20,000                        100,000          ~$50,000
FAC-3000E      40,000                        200,000          ~$70,000

Page 13: PRODUCT MATRIX » FortiToken

Product               SKU                       Description                                                                      AUD RRP (perpetual)
FortiToken app        FTM-ELIC-5                5 device codes for one-time password tokens for iOS and Android mobile devices.  ~$475 (~$95 ea)
                                                Perpetual licences.
FortiToken physical   FTK-200-5 (keychain)      5 one-time password physical tokens in keychain style or credit-card style.      ~$490 (~$98 ea)
                      FTK-220-5 (credit card)   Perpetual licences.
FortiToken dongle     FTK-300-5                 5 USB dongles for PKI certificate and client software. Perpetual licence.        ~$530 (~$106 ea)

Page 14: Secure Access

Simplified, consolidated management for your entire infrastructure

Page 15: Sales Scenario

“I don’t see what the problem is, why should I buy this two-factor stuff when I haven’t heard staff complain?”

Page 16: Cannot see the use case for MFA and SSO

▪ People usually buy an alarm after they have been robbed the first time

» Prevention is always better than cure

▪ Staff have probably already formed unsafe habits like simple passwords and storing passwords in a notepad.txt document on the desktop

» Not being able to see air doesn’t mean it’s not there

▪ Productivity could increase with ease of secure accessibility to CRM and database systems

» Many staff keep their notes or communication in the system that is easiest to access

▪ MFA doesn’t just help to protect from external hackers; data leaks are often performed by the enemy within

» MFA alerts notify you if someone has your password and is attempting to log in from a new device

Page 17: Sales Scenario

“We looked at your Fortinet solution but it seems very expensive when we can use free tools and update our HR orientation guide”

Page 18: Using free tools to achieve MFA or some SSO

▪ Security audits from third parties will always ask what your reporting capabilities are and request a sample report

» Using a mix of free tools will mean a staff member will need to sit down and create the reports by hand

▪ Free tools are targeted by hackers due to their popularity

» When an exploit is found it would be like free cheeseburger day at McDonald’s as opposed to free pear day at Coles

▪ Bolting on more security tools may increase safety in that one area, but if they don’t talk to one another you do not have a wide view of all your risk

» Most free tools work as a single point product in isolation from other tools

▪ Free tools can have their development stopped/slowed due to lack of volunteers, or popular tools are often bought out

» LogMeIn currently owns LastPass; what has that done to its product development since?

Page 19: Live Demonstration

Multi-factor authentication with FortiClient VPN for user logins

Page 20: [Screenshot: FGT-MEL-FortiGate60E, user: jzullo]

Page 21: Live Demonstration

Using FortiToken free for Microsoft 365 (or any other OATH OTP MFA)

Page 22: [Screenshot: Microsoft 365 Admin Console and sign-in]

Page 23: Questions?

Page 24: