So, are you saying that I can add however many more token users I want to my FG100D for free? Security generally should not be 'perfect' because that will almost surely impose costs in money and/or usability which are unsustainable to our organizations. We always have to remember, as security people, that security does not exist in a vacuum. My goal is to not have to pay €80/soft token to FortiNet for a service which many other sites offer for free. (That said, it would be good for Google to add a PIN option). FTM (on device) being more secure than GA (on device) is of little concern to me, as if the device itself is lost or stolen, the principal security control is that the employee promptly report the loss/theft and we disable the credential. A token, any token, Google Authenticator or FortiToken Mobile, for us is principally to prevent the theft of a password from being sufficient to gain remote access to our resources. I doubt it, based on the exorbitant price quote I got from my local FortiNet partner for FortiToken licenses this week.

Even if FTM is slightly more secure, we're not looking for perfect security, we're looking for useful security against far-remote attacks. So why not use FTM instead of GA?", whether you are saying that I can use FTM for free in whatever quantity I want with my FortiGate 100D appliance. I'm not sure, when you say "FTM version 2. Fortinet is a security company and bakes security into every product. Fortinet does not charge extra for security. The seeds are never visible and they can only be activated one time. The same is not true for FortiToken Mobile because of the way FTM tokens are generated, transmitted and provisioned. Further, GA tokens can be easily stolen through shoulder surfing. I can load the same token on multiple instances of GA thereby breaking the second factor rule. Tokens installed on GA are easily copied.
If that factor is able to be copied, it is no longer meeting the definition of 2FA and is not secure in that sense. Their annual soft token cost is $38 PER YEAR.

As for security, the token in 2FA is the second factor, the "something you have" factor. So an apples-to-apples comparison is not trivial.

A quick Google search reveals this link to a cost comparison from Yubico, who claims the YubiKey has the lowest total fees and annual total cost per credential. And there are tons of pricing gimmicks and games, such as server costs and annual subscription fees. And there is always a difference between "List" and "street" price.

But you will still have to pay those vendors.

As for pricing analysis, that is highly proprietary and is not something to share in a public forum. If you don't want Fortinet tokens for use with your FortiGate, then use someone else's, like Vasco, Safenet or RSA. Fortinet is the only vendor that offers two free tokens with their devices. Second, what other firewall/VPN vendor offers free tokens for 2FA? Not Cisco, not Checkpoint, not Juniper, not anyone. OAuth is an open standard for authorization, something completely different. but I'll try one more time to answer your concerns:

First of all, the organization for authentication interoperability standards is OATH, not OAUTH.

The OpenOTP server previously mentioned also provides RADIUS authentication services with multifactor. We'll just have to agree to disagree. So for your hardware VPN solution, you can authenticate the VPN clients using RADIUS against the MFA server, using a code or PIN plus a TOTP code (as described in the parent post above) as the password.
If you want to enable MFA for services under your control (such as Active Directory), then you can implement a 3rd-party solution, such as Duo (for a cloud-based system) or an on-premises, software-based system such as Wright or OpenOTP from RCDevs.

For devices or services that don't support MFA but do support RADIUS, you can set up an MFA server that also serves RADIUS clients. If you want to enable MFA for other online accounts, you'll be limited to whatever the provider offers - if they offer anything at all. To be clear, that only enables MFA for your Google account.