FORTIAUTHENTICATOR · MFA · SSO · PASSWORDLESS · ZERO TRUST

Secure Access & Authentication

FortiAuthenticator eliminates weak password-based authentication — replacing it with MFA (TOTP, push, hardware tokens), enterprise SSO, and passwordless authentication. Integrated with Fortinet Security Fabric for ZTNA policy enforcement.

MFA: Multi-factor authentication for all users and all access points
SSO: Single sign-on across all enterprise applications
Passwordless: FIDO2 and certificate-based passwordless authentication
ZTNA: Zero Trust Network Access enforcement integration

FortiAuthenticator Capabilities

A complete authentication platform covering every access scenario — from VPN MFA to enterprise SSO and passwordless.

Multi-Factor Authentication

FortiAuthenticator supports a broad set of MFA methods: TOTP (time-based OTP, Google Authenticator/FortiToken Mobile compatible), push notifications, SMS OTP, hardware tokens (FortiToken 200), and biometric authentication via FIDO2. Enforce MFA for VPN, admin portals, cloud apps, and FortiGate management.

Single Sign-On (SSO)

SAML 2.0, OAuth 2.0, and OIDC-based SSO for all enterprise applications — Microsoft 365, Salesforce, ServiceNow, and custom internal apps. Users authenticate once and access all authorized applications without re-entering credentials. Active Directory and Azure AD integration for centralized user management.

Passwordless Authentication

FIDO2/WebAuthn passwordless authentication using hardware security keys (YubiKey, FortiToken FIDO), biometrics (Windows Hello, TouchID), or mobile authenticator push. Eliminates passwords entirely — removing the #1 attack surface for phishing and credential theft.

RADIUS & LDAP Integration

FortiAuthenticator acts as RADIUS server for VPN (FortiGate, Cisco ASA, Palo Alto), wireless (Aruba ClearPass replacement), and network access. LDAP proxy for application authentication. Integrates with Windows AD, Azure AD, OpenLDAP, and Oracle LDAP.

ZTNA Enforcement

Integration with FortiGate ZTNA policies — users are authenticated by FortiAuthenticator and granted access tags that FortiGate evaluates for zero-trust access decisions. Device posture check results from FortiClient EMS combined with user identity for context-aware access.

Guest & Contractor Management

Self-service guest portal with sponsor-based approval workflow. Time-limited guest accounts with automatic expiry. Contractor access with separate authentication policies. Full audit trail of guest access events for CERT-In and compliance requirements.

FortiAuthenticator MFA Methods

Choose the right authentication method for each user group — from soft tokens for everyday employees to hardware keys for privileged administrators.

TOTP Soft Token

FortiToken Mobile app (iOS/Android), Google Authenticator compatible. 6-digit time-based code, 30-second validity.

Best for: Most users, BYOD environments. No hardware required.

Push Notification

FortiToken Mobile push — one-tap approval on smartphone. Fastest user experience for daily authentication workflows.

Best for: Office workers with smartphones. Requires mobile data/WiFi.

Hardware Token / FIDO2

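FortiToken 200 hardware OTP token or FIDO2 security keys (YubiKey, FortiToken FIDO). Highest security tier: FIDO2 keys are phishing-resistant by design because the credential is bound to the site it was registered for, whereas a hardware OTP code can still be typed into a look-alike page.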

Best for: Privileged admins, shared workstations, and users without smartphones.

Why Deploy FortiAuthenticator with Ogma

FortiAuthenticator delivers its full value as part of an integrated Security Fabric deployment — not as a standalone appliance.

Fortinet Security Fabric Expertise

FortiAuthenticator is most powerful when integrated with FortiGate (ZTNA), FortiClient EMS (endpoint posture), and FortiAnalyzer (auth event logging). Ogma deploys FortiAuthenticator as part of complete Security Fabric implementations — not as an isolated authentication silo.

India Enterprise Experience

Deployed FortiAuthenticator for BFSI (RBI two-factor authentication requirements for admin access), manufacturing (multi-site VPN MFA), and government organizations (CERT-In access control guidelines). Understanding of Indian regulatory MFA requirements.

Zero Disruption Migration

Moving from password-only to MFA requires careful change management. Ogma creates phased rollout plans — starting with admin accounts and VPN users, expanding to all application SSO — with user communication and helpdesk preparation to minimize support tickets.

Ogma FortiAuthenticator Deployment Process

A structured five-phase approach that moves your organisation from password-only to full MFA and SSO without disrupting users.

1. Authentication Audit

Map all access points requiring MFA: VPN, admin portals, cloud apps, on-premise applications. Identify current authentication methods and gaps.

2. Architecture Design

Select MFA methods by user type (push notifications for employees, hardware tokens for privileged admins). Design SSO application catalog. Plan RADIUS server placement.

3. AD/LDAP Integration

Connect FortiAuthenticator to Active Directory. Configure user synchronization, group-based policy assignment, and authentication policy rules.

4. Pilot & Training

Deploy MFA for a pilot group (typically IT team first). Test all application flows, VPN, and SSO. Prepare helpdesk FAQ for common user issues (device registration, token loss).

5. Full Rollout

Phased rollout by department or office location. Enable SSO for applications one by one. Transition VPN to RADIUS MFA. Enable passwordless for compatible applications.

Frequently Asked Questions

Common questions about FortiAuthenticator deployment, capabilities, and Indian regulatory compliance.

FortiAuthenticator supports: TOTP soft token (FortiToken Mobile, Google Authenticator), push notification (FortiToken Mobile), SMS OTP, hardware OTP token (FortiToken 200), email OTP, FIDO2/WebAuthn (hardware security keys and biometrics), and client certificate authentication. You can assign different MFA methods to different user groups based on security requirements and user convenience.

Yes. FortiAuthenticator integrates with Azure AD as an LDAP/RADIUS proxy and via SAML for SSO. Users can authenticate with their Azure AD credentials plus FortiAuthenticator MFA — centralizing identity management in Azure AD while adding MFA enforcement for VPN, network devices, and applications that don't natively support Azure AD authentication.

FortiAuthenticator acts as a SAML 2.0 Identity Provider (IdP). When a user accesses a SAML-enabled application (Microsoft 365, Salesforce, custom apps), they're redirected to FortiAuthenticator for authentication (username + MFA). On success, a SAML assertion is returned to the application — granting access without the application needing to verify credentials directly. Users log in once and access all connected applications.

Passwordless authentication replaces the password with a cryptographic credential — a FIDO2 hardware security key (physical device), biometric (fingerprint, face ID), or device-bound passkey. These credentials cannot be phished — they only work on the exact website/application they were registered for. Passwordless is considered significantly more secure than even MFA with passwords, since there is no password to steal or brute-force.

FortiAuthenticator is available as a hardware appliance (FAC-VM-BASE/100D/1000E), virtual machine (for VMware, KVM, Hyper-V), and cloud instance (AWS/Azure). For most Indian enterprise deployments, Ogma recommends VM deployment in your data centre for low latency and data sovereignty. High-availability (HA) active-passive deployment is supported.

FortiAuthenticator integrates with FortiGate ZTNA as the authentication provider. When a user requests access to a ZTNA-protected application, FortiGate redirects authentication to FortiAuthenticator (MFA challenge). On success, FortiGate evaluates user identity, device posture (from FortiClient EMS), and context to grant least-privilege application access. FortiAuthenticator provides the identity component of the Zero Trust access decision.

RBI's IT Framework (2023) requires multi-factor authentication for all privileged access, remote access, and internet-banking administrator access. SEBI's Cyber Security Framework (CSCRF 2023) mandates MFA for all critical system access. FortiAuthenticator generates compliance evidence — authentication logs, failed attempt reports, privileged account MFA audit reports — directly applicable to RBI IT Framework and SEBI CSCRF compliance audits.

Eliminate Password Risk with FortiAuthenticator

Ogma deploys FortiAuthenticator for MFA, SSO, and passwordless authentication — integrated with your FortiGate VPN and ZTNA policies.