A second factor for your VPN logins (MFA)
Add multi-factor authentication with SMS OTP and TOTP to FortiGate SSL-VPN and RADIUS-speaking systems. Works with your own VPN — Captivo is the authentication provider.
Start FreeHow it works
1. Add the gateway
Define your VPN gateway from the panel; choose RadSec (TLS) or UDP transport.
2. Invite users
Send TOTP enrollment invites; users scan the QR code with Google or Microsoft Authenticator.
3. Point the VPN to RADIUS
Point your FortiGate to Captivo RADIUS using the ready-made CLI command card.
4. Login with a second factor
On VPN login, the user enters an SMS code or Authenticator code after the password.
Why Captivo VPN MFA?
- Second factor with SMS OTP and TOTP (Google / Microsoft Authenticator)
- RadSec (TLS 2083) and UDP — encrypted or classic RADIUS transport
- Gateway and user management from the panel; password, account lockout and QR enrollment invite
- A log of every login attempt and a ready-made CLI command card for FortiGate
- Denies access if the directory server is unreachable (fail-closed security)
- Works with your own VPN — no need to replace your existing VPN
Frequently Asked Questions
Which VPNs does it work with?
It works with systems that authenticate via RADIUS; a ready-made setup card is provided for FortiGate SSL-VPN. The VPN authenticates the user against Captivo RADIUS, and Captivo applies the second factor.
Which second-factor methods are available?
One-time code by SMS (OTP) and TOTP (apps like Google Authenticator, Microsoft Authenticator). Users enroll TOTP via a QR code.
What is RadSec and why does it matter?
RadSec encrypts RADIUS traffic with TLS (TCP 2083). It protects authentication traffic traversing the internet; classic UDP RADIUS is also supported.
What happens if the directory server is unreachable?
The system is fail-closed: if authentication can't be performed, access is denied, so no security gap opens.
Protect your VPN logins with MFA
Try SMS- and TOTP-based second factor that works with your own VPN, for free.
Start Free