Duo Offline on Servers

So this came up in a discussion with my fellow IT folks here in our office and I figured I would put it out there for the community and see other folks opinions on it. We have DUO on multiple servers and one of the things we would really love to see is the ability to set up an “Offline” access to the server that is not tied to a specific person. For example, if we set up a Yubikey as an offline authenticator on a server, have that be available to anyone logging into that server in case of internet access not being available (say an Internet Outage). It isn’t a huge deal but it is something that would make it nicer when installing DUO on servers, that instead of having X number of “offline codes” in the app for the various servers, if there was the ability to have a yubikey plugged into the server that could be used as an offline authenticator for anyone with the ability to login to the server when the internet is out.

Hi @VanguardSam,

Could you be more specific about what you mean by “servers”? If you are using Duo for Windows Logon and RDP, it is possible to set up offline access using a supported U2F key as you describe here. Read more about how to set this up in the guide here: Duo Authentication for Windows Logon and RDP | Duo Security

From a security standpoint, however, note that having a single security key that many people have access to may not be an ideal security practice.

For more information about completing authentication with Duo without Internet access or network signal (aside from offline access for Duo Authentication for Windows Logon), please see this Duo Knowledge Base article.

By servers, I mean machines running Server 08R2,2012,2012R2,2016,2019. For example a Domain Controller running Server 2012R2 with Duo installed for use with Windows Logon and RDP, be able to enroll a single Yubikey that works across all users who are able to login to the machine if it is offline. Reading from the documentation it specifically states " Note that only one authentication device — a single phone with Duo Mobile or a single security key — may be activated for offline login. Activating a second device via the reactivation process deactivates the first." So that would imply that after having enrolled a Yubikey for a user that the Yubikey is enrolled for everyone, BUT when another user (who didnt enroll the yubikey offline) they are then prompted to enroll an offline device, which reading the above line from the documentation would imply that IF they do that it breaks the original enrollment of the Yubikey for offline.

Ah okay, thank you for clarifying.

So that would imply that after having enrolled a Yubikey for a user that the Yubikey is enrolled for everyone

No, that is not correct. When you enroll a user in Offline Access for Duo Authentication for Windows Logon and activate a Yubikey as that user’s device, the device applies only to that specific user account. If you were to enroll another admin as a second user and activate that same Yubikey as the second user’s device, the first user’s device is unaffected. Both users can use the same Yubikey to complete authentication.

Activating a second device via the reactivation process deactivates the first.

This means that if a user with offline access who has already activated an authentication device attempts to activate a second device on their user account, the first device will be deactivated. So, let’s say you activate a Yubikey for your user account, and later you activate a smartphone for that same user account, the Yubikey would then be deactivated and you could only use your smartphone to complete authentication.

To summarize, each user can have only one device activated for their account with Offline Access for Duo Windows Logon, but multiple users may activate the same device for their individual accounts. Again, please note that that is not an ideal security practice.

2 Likes

Great response @Amy - you managed to clarify a few of my outstanding questions there

Thank you, @dean! I’m glad you were able to find the answers you needed. :slight_smile: If you have any remaining questions we could help with, please don’t hesitate to ask in a new thread.