Enable offline authentication


I have enrolled several users but they are configured for failopen on the devices, so when offline they are able to bypass Duo.

If I now enable offline authentication and enrollment in the ‘Windows RDP’ application, will this affect them in any way?

Once I have enabled offline access, can I just disable failopen for those users and they will be able to use Duo offline with the bypass codes?

Hi Techie73, once you check the “Enable offline login and enrollment” box on your RDP/Windows Logon application’s properties page in the Duo Admin Panel and save your settings, all users will be prompted to complete offline enrollment the next time they see the Duo prompt for Windows Logon and their system has access to the internet. You can see the expected behavior in our instructional video here (video should start at 4:25):

Note that you can limit offline access to certain Duo groups by checking the “Limit access by groups” box and adding Duo user groups.

To answer your second question, yes, you can disable failopen for those users. They will not be using conventional “bypass codes”; however, they will be using Security Keys or Duo Mobile-generated passcodes.