Fail Open/Close and Offline Mode


First of all I’m sure this has come up frequently so apologies if I’m asking something that has been answered, and I just didn’t find it. I’m trying to wrap my head around the fail modes, and their relationship with offline mode.

My understanding with failopen and failclose is that they define behavior when the Duo cloud service is not available - Failopen not prompting for MFA, and failclose will deny login. And my understanding of Offline mode is the ability to use a passcode when the Duo service isn’t available.

Using RDP as an example, only administrators in our org RDP to servers. We are good with denying RDP access to servers if Duo is not available, but, still want the ability to login to servers directly via console if there is a need, if Duo is not reachable. Is this possible? And does offline mode work if the Duo service is not available?

EDIT: A related question, we have a couple of accounts that are shared by multiple users. For these accounts, we’ve associated each user’s phone to those accounts. How does that work with Offline mode - would each user be able to set up offline access using their phones to use these shared accounts, or, would only one phone/device be able to use it?


One piece that I forgot to mention is that we’re using the authentication proxy, and I see that it also has a configurable fail mode.

Offline access is only available today for Duo Authentication for Windows Logon. Each user who wants to be able to use offline access needs to set it up.

  1. Perform an online Duo login
  2. Enroll in offline access
  3. User can log in when the system can’t reach Duo.

Offline access and fail open should be mutually exclusive. If the application is configured to fail open when it can’t reach Duo, it will never try to use offline access for anyone, and will let everyone in without 2FA.

Users can only register one offline authenticator so the shared account scenario you describe isn’t supported.

With fail close, when Duo can’t be reached then the users who set up offline access can use it to log in, and users who did not can’t log in.

There is no offline access for RADIUS and LDAP integrations that use the Authentication Proxy; your choices are to fail open or to fail closed.
