What I was afraid might happen when the Duo service can’t be contacted for whatever reason, is that people can’t login to a protected resource. Thus inadvertently denying them access.
I had mistakenly thought that if the Duo proxy server itself was unavailable, then the failmode=safe would still allow people to login. But I do see now that if the Duo proxy service is not available for whatever reason, then people are not going to be able to login to a protected resource.
It was discovered that people were able to login to a protected resource even though they didn’t have a Duo account. Thus, they received no Duo push on their mobile app and were able to continue logging in.
I’ll check out that docs link. Thanks.