Offline Authentication without Bypass enabled


#1

I have a client that works offsite and doesn’t always have internet right away when logging in, so the Duo Authorization fails and does not let them into the PC. As a workaround, we have been enabling the local bypass in the Registry of the PC and then have a GPO that disables the local bypass the next time they log into the LAN. Is there a way for users to authenticate through Duo while their computers are offline?


#2

No, sorry, Duo’s Windows Logon client must have connectivity to our cloud service to perform 2FA.

There is a feature request for offline authentication (where the application could cache successful MFA for a defined period and permit offline logon for that previously authenticated user). Please contact your customer success manager or Duo Support to learn more.


#3

Has there been any update in the past 5 months on this? We too have been trying this for a company. Thanks for any help that you can offer.


#4

We are looking into a 2FA solution for our company and would also like to understand the offline use case. It’s pretty common for our users to be logging into their laptops without internet access (e.g. on an airplane or at a customer facility). If we allow bypass of 2FA when on the road, we are bypassing 2FA when it’s most useful and when the hardware is at most risk of getting stolen. Only requiring 2FA when connected to the internet for a laptop logon is the same as not requiring 2FA at all - the laptop can simply be taken out of the location with network access to bypass 2FA.

What’s Duo’s recommendation on deploying Duo 2FA for Windows laptops when travel and logging in while disconnected from the internet is a common use case?


#5

We are investigating solutions for protected offline access on Windows systems. For now, the only option for offline login remains using Duo’s fail open mode to permit access while the system can’t contact Duo.

If data compromise from stolen laptops is a concern, Duo should only be one part of your total endpoint solution. Physical access to hardware trumps almost all access controls. Be sure to deploy full-disk encryption to protect your information.


#6

Hi Kristina, have there been any updates on this, as we are an MSP and have clients with roaming devices that sometimes don’t have an active internet connection? The offline access that’s currently provided by Duo doesn’t really fit our security model.

Is there potentially a way to use the YubiKey offline with Duo?


#7

As before, we are still exploring methods for offline 2FA for Windows systems. Please contact your account or partner rep for more detailed roadmap information.


#8

Hi Kristina, I am only trialing Duo as of now, so who would be the best person to speak to?


#9

If you’re trialing Duo you may have been contacted by one of our sales representatives? That would be a good person to talk to about this, or you can still contact Support and say you want to add your support to an existing feature request.


#10

Does “Send SMS Passcodes…” work offline?