Thoughts on FailOpen vs. Offline Access Codes for Windows Logon?

Hello! We’re going to be implementing Duo for Windows Logon in the next couple of months and I wanted to get some thoughts on people’s opinions of FailOpen vs. Offline Access Codes.

In our organization, we have dozens of users who are rotating around to several different computers. That said, since Offline Access seems to need a new key for each computer, I’m leaning towards FailOpen for our users, but I’m wondering how abusable that would be? If somebody cut off access to the Duo Cloud in some way, they’d be able to bypass 2FA.

Just wanted to ask around before making my decision. I appreciate your time!