Windows Logon - No Internet Connection


#1

Hello,
I was wondering if there is any update on using Duo for Windows without an internet connection?
2FA failing to work without an internet connection is a major weakness and defeats one of the major reasons to use the product.


#2

Can you please explain in more detail the scenario you are referring to, so that I may be able to offer assistance.


#4

Presently, if a laptop is taken to a remote location, say an airport that it’s never been to, when the user powers on the machine, it doesn’t have internet access. The only options presently available in the Duo for Windows application are to “FailOpen,” which means 2FA is not used at all, or “FailClosed,” making the laptop not usable.


#5

Ahh I see, currently we are not using DUO for Windows, just all remote access… I wonder if SMS codes would work for your users?


#7

SMS codes don’t apparently work from the logon screen.


#8

Unfortunately at this time the only options for your use case are to “Fail Open” when no network is available or if you use Smart Cards to provide MFA outside of Duo. I know there is a feature request being worked for this scenario.


#9

Hi jmiller,

SMS codes absolutely work with Duo for Windows Logon. Click the “Enter a Passcode” button and you can then type in a passcode you already received via SMS or request new codes.

You are correct that our binary fail open/closed behavior doesn’t account for offline MFA. We will have some news about this in the near future, but in the interim if you allow your users to configure networks from the login screen you should enable fail closed.

When your users are away from their normal location they can use the Networks UI from the icon in the bottom right to connect to an available network, allowing them to complete Duo MFA at login.


#10

Hi Kristina,
I think the SMS was related to being offline. I hadn’t thought about allowing users to configure networks prior to login; unfortunately, our users are often in locations without any internet connectivity.


#11

SMS + offline laptop does not work. The laptop has to be online.

I don’t believe you can log into a network from the Windows logon screen that requires a portal login, like at a hotel or airport, since you can’t bring up a browser window while on the logon screen.


#12

Hello, we have also run into this problem. We’d like to use DUO for MFA for local logons but it really needs to have a fallback option when it fails closed.

Is there any update on that feature request?

Thank you


#13

Hi Mark,
We don’t usually comment on features still in development, but we are hard at work on a solution for temporary offline access. I think you’ll be pleased to hear that we’ll have a solution next quarter.


#14

Hi
Is there any update to this yet? I know of a lot of users who are crying out for this!
Thanks


#15

Hi Dooley,

Any news on the offline authentication? Is July still the target?

KJ


#16

I can’t comment on a specific month at this time, but development is very much underway and this is still a feature we’re hoping to release in the next quarter time-frame.


#17

It’s August now. Is this feature working yet? Thanks.


#18

Hey marvinj, our offline login with Windows feature is currently in closed beta.


#19

Thanks. I am currently waiting to hear back from sales and engineering reps on getting in on the beta…because we are interested in purchasing the product, but cannot do so if you do not have that functionality in the product.


#20

I too am waiting to sign up as an MSP. This is a critical feature that we cannot possibly do without. The RDP product looks awesome but the offline laptop is a deal killer. I do love what Authpoint does with Watchguard, it creates a QR code on the laptop you can scan with the mobile app and it will generate a one time code to use to login to laptop.


#21

Thanks all for your interest in this feature. The Windows Logon Offline beta is now full (we had strong demand to join); no additional invitations or signups will be accepted.


#22

Hi all! Quick update: General availability for the new Duo WinLogon Offline feature is planned for October. At that time, it will be available as a feature of Duo MFA, Duo Access and Duo Beyond.

You can read more about the feature in our new blog post here: Announcing Offline Multi-Factor Authentication for Windows | Duo Security.