Use case: Sign into a Windows, MacOS, or Linux system while the user is offline and cannot connect to the SPAS server.
IMPORTANT: The user must have an event-based OTP (OATH HOTP) token to authenticate with SurePassID offline MFA. Time-based OTP (OATH TOTP) tokens and FIDO2/WebAuthn passkeys do not support offline MFA.
How does SurePassID offline MFA work?
Offline MFA employs a methodology similar to that utilized by Active Directory for authenticating users when they are disconnected from the network. Upon enabling offline MFA, the system automatically maintains a cache of local MFA information necessary to authenticate the user without requiring access to the server. The system refreshes this local cache automatically when the user connects online and successfully authenticates to the server.
How big should the local cache be?
The size of the local cache maintained for offline operations is configurable per user, based on the tokens assigned to the user. Determining the appropriate cache size is crucial. It must be large enough to ensure the user does not exhaust the cache while offline but should not be excessively larger than necessary. A simple approach to determine the cache size involves answering the following questions:
- How many times does the user log in per day? Termed logins_per_day.
- How many days will the user remain offline before they can reauthenticate to the server and update the cache? Termed days_offline.
- What is the potential variance (%) in logins_per_day and days_offline? Termed variance. Initially, assume a 20% variance to accommodate various login use case requirements.
To calculate the cache size, use the formula: (logins_per_day × days_offline) + variance, where the variance term is variance % of (logins_per_day × days_offline); equivalently, logins_per_day × days_offline × (1 + variance).
Examples:
- If the user logs in 15 times daily and remains offline for 3 days with a 20% variance, the cache size would be 54. Calculation: (15 × 3) + (15 × 3 × 0.20).
- If the user logs in between 15 and 20 times daily and remains offline for 3 to 5 days, the calculated cache size would be 120. Calculation: (20 × 5) + (20 × 5 × 0.20).
After some production time, review login data and adjust the cache size accordingly.
Steps to add Offline Tokens for Windows WLM and MacOS/Linux PAM Logins
Add the Token and set offline cache size
- Associate an event-based or "offline token" OTP type with the user account.
- Set the cache size for the offline token.
- By default, the number of offline logins allowed in WLM is set to 30. In PAM, the number of offline logins is set to 5 less than the OTP Window Size configured in SPAS.
- This limit can be adjusted by modifying the OTP Window Size in SPAS or by setting a buffer in the PAM configuration.
- The OTP Window Size for event-based/offline tokens is 30, and you can increase it as needed in the SPAS UI.
Enable Offline Support
- Configure offline Windows support in the WLM (Windows Logon Manager) or offline Linux PAM (Pluggable Authentication Module). For WLM, this support can be set in the registry directly or by using the Configuration Manager Tool (see Offline Security Policy). For the PAM module, this is set in the configuration file.
Initial Sign-In
- Perform an online sign-in using WLM or PAM while connected to the SPAS server.
- Users with an offline-enabled event-based token will then be able to sign in offline by presenting an OTP from that token.
Cache Refresh Requirement
- Once the offline login limit is reached, the user must go online to refresh the cache. If the user exhausts their offline cache and needs to log in, you can provide them with a bypass code that will allow them to access the system until they are back online and their cache is refreshed.
- If the bypass code is used, it is important to change the user's bypass code later to prevent them from continually using it in the future.
Offline Token Synchronization Caution
- Avoid advancing the token code (pressing the token button without signing in) unnecessarily once the offline login limit is reached.
- Doing so may desynchronize the token from the server by advancing it past the allowable window.
- If this happens, an alternative token or another MFA method will be required.
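The offline cache described above and the desynchronization caution can be modelled with a small RFC 4226 (HOTP) simulation. This is an added illustrative example, not SurePassID's WLM or PAM code; the secret, the window of 30 and the `simulate` helper are constructed assumptions, and a real cache must also be protected at rest.

```python
import hashlib
import hmac
import struct
# Illustrative model only: constructed secret/window, not SurePassID's WLM/PAM code.

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class OfflineHotpCache:
    """Holds the next `window` codes, computed at the last online sign-in.
    A real implementation must protect this cache at rest; this model does not."""

    def __init__(self, window: int):
        self.window = window
        self._codes: list[tuple[str, int]] = []   # (code, absolute counter), ascending

    def refresh(self, secret: bytes, server_counter: int) -> None:
        """Rebuild after a successful online sign-in from the server-confirmed counter."""
        self._codes = [(hotp(secret, c), c)
                       for c in range(server_counter, server_counter + self.window)]

    @property
    def remaining(self) -> int:
        return len(self._codes)

    def verify_offline(self, otp: str) -> bool:
        """Accept an OTP only if it is inside the cached window; then discard it and
        every earlier entry so a skipped or replayed code cannot be used later."""
        match = next((c for code, c in self._codes if code == otp), None)
        if match is None:
            return False   # wrong code, cache exhausted, or token advanced past the window
        self._codes = [(code, c) for code, c in self._codes if c > match]
        return True

def simulate(window: int = 30, unused_presses: int = 0) -> tuple[bool, int]:
    """Online sign-in fills the cache; `unused_presses` models pressing the token
    button without signing in. Returns (next offline login accepted, codes left)."""
    secret = b"constructed-demo-secret-not-a-real-key"
    token_counter = 0                        # the token's own counter, in sync at refresh
    cache = OfflineHotpCache(window)
    cache.refresh(secret, token_counter)
    token_counter += unused_presses          # codes generated but never presented
    presented = hotp(secret, token_counter)  # the next button press
    return cache.verify_offline(presented), cache.remaining
```

`simulate(30, 30)` shows the failure mode from the caution above: after 30 unused presses the token's next code lies outside the cached window and offline login is refused even though no cached entry was consumed.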