Things to consider when the SPAS(MFA) Server is offline in an on-premises installation
If you have an on-premises server and it is offline, here are things to consider with regard to continuation of logins for Windows and Linux systems:
- Offline tokens for WLM logins work for the last user who logged in to a Windows machine, provided that user previously signed in successfully while the server was online; they continue to work for up to the OTP window size defined for the token in the SPAS (default of 30; maximum of about 180 in the UI)
- A bypass code, if one is present on the machine, can be used in place of the OTP/passcode as needed, provided the end user has been made aware of it
- Bypass codes can differ between machines, i.e. servers could be set up with one code while laptops have another, etc.
- Bypass codes have to be generated by the WLM config tool and then saved to the registry
- Once the bypass code is in the registry, its value can be copied from there and put into a .reg file or into a GPO for distribution to other systems
- Bypass codes should be changed once the SPAS(MFA) server is back in service if they were given to end users, since those users no longer need them
- Time-based tokens cannot be used offline
- Offline Linux PAM logins are available with the most recent version of the Linux PAM
- Offline RADIUS/LDAP/SAML2 is not currently possible
- Offline FIDO2 is not yet implemented
- Deleting the credential provider filter from the registry of a Windows machine disables the MFA requirement on that machine; this can also be done via a GPO
- Counters on event-based tokens will be ahead of the counter values stored for those tokens in the backed-up copy of the DB, so event-based tokens that were used heavily while offline may need to be resynced after return to service
- Time-based tokens will function as expected after return to service
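The OTP window and the counter-drift points above are easiest to see with a small simulation. The following is an added example, not code from the SPAS/WLM product: it implements RFC 4226 HOTP, a server record that accepts a code only within a look-ahead window (default 30, matching the page's default), and a two-consecutive-code resync routine. The secret, the `EventToken`/`ServerRecord` classes and the resync procedure are assumptions made for the illustration; a real server may resync differently.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


@dataclass
class EventToken:
    """The user's event-based token; each login consumes one counter value."""
    secret: bytes
    counter: int = 0  # next counter value the token will use

    def next_code(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


@dataclass
class ServerRecord:
    """Server-side state for the token (e.g. as restored from a DB backup)."""
    secret: bytes
    counter: int = 0   # next counter value the server expects
    window: int = 30   # OTP window size: page default 30, max about 180 in the UI

    def verify(self, code: str) -> bool:
        # Accept the code if it matches any counter within the look-ahead window,
        # then move the server counter just past the matched value.
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1
                return True
        return False

    def resync(self, code1: str, code2: str, search: int = 1000) -> bool:
        # Assumed resync procedure: two consecutive codes from the token, searched
        # over a much wider range than the normal window.
        for c in range(self.counter, self.counter + search):
            if (hmac.compare_digest(hotp(self.secret, c), code1)
                    and hmac.compare_digest(hotp(self.secret, c + 1), code2)):
                self.counter = c + 2
                return True
        return False


SECRET = b"constructed-demo-secret-not-a-real-seed"  # constructed sample value


def login_after_offline(offline_logins: int, window: int = 30) -> bool:
    """Offline logins advance the token but not the server; does the first online login succeed?"""
    token = EventToken(SECRET)
    server = ServerRecord(SECRET, window=window)  # backup copy still at counter 0
    for _ in range(offline_logins):
        token.next_code()  # consumed by the offline cache; the server never sees these
    return server.verify(token.next_code())


def resync_then_login(offline_logins: int = 45, window: int = 30):
    """Token used beyond the window while offline: first login fails, resync fixes it."""
    token = EventToken(SECRET)
    server = ServerRecord(SECRET, window=window)
    for _ in range(offline_logins):
        token.next_code()
    first_ok = server.verify(token.next_code())          # expected False: drift > window
    resync_ok = server.resync(token.next_code(), token.next_code())
    login_ok = server.verify(token.next_code())          # expected True after resync
    return first_ok, resync_ok, login_ok, server.counter


if __name__ == "__main__":
    print("10 offline logins, window 30:", login_after_offline(10))
    print("45 offline logins, window 30:", login_after_offline(45))
    print("45 offline logins then resync:", resync_then_login(45))
```

With 10 offline logins the token is still inside the 30-code window, so the first online login succeeds and the server silently catches up; with 45 the drift exceeds the window and the login fails until the token is resynced, which is exactly the case the page flags for tokens used heavily while the server was offline. Time-based tokens have no such counter state, which is why they resume normally after return to service.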