Things to consider when the SPAS (MFA) server is offline in an on-premises installation

If your on-premises SPAS (MFA) server is offline, the following points cover how logins to Windows and Linux systems continue in the meantime.

  • Offline OTP logins through WLM work only for the last user who signed in to the Windows machine successfully while the server was online. Codes from that user's event-based token will keep working for up to as many logins as the OTP Window size defined for the token in the SPAS (default of 30; the UI allows a maximum of about 180)
  • A bypass code, if one is configured on the machine, can be entered in place of the OTP/passcode; end users have to be told the code in order to use it
  • Bypass codes can differ between machines, e.g. servers can be set up with one code and laptops with another
  • Bypass codes must be generated with the WLM config tool, which saves them to the registry
  • Once the bypass code is in the registry, the value can be copied from there into a .reg file or a GPO to distribute it to other systems
  • Treat a bypass code that has been handed out to end users as exposed: change it once the SPAS (MFA) server is back in service and the code is no longer needed
  • Time-based tokens cannot be used offline; offline login relies on event-based tokens
  • Offline login through the Linux PAM module is available with the most recent release of the Linux PAM module
  • Offline authentication for RADIUS, LDAP and SAML2 is not currently possible; those integrations need the SPAS server to be reachable
  • Offline FIDO2 is not yet implemented
  • The MFA requirement can be disabled by deleting the WLM credential provider filter from the registry of a Windows machine, and this can be pushed via a GPO. Note that this removes MFA for every login on that machine, so restore the filter once the server is back in service
  • Counters on event-based tokens that were used heavily while offline will be ahead of the counter values held in the backed-up copy of the DB, so those tokens may need to be resynced after return to service
  • Time-based tokens will function as expected after return to service, since they depend only on the clock
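The two registry tasks above (copying a bypass code out of the registry into a .reg file for distribution, and removing the credential provider filter to drop the MFA requirement) can be scripted. The following PowerShell is an added example for this page, not part of the SPAS/WLM product or its documentation. The key path and value name that the WLM config tool writes the bypass code to are not given on this page, so `$WlmKeyPath` and `$BypassValueName` are placeholders you must replace with what the tool actually wrote; the credential provider filter root is the standard Windows location, but the CLSID of the WLM filter is something you look up with `Get-CredentialProviderFilter` rather than a value from this page.

```powershell
# Added example; not from the SPAS/WLM product or its documentation.
# Run from an elevated PowerShell session (registry writes under HKLM need admin rights).
#
# ASSUMPTION: this page does not name the key/value the WLM config tool saves the bypass
# code to, so these two are hypothetical placeholders. Adjust them to the real location.
$WlmKeyPath      = 'HKLM:\SOFTWARE\Example\WLM'   # hypothetical
$BypassValueName = 'BypassCode'                   # hypothetical

# Standard location where Windows registers credential provider filters.
$FilterRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters'

function Export-BypassCodeReg {
    <# Reads the bypass code the WLM config tool stored in the registry and writes a .reg
       file that can be imported on other machines or used to build a GPO registry setting. #>
    param(
        [Parameter(Mandatory)] [string] $KeyPath,
        [Parameter(Mandatory)] [string] $ValueName,
        [Parameter(Mandatory)] [string] $OutFile
    )
    $key  = Get-Item -Path $KeyPath -ErrorAction Stop
    $code = $key.GetValue($ValueName)
    if ($null -eq $code) { throw "Value '$ValueName' not found under $KeyPath" }

    # .reg syntax depends on the value type; refuse anything we cannot serialise correctly.
    switch ($key.GetValueKind($ValueName)) {
        'String' {
            $escaped = ($code -replace '\\', '\\') -replace '"', '\"'
            $entry = "`"$ValueName`"=`"$escaped`""
        }
        'DWord' {
            $entry = '"{0}"=dword:{1:x8}' -f $ValueName, [int]$code
        }
        default { throw "Unsupported value kind '$_'; export the key with reg.exe instead" }
    }

    # Registry Editor 5.00 format: full hive name, UTF-16 LE with BOM.
    $hivePath = $KeyPath -replace '^HKLM:\\', 'HKEY_LOCAL_MACHINE\'
    @('Windows Registry Editor Version 5.00', '', "[$hivePath]", $entry, '') |
        Set-Content -Path $OutFile -Encoding Unicode
    return $OutFile
}

function Get-CredentialProviderFilter {
    # Lists every registered filter so the WLM one can be identified by its default-value name.
    Get-ChildItem -Path $FilterRoot | ForEach-Object {
        [pscustomobject]@{ Clsid = $_.PSChildName; Name = $_.GetValue('') }
    }
}

function Disable-CredentialProviderFilter {
    <# Backs up the filter's key to a .reg file, then deletes it so the built-in providers are
       no longer filtered out. 'reg import <backup>' restores MFA after return to service. #>
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Clsid,   # CLSID as shown by Get-CredentialProviderFilter
        [string] $BackupFile = (Join-Path $env:TEMP ('cpfilter-' + $Clsid.Trim('{}') + '.reg'))
    )
    $key = Join-Path $FilterRoot $Clsid
    if (-not (Test-Path $key)) { throw "No credential provider filter registered as $Clsid" }

    # Export first; never delete without a way back.
    $regPath = $key -replace '^HKLM:\\', 'HKLM\'
    & reg.exe export $regPath $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed; not deleting $key" }

    if ($PSCmdlet.ShouldProcess($key, 'Remove credential provider filter')) {
        Remove-Item -Path $key -Recurse -Force
    }
    return $BackupFile
}

# Usage (dry-run the deletion with -WhatIf before pushing anything via GPO):
# Export-BypassCodeReg -KeyPath $WlmKeyPath -ValueName $BypassValueName -OutFile C:\temp\wlm-bypass.reg
# Get-CredentialProviderFilter
# Disable-CredentialProviderFilter -Clsid '{00000000-0000-0000-0000-000000000000}' -WhatIf
```

Export-BypassCodeReg refuses value types it cannot serialise rather than guessing, because a malformed .reg silently imports nothing and the machine is left without a working bypass code. Disable-CredentialProviderFilter exports the filter key before deleting it and supports -WhatIf, since removing the filter turns off MFA for every login on that machine; the exported .reg is what you import again once the SPAS server is back.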