Things to consider when the SPAS(MFA) Server is offline in an on-premises installation

If your on-premises SPAS(MFA) server is offline, here are the things to consider regarding continued logins for Windows and Linux systems.

  • Offline tokens for WLM logins work for the last logged-in user of a Windows machine, provided that user previously signed in successfully while online, for up to the OTP window size defined for the token in the SPAS (default 30; maximum of about 180 in the UI).
  • We cache offline OTPs for any user who has successfully signed into the computer while an offline-capable token was assigned to their account. Bear in mind, however, that if the token is used elsewhere and its counter is incremented past the cached range, an offline login on a previously used machine can fail because the token's counter is now well beyond the OTPs cached on that computer.
  • A bypass code, if present on the machine, can be used in place of the OTP/passcode as needed if the end user is made aware of it.
  • Bypass codes can differ between machines; for example, servers could be set up with one code while laptops have another.
  • Bypass codes must be generated by the WLM config tool and then saved to the registry.
  • Once the bypass code is in the registry, the value can be copied from there into a .reg file or a GPO to distribute it to other systems.
  • Bypass codes should be changed once end users have been given them and no longer need them after the SPAS(MFA) server returns to service.
  • Time based tokens cannot be used offline
  • Offline login for Linux PAM is available with the most recent version of the Linux PAM module.
  • Offline RADIUS/LDAP/SAML2 is not currently possible
  • Offline FIDO2 is not yet implemented
  • You can delete the credential provider filter from the registry of a Windows machine to disable the MFA requirement, and this can also be done via a GPO. Note that this removes MFA from the machine entirely until the filter is restored.
  • Counters on event-based tokens will be ahead of the counter values recorded in the backed-up copy of the DB, so tokens that were used heavily while offline may need to be resynced after return to service.
  • Time-based tokens will function as expected after return to service
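As an added illustration (not code from this page or from the SPAS/WLM product), the following Python model shows the event-token behaviour the points above describe: a workstation caches the next 30 OTPs after a successful online login, an offline login fails once the token has been pressed past that range elsewhere, and after return to service the server's stored counter is behind the token, so a resync is needed before online logins work again. The HOTP routine is RFC 4226; the look-ahead window of 30, the hashed OTP cache, and the two-consecutive-OTP resync are assumptions made for the example and are not the product's implementation.

```python
"""Model of event-based (HOTP, RFC 4226) offline logins: the workstation caches
the next N OTPs after an online login, the cache stops working once the token
has been pressed past it elsewhere, and the server needs a resync after return
to service because its stored counter is behind. Window sizes, the hashed
cache and the resync logic are assumptions, not the SPAS/WLM implementation."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def sha256_hex(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()


class Token:
    """Hardware event token: every press emits the OTP for the current counter
    and advances it, regardless of where (or whether) the OTP is accepted."""

    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class Server:
    """Authentication server: accepts an OTP within a look-ahead window past
    the last accepted counter (30 here, the page's default OTP window)."""

    def __init__(self, secret: bytes, window: int = 30, resync_window: int = 1000):
        self.secret, self.window, self.resync_window = secret, window, resync_window
        self.last_counter = -1  # nothing accepted yet

    def _find(self, code: str, span: int) -> int:
        """Counter in (last, last+span] whose OTP equals code, or -1."""
        for c in range(self.last_counter + 1, self.last_counter + 1 + span):
            if hmac.compare_digest(hotp(self.secret, c), code):
                return c
        return -1

    def verify(self, code: str) -> bool:
        c = self._find(code, self.window)
        if c < 0:
            return False
        self.last_counter = c
        return True

    def offline_otps(self, window: int) -> dict[int, str]:
        """Hashes of the next `window` OTPs, handed to the workstation after a
        successful online login (the page's cached offline OTPs)."""
        start = self.last_counter + 1
        return {c: sha256_hex(hotp(self.secret, c)) for c in range(start, start + window)}

    def resync(self, code1: str, code2: str) -> bool:
        """Resync with two consecutive OTPs searched over a much larger window,
        for tokens whose counter ran well ahead while the server was offline."""
        c = self._find(code1, self.resync_window)
        if c < 0 or not hmac.compare_digest(hotp(self.secret, c + 1), code2):
            return False
        self.last_counter = c + 1
        return True


class Workstation:
    """WLM-style client: keeps hashed OTPs from the last online login so the
    user can authenticate while the server is unreachable."""

    def __init__(self, server: Server, window: int = 30):
        self.server, self.window, self.cache = server, window, {}

    def login_online(self, code: str) -> bool:
        if not self.server.verify(code):
            return False
        self.cache = self.server.offline_otps(self.window)
        return True

    def login_offline(self, code: str) -> bool:
        digest = sha256_hex(code)
        for c in sorted(self.cache):
            if hmac.compare_digest(self.cache[c], digest):
                # Consume this and every earlier cached OTP so none can be replayed.
                self.cache = {k: v for k, v in self.cache.items() if k > c}
                return True
        return False  # counter outside the cached range: offline login fails


def scenario() -> dict[str, bool]:
    """Walk through the failure mode. Constructed input: RFC 4226 test secret."""
    secret = b"12345678901234567890"
    token, server = Token(secret), Server(secret)
    ws = Workstation(server)
    r = {"online": ws.login_online(token.press())}              # counter 0, caches 1..30
    r["offline_ok"] = ws.login_offline(token.press())            # counter 1, cached
    for _ in range(40):                                          # token used elsewhere:
        token.press()                                            # counters 2..41 burned
    r["offline_past_cache"] = ws.login_offline(token.press())    # counter 42, not cached
    # Return to service: the server still holds counter 0 and its window ends at 30.
    r["online_no_resync"] = server.verify(token.press())         # counter 43
    r["resync"] = server.resync(token.press(), token.press())    # counters 44, 45
    r["online_after_resync"] = server.verify(token.press())      # counter 46
    return r


if __name__ == "__main__":
    for step, ok in scenario().items():
        print(f"{step:>20}: {'OK' if ok else 'FAIL'}")
```

The same model explains the last two points in the list: a time-based token has no counter to run ahead, so nothing needs resyncing once the server is back, whereas a heavily used event token lands exactly where `online_no_resync` does and must be resynced before it works online again.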