What are the alternative OTP options for Air-gapped Facilities?

Environment: Air-gapped facility, 24/7 ops, no helpdesk on 2nd & 3rd shift, no cellphone or internet service

Scenario: Primary token is an OTP hard token, left at home or lost by employee


  1. The supervisor on the night shift has the ability to serve as an SP Helpdesk and can provide the employee with a temporary OTP if needed.
  2. The supervisor can assign a spare token to the employee by securely storing it in a locked drawer or cabinet. This can be done using the supervisor's SP Helpdesk role.
  3. An alternative solution would be for a supervisor who has a SP Helpdesk Role to temporarily share their token with the employee. This would enable the employee to log in using the supervisor's token for the time being.
  4. If the facility is using WLM, the supervisor can give the employee the Master Passcode for their device, which can be obtained from a secured spreadsheet. This will allow the employee to log in. Afterward, the supervisor should inform the IT Helpdesk that the Master Passcode for that workstation needs to be reset.
  5. To ensure a seamless backup solution, a few additional tokens can be distributed to all employees with SP accounts in the facility. These tokens will serve as backups, eliminating the need to assign a supervisor as a Helpdesk role in the SP Admin panel. The spare tokens can be securely stored in a lockbox until they are needed. When necessary, a supervisor can easily retrieve one of the tokens for a user to log in and then return it safely to the lockbox. This streamlined process provides a reliable solution for employee access without any complications.