Offline authentication set-up
Windows Logon Manager (WLM) caches OTPs only from the first enabled event-based token assigned to the user. If the user does not currently use that token (it is not provisioned in the mobile authenticator app and the user has no hard token for it), WLM will not cache OTPs for a token the user actually holds, and offline authentication will fail.
To correct this, make sure the user has only one enabled event-based token assigned to their account.
Best Practices:
- Event-based tokens (OATH HOTP) should only be used for offline authentication.
- Time-based tokens (OATH TOTP) should be used for authenticating in all other systems.
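The following is an added example, not WLM's code or any vendor's. It shows why an event-based (HOTP, RFC 4226) token is the one that can be cached for offline logon: its next codes depend only on a counter, so a window of them can be precomputed and verified later without a clock or a server. It also models the selection rule described above (first enabled event-based token wins) so the misconfiguration can be checked. The token dictionaries, the `kind`/`enabled`/`provisioned` field names and the demo secret are assumptions for illustration; the secret is the RFC 4226 test-vector key.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed demo secret (the RFC 4226 test-vector key), not a real token seed.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based OTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian
    counter, dynamic truncation, then reduce to the requested digit count."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def precompute_offline_cache(secret: bytes, start_counter: int, count: int) -> dict:
    """A window of future HOTP codes depends only on the counter, so it can be
    computed while the seed (or the server) is reachable and used offline.
    A time-based (TOTP) token has no such window: its codes follow the clock."""
    return {c: hotp(secret, c) for c in range(start_counter, start_counter + count)}


class OfflineCache:
    """Minimal offline verifier: each cached code is accepted at most once, and
    a code whose counter is behind the last accepted one is never accepted."""

    def __init__(self, codes: dict):
        self._codes = dict(codes)
        self._next_counter = min(codes) if codes else 0

    def remaining(self) -> int:
        return sum(1 for c in self._codes if c >= self._next_counter)

    def verify(self, candidate: str) -> bool:
        for counter in sorted(self._codes):
            if counter < self._next_counter:
                continue
            if hmac.compare_digest(self._codes[counter], candidate):
                # Advance past the consumed counter; earlier codes are now dead.
                self._next_counter = counter + 1
                return True
        return False


def cache_source_token(tokens: list) -> Optional[dict]:
    """Model of the rule described above (assumed field names): the cache is
    built from the first enabled event-based token, whatever its state."""
    for token in tokens:
        if token["enabled"] and token["kind"] == "HOTP":
            return token
    return None


def offline_login_possible(tokens: list) -> bool:
    """Offline logon works only if the token chosen for the cache is one the
    user actually holds (provisioned in the app or issued as a hard token)."""
    chosen = cache_source_token(tokens)
    return chosen is not None and bool(chosen["provisioned"])


if __name__ == "__main__":
    cache = OfflineCache(precompute_offline_cache(DEMO_SECRET, 0, 5))
    print("accept counter 1:", cache.verify("287082"))
    print("replay counter 1:", cache.verify("287082"))
    # Constructed user record: the first enabled HOTP token was never provisioned.
    user_tokens = [
        {"id": "hotp-old", "kind": "HOTP", "enabled": True, "provisioned": False},
        {"id": "hotp-app", "kind": "HOTP", "enabled": True, "provisioned": True},
        {"id": "totp-app", "kind": "TOTP", "enabled": True, "provisioned": True},
    ]
    print("offline logon possible:", offline_login_possible(user_tokens))
    user_tokens[0]["enabled"] = False  # leave exactly one enabled HOTP token
    print("after fix:", offline_login_possible(user_tokens))
```

The cache never accepts a code whose counter is at or below the last one used, which is what makes a stolen earlier code useless once a later one has been consumed; `offline_login_possible` returns False for the exact situation described above and True once the stale token is disabled.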