Which token does Windows Logon Manager cache for offline OTP authentication?

Offline authentication set-up

Windows Logon Manager caches OTPs only from the first enabled event-based token assigned to the user. If the user is not currently using that token (it is not provisioned in the mobile authenticator app and the user has no hard token for it), WLM will not cache OTPs for a token the user actually holds, and offline authentication will fail.

To correct this, make sure the user has only one enabled event-based token assigned to their account.
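As an added illustration (not code from this article or from the WLM product), the Python below models the selection rule described above over a constructed token inventory and shows the remedy. It assumes that the offline cache is a look-ahead window of HOTP values computed per RFC 4226; the Token fields, the inventory and the window size are assumptions, not WLM internals.

```python
import hmac, hashlib, struct
from dataclasses import dataclass, replace

@dataclass
class Token:
    name: str
    kind: str           # "HOTP" (event-based) or "TOTP" (time-based)
    enabled: bool
    provisioned: bool   # held by the user: in the authenticator app or a hard token
    secret: bytes = b""
    counter: int = 0

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def wlm_cache_token(tokens):
    """The rule in this article: WLM takes the FIRST enabled event-based token."""
    return next((t for t in tokens if t.enabled and t.kind == "HOTP"), None)

def offline_cache(tokens, window=5):
    """Return (status, token name, codes). Assumption: the cache is the next
    `window` HOTP values for the selected token, starting at its counter."""
    t = wlm_cache_token(tokens)
    if t is None:
        return "no-event-token", None, []
    if not t.provisioned:
        # The article's failure case: the first enabled HOTP token is one the user
        # does not hold, so nothing cached can ever be entered at the logon screen.
        return "unusable-token", t.name, []
    return "ok", t.name, [hotp(t.secret, t.counter + i) for i in range(window)]

def fixed(tokens):
    """The article's remedy: disable event-based tokens the user does not hold,
    leaving exactly one enabled HOTP token on the account."""
    return [replace(t, enabled=False) if t.kind == "HOTP" and not t.provisioned else t
            for t in tokens]

# Constructed inventory: a stale but enabled HOTP token is ordered before the one in use.
RFC4226_SECRET = b"12345678901234567890"   # RFC 4226 test-vector secret
USER_TOKENS = [
    Token("old-hotp", "HOTP", enabled=True, provisioned=False, secret=b"x" * 20),
    Token("phone-hotp", "HOTP", enabled=True, provisioned=True, secret=RFC4226_SECRET),
    Token("phone-totp", "TOTP", enabled=True, provisioned=True),
]

if __name__ == "__main__":
    print(offline_cache(USER_TOKENS))          # ('unusable-token', 'old-hotp', [])
    print(offline_cache(fixed(USER_TOKENS)))   # ('ok', 'phone-hotp', ['755224', ...])
```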

Best Practices:

  • Event-based tokens (OATH HOTP) should only be used for offline authentication.
  • Time-based tokens (OATH TOTP) should be used for authenticating in all other systems.