https://community.cisco.com/t5/managing-users/duo-offline-access/m-p/4880024#M526 <DIV class="duo-migrated-content"><P>Here are some blog posts that talk about our approach to “temporary” offline MFA for Windows:</P> <ASIDE class="onebox allowlistedgeneric" data-onebox-src="https://duo.com/blog/offline-multi-factor-authentication-for-windows-is-now-available"> <HEADER class="source"> <span class="lia-inline-image-display-wrapper" image-alt="2X_5_519ce45665d8dce98a5273c38d3c937763bb406a.png" style="width: 32px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/190603i0796151EE974C08C/image-size/large?v=v2&amp;px=999" role="button" title="2X_5_519ce45665d8dce98a5273c38d3c937763bb406a.png" alt="2X_5_519ce45665d8dce98a5273c38d3c937763bb406a.png" /></span> <A href="https://duo.com/blog/offline-multi-factor-authentication-for-windows-is-now-available" target="_blank" rel="noopener">Duo Security</A> </HEADER> <ARTICLE class="onebox-body"> <DIV class="aspect-image" style="--aspect-ratio:690/354;"><span class="lia-inline-image-display-wrapper" image-alt="2X_2_224652e492722297f034d88698acf0055ddbf2db.jpeg" style="width: 690px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/191073i9E1CD425B08F5933/image-size/large?v=v2&amp;px=999" role="button" title="2X_2_224652e492722297f034d88698acf0055ddbf2db.jpeg" alt="2X_2_224652e492722297f034d88698acf0055ddbf2db.jpeg" /></span></DIV> <H3><A href="https://duo.com/blog/offline-multi-factor-authentication-for-windows-is-now-available" target="_blank" rel="noopener">Offline Multi-Factor Authentication for Windows is Now Available</A></H3> <P>We’re pleased to announce the general availability of our offline MFA for Windows laptops, desktops and servers. Duo’s offline MFA for Windows allows end users to perform 2FA even while they are temporarily disconnected from the internet.</P> </ARTICLE> <DIV class="onebox-metadata"> </DIV> <DIV style="clear: both"></DIV> </ASIDE> <ASIDE class="onebox allowlistedgeneric" data-onebox-src="https://duo.com/blog/building-windows-offline"> <HEADER class="source"> <span class="lia-inline-image-display-wrapper" image-alt="2X_5_519ce45665d8dce98a5273c38d3c937763bb406a.png" style="width: 32px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/190603i0796151EE974C08C/image-size/large?v=v2&amp;px=999" role="button" title="2X_5_519ce45665d8dce98a5273c38d3c937763bb406a.png" alt="2X_5_519ce45665d8dce98a5273c38d3c937763bb406a.png" /></span> <A href="https://duo.com/blog/building-windows-offline" target="_blank" rel="noopener">Duo Security</A> </HEADER> <ARTICLE class="onebox-body"> <IMG src="https://duo.com/blog/building-windows-offline" class="thumbnail" width="" height="" /> <H3><A href="https://duo.com/blog/building-windows-offline" target="_blank" rel="noopener">Building Windows Offline</A></H3> <P>When our customers came to us with a desire to support offline multi-factor authentication for Windows, we started off by focusing on the fundamental technical problem to be solved. How can we trust enrollment and continued authentication from a...</P> </ARTICLE> <DIV class="onebox-metadata"> </DIV> <DIV style="clear: both"></DIV> </ASIDE> <P>Evidence that offline MFA not intended to be a permanent situation as evidenced by the <A href="https://duo.com/docs/rdp#offline-access:~:text=Prevent%20offline%20login%20after"><STRONG>Prevent offline login after</STRONG></A> setting for the RDP/Windows Logon Duo application. We do not permit that to be set to an infinite value, and instead enforce a max of 1000 logins or 365 days.</P></DIV> Mon, 06 Feb 2023 22:12:07 GMT DuoKristina 2023-02-06T22:12:07Z https://community.cisco.com/t5/managing-users/duo-offline-access/m-p/4880020#M522 <DIV class="duo-migrated-content"><P>Good afternoon,</P> <P>We are in the process of trialing duo at our ogranization, and have roughly 100 users who work from the field and they often do not have internet access. These users will typically float between 5 and 10 laptops, depending on the user. I am looking at duo offline access, and If I am understanding it properly, each user would need to set up an offline account for each of these laptops in addition to their normal online account.</P> <P>I just want to ensure that I am understanding the information as it is presented, or if there is some other way to give them access short of allowing them to fail through when they do not have a connection to the internet.</P> <P>Thank you in advance for any insight you might share.</P></DIV> Mon, 30 Jan 2023 18:41:05 GMT https://community.cisco.com/t5/managing-users/duo-offline-access/m-p/4880020#M522 fordh 2023-01-30T18:41:05Z https://community.cisco.com/t5/managing-users/duo-offline-access/m-p/4880021#M523 <DIV class="duo-migrated-content"><P>You are correct, in the multiple laptop scenario you describe each individual user would need to enroll in Duo offline access on each individual laptop they might use prior to taking the laptop offline (or, as you mentioned, permitting fail open for any user of the laptop).</P></DIV> Tue, 31 Jan 2023 20:35:32 GMT https://community.cisco.com/t5/managing-users/duo-offline-access/m-p/4880021#M523 DuoKristina 2023-01-31T20:35:32Z https://community.cisco.com/t5/managing-users/duo-offline-access/m-p/4880022#M524 <DIV class="duo-migrated-content"><P>I believe there were some DUO documentations that states permanent offline access is not recommended. I could not find that documentation any where somehow. Would you have a reference to that documentation?</P></DIV> Mon, 06 Feb 2023 19:16:24 GMT https://community.cisco.com/t5/managing-users/duo-offline-access/m-p/4880022#M524 amiguel 2023-02-06T19:16:24Z https://community.cisco.com/t5/managing-users/duo-offline-access/m-p/4880023#M525 <DIV class="duo-migrated-content"><ASIDE class="quote group-Level_Up_Certified" data-username="amiguel" data-post="3" data-topic="14040"> <DIV class="title"> <DIV class="quote-controls"></DIV> <IMG width="20" height="20" src="https://community.cisco.com/legacyfs/online/ciscoduo/letters/a_958977.png" style="display : inline;" /> amiguel:</DIV> <BLOCKQUOTE> <P>lieve there were some DUO documentations that states permanent offline access is not recommended. I could not find that documentation any where somehow. Would you have a reference to that documentation?</P> </BLOCKQUOTE> </ASIDE> <P>And that is fine. The locations without access to the interet arent the norm, but they are common. I am trying to think worst case scenarios as we trial this product.</P></DIV> Mon, 06 Feb 2023 19:31:56 GMT https://community.cisco.com/t5/managing-users/duo-offline-access/m-p/4880023#M525 fordh 2023-02-06T19:31:56Z https://community.cisco.com/t5/managing-users/duo-offline-access/m-p/4880024#M526 <DIV class="duo-migrated-content"><P>Here are some blog posts that talk about our approach to “temporary” offline MFA for Windows:</P> <ASIDE class="onebox allowlistedgeneric" data-onebox-src="https://duo.com/blog/offline-multi-factor-authentication-for-windows-is-now-available"> <HEADER class="source"> <span class="lia-inline-image-display-wrapper" image-alt="2X_5_519ce45665d8dce98a5273c38d3c937763bb406a.png" style="width: 32px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/190603i0796151EE974C08C/image-size/large?v=v2&amp;px=999" role="button" title="2X_5_519ce45665d8dce98a5273c38d3c937763bb406a.png" alt="2X_5_519ce45665d8dce98a5273c38d3c937763bb406a.png" /></span> <A href="https://duo.com/blog/offline-multi-factor-authentication-for-windows-is-now-available" target="_blank" rel="noopener">Duo Security</A> </HEADER> <ARTICLE class="onebox-body"> <DIV class="aspect-image" style="--aspect-ratio:690/354;"><span class="lia-inline-image-display-wrapper" image-alt="2X_2_224652e492722297f034d88698acf0055ddbf2db.jpeg" style="width: 690px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/191073i9E1CD425B08F5933/image-size/large?v=v2&amp;px=999" role="button" title="2X_2_224652e492722297f034d88698acf0055ddbf2db.jpeg" alt="2X_2_224652e492722297f034d88698acf0055ddbf2db.jpeg" /></span></DIV> <H3><A href="https://duo.com/blog/offline-multi-factor-authentication-for-windows-is-now-available" target="_blank" rel="noopener">Offline Multi-Factor Authentication for Windows is Now Available</A></H3> <P>We’re pleased to announce the general availability of our offline MFA for Windows laptops, desktops and servers. Duo’s offline MFA for Windows allows end users to perform 2FA even while they are temporarily disconnected from the internet.</P> </ARTICLE> <DIV class="onebox-metadata"> </DIV> <DIV style="clear: both"></DIV> </ASIDE> <ASIDE class="onebox allowlistedgeneric" data-onebox-src="https://duo.com/blog/building-windows-offline"> <HEADER class="source"> <span class="lia-inline-image-display-wrapper" image-alt="2X_5_519ce45665d8dce98a5273c38d3c937763bb406a.png" style="width: 32px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/190603i0796151EE974C08C/image-size/large?v=v2&amp;px=999" role="button" title="2X_5_519ce45665d8dce98a5273c38d3c937763bb406a.png" alt="2X_5_519ce45665d8dce98a5273c38d3c937763bb406a.png" /></span> <A href="https://duo.com/blog/building-windows-offline" target="_blank" rel="noopener">Duo Security</A> </HEADER> <ARTICLE class="onebox-body"> <IMG src="https://duo.com/blog/building-windows-offline" class="thumbnail" width="" height="" /> <H3><A href="https://duo.com/blog/building-windows-offline" target="_blank" rel="noopener">Building Windows Offline</A></H3> <P>When our customers came to us with a desire to support offline multi-factor authentication for Windows, we started off by focusing on the fundamental technical problem to be solved. How can we trust enrollment and continued authentication from a...</P> </ARTICLE> <DIV class="onebox-metadata"> </DIV> <DIV style="clear: both"></DIV> </ASIDE> <P>Evidence that offline MFA not intended to be a permanent situation as evidenced by the <A href="https://duo.com/docs/rdp#offline-access:~:text=Prevent%20offline%20login%20after"><STRONG>Prevent offline login after</STRONG></A> setting for the RDP/Windows Logon Duo application. We do not permit that to be set to an infinite value, and instead enforce a max of 1000 logins or 365 days.</P></DIV> Mon, 06 Feb 2023 22:12:07 GMT https://community.cisco.com/t5/managing-users/duo-offline-access/m-p/4880024#M526 DuoKristina 2023-02-06T22:12:07Z