Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
248
Views
0
Helpful
1
Replies

Bypass When Computer Is Offline (No Internet)

nathan-martins
Level 1
Level 1

‎04-23-2025 05:59 AM

Hi everyone, I'm facing an issue—or maybe it's just a missing configuration.

We have Duo installed on company computers, and the users have already enrolled in the Duo Mobile app. However, they haven't completed the offline access setup. So when a computer is offline, the user can still enter their company login and password, and Duo authentication is not prompted. This basically creates a kind of bypass.

I'm wondering if there's a configuration I'm missing? I couldn't find any policy setting that forces users to complete the offline enrollment.

Has anyone dealt with this before or has any suggestions?

Below is an image of the screen that prompts users to set up offline access, but they just click the “X” and skip it. I'd like to force users to complete the offline setup.

Thanks in advance!

Preview file
73 KB
0 Helpful
1 Reply 1

DuoKristina
Cisco Employee
Cisco Employee

‎04-23-2025 09:23 AM - edited ‎04-23-2025 09:25 AM

>So when a computer is offline, the user can still enter their company login and password, and Duo authentication is not prompted. This basically creates a kind of bypass.

It sounds like you might have set the fail mode to "fail open" (allow login without MFA when offline) which isn't recommended if you only want users who set up offline access to be able to log in whilst offline.

https://duo.com/docs/rdp#offline-access-requirements

"Disable the Bypass Duo authentication when offline (FailOpen) option. If you enabled FailOpen during installation, you can change it in the registry."

https://duo.com/docs/rdp-faq#how-does-offline-access-in-duo-for-windows-logon-interact-with-fail-mode

"Users who have not activated offline access are subject to the fail mode setting e.g. if set to fail open, a user who did not activate offline access would be able to log in without completing Duo offline authentication. Disable "fail open" if you want to prevent users who did not activate offline access from logging in when the computer is offline."

ETA there is not a way to force users to complete offline setup today. Please contact your Duo Care team/account exec or Duo support to submit this as a feature request.

Duo, not DUO.
0 Helpful
Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents