We are in the process of trialing Duo at our organization, and have roughly 100 users who work from the field and often do not have internet access. These users will typically float between 5 and 10 laptops, depending on the user. I am looking at Duo offline access, and if I am understanding it properly, each user would need to set up an offline account for each of these laptops in addition to their normal online account.
I just want to ensure that I am understanding the information as it is presented, or if there is some other way to give them access short of allowing them to fail through when they do not have a connection to the internet.
Thank you in advance for any insight you might share.
You are correct: in the multiple-laptop scenario you describe, each individual user would need to enroll in Duo offline access on each individual laptop they might use, prior to taking the laptop offline (or, as you mentioned, permitting fail open for any user of the laptop).
I believe there was some Duo documentation that states permanent offline access is not recommended. I could not find that documentation anywhere somehow. Would you have a reference to that documentation?
Here are some blog posts that talk about our approach to “temporary” offline MFA for Windows:
Evidence that offline MFA is not intended to be a permanent situation is the "Prevent offline login after" setting for the RDP/Windows Logon Duo application. We do not permit that to be set to an infinite value, and instead enforce a maximum of 1000 logins or 365 days.