Windows Offline Access
Passly supports the Windows logon agent working in an offline mode. This means the user can log into Windows using their existing authenticator for an Administrator set duration with no internet connection.
Note: Offline mode only works for the last Passly Authenticated User.
Passly may be deployed following this guide to a single machine or in bulk via this guide.
Note: This functionality is only available to iOS/Android Authenticator users. This will not work with Yubikeys.
Note: Windows Logon agent offline access allows you to enforce 2FA on protected devices without being connected to the Internet. Requires Agent Installer version 6.0.2.0 or greater.
Login process flow
- When the user first logs into Windows post agent being enabled for offline access they will experience the following automatically.
- The first time a Passly user logs into Windows and connects with an active internet connection the users token will be converted from a TOTP (time based) token to an HOTP (session based) token.
- User can disable their WiFi button / disconnect any network cables and log out of Windows.
- With the machine offline the user can initiate the normal login. User will be prompted for Windows Username/Password. *PUSH" notifications will fail however the user will see a new prompt offering to accept a one time passcode. Entering the 8 digit OTP will allow the user to login.
Note: You can also enter the preset Override Password in the OTP field.
Note: The user will have the ability to login using their one-time passcodes generated from the Passly authenticator.
TOTP Tokens explained.
HOTP Tokens explained.
Ability to Enable Offline Mode
The Windows Logon agent supports Offline access when enabled by an Administrator.
Note: This feature can only be enabled for a maximum of 42 Days. Once the timer has expired the only way to login will be to use the preset override password or bring the machine back online.
Admin Enabling Offline mode
- Access your Passly tenant https://"customer".passly.com
Note: This action can only be performed by members of the following Roles.
Administrator
Security Auditor - Select Auth Manager > Agents.
- Select the Specific Agent.
- Scroll down to Windows Logon Configuration. Select Edit.
- Select enable on Allow Offline Access.
Note: We recommend always settings an Override password as a backup. Users may supply this password in the event that their 2FA credentials can't be verified. This password can be used in lieu of the user's Authentication Code. - Enter the desired maximum date. This is an arbitrary decision that the Administrators are making up to a maximum of 42 days.
Note: After the maximum duration expires the user will need to be provided with the preset Override Password or bring the machine online.