Enabling 2FA When Windows Is Offline


Windows Offline Authentication will allow Windows users to login using 2FA even while not connected to the internet. This will use the existing mobile application to allow the user to enter a security One Time PIN (OTP) which will be validated by the Passly agent on the user’s Windows machine. 

Enabling Offline Mode

To enable Offline Mode you will need to make sure that your Policy is configured for 2FA and that the Agent supports Offline Mode.

Configuring the Policy

  • Edit your policy
  • Ensure that it is configured to Require 2FA


Configure the Agent

  • Edit the Agent (or add a new one)
  • Enable (check) the Allow Offline Access


  • Configure the number of days to allow offline access. This will determine how long after the user's last online login they will be able to login offline. Valid values range from 1-42. After the time has expired, they will not be able to login offline without first logging in while online.
  • It is recommended to enable and set up an Override Password. This will allow you to have a password that can be given to the user and entered in place of the OTP and allow the user access to their machine. It is recommended that you change this password after it has been given out and used.

Deploying the Agent

The new agent will need to be deployed to any Windows machine that you would like to have offline mode enabled.

  • Go to the Agent
  • You can edit the agent and set up a Sync Frequency (default 1 hour). This will determine how frequently the agent checks back for updates to the policy (e.g. new override password).


  • You can download the installer from here and get the ID and Key for installation
  • Deploy the agent as you would normally

Logging in Offline

For the user, logging in while offline is no different than while online. The only change is they will not get a Push Notification but will have to look up their OTP on their mobile device. The OTP is a revolving number that updates every 60 seconds. When prompted for the OTP, enter the one from the mobile device. The Passly agent will validate this, and ensure they have offline access and are within the time allowed.

If they successfully enter their credentials, and it is within the time allowed for offline access, they will be logged in normally. If not, they will receive an error that their offline access has expired and they need to connect to the internet to access their machine.


In this case, they will have to either connect to the internet to login or they can use the Override Password if an administrator has provided it to them.

Have more questions?

Contact us

Was this article helpful?
0 out of 0 found this helpful

Provide feedback for the Documentation team!

Browse this section