Enable 2FA for Windows machines protected with the Windows Credential Provider while offline.
Enhancements
DirSync: indicate "No", rather than hide "Synchronize Changes".
AuthAnvil needs to configure server garbage collecting to improve performance.
Bug Fixes
AAoD: Unable to set a custom service account installing DirSync.
AuthAnvil server slowdowns in US and EU 30 July 2018.
Windows Credential Provider - Override group dropdown shows in wrong place.
DirSync Agent 2.2.1.3 User Creation Error - DirSync Agent 2.2.1.3 fails to install, Error - "There was an issue creating the restricted sync user. Please run the configuration tool again."
K1 onboarding - Password not getting set correctly for new AA tenant from K1 onboarding.
Windows Offline Mode
Overview:
Windows Offline Authentication allows Windows users to log in using 2FA even while not connected to the internet. The user enters a security One Time PIN (OTP) from the existing mobile application, and the AuthAnvil agent on the user's Windows machine validates it.
Enabling Offline Mode:
To enable Offline Mode, you will need to make sure that your Policy is configured for 2FA and that the Agent supports Offline Mode.
Configuring the Policy:
Edit your policy
Ensure that it is configured to Require 2FA
Configure the Agent
Edit the Agent (or add a new one)
Enable (check) Allow Offline Access
Configure the number of days to allow offline access. This determines how long after the user's last online login they will be able to log in offline. Valid values range from 1-42. After the time has expired, they will not be able to log in offline without first logging in while online.
It is recommended to enable and set up an Override Password. This gives you a password that can be given to the user and entered in place of the OTP to allow the user access to their machine. It is recommended that you change this password after it has been given out and used.
Deploying the Agent
The new agent will need to be deployed to any Windows machine that you would like to have offline mode enabled.
Go to the Agent
You can edit the agent and set up a Sync Frequency (default 1 hour). This determines how frequently the agent checks back for updates to the policy (e.g. new override password).
You can download the installer from here and get the ID and Key for installation
Deploy the agent as you would normally
Logging in Offline
For the user, logging in while offline is no different from logging in while online. The only change is that they will not get a Push Notification and will have to look up their OTP on their mobile device. The OTP is a revolving number that updates every 60 seconds. When prompted for the OTP, enter the one from the mobile device. The AuthAnvil agent will validate this, and ensure they have offline access and are within the time allowed.
If they successfully enter their credentials, and it is within the time allowed for offline access, they will be logged in normally. If not, they will receive an error that their offline access has expired and they need to connect to the internet to access their machine.
In this case, they will have to either connect to the internet to log in or use the Override Password if an administrator has provided it to them.
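The offline decision described above, sketched as an added example that is not AuthAnvil's code: it assumes the OTP is an RFC 6238 TOTP with a 60-second step (the page does not name the algorithm) and that the override password is still accepted after the offline window has expired. The clock-rollback check, all function names and the sample secret are hypothetical additions.

```python
import hashlib
import hmac
import struct
from datetime import datetime, timedelta, timezone

STEP = 60  # the page states the OTP changes every 60 seconds

def totp(secret: bytes, when: datetime, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 (assumed; the page names no algorithm)."""
    counter = int(when.timestamp()) // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def same(a: str, b: str) -> bool:
    """Constant-time comparison so timing does not leak matching prefixes."""
    return hmac.compare_digest(a.encode(), b.encode())

def offline_login(entered, secret, now, last_online, allow_offline,
                  offline_days, override_password=None) -> str:
    """Hypothetical agent-side decision for an offline logon attempt."""
    if not allow_offline:
        return "denied: offline access not enabled"
    if not 1 <= offline_days <= 42:  # valid range given on the page
        raise ValueError("offline days must be between 1 and 42")
    # Override password is entered in place of the OTP (assumed to work
    # after expiry too, as the page's last paragraph suggests).
    if override_password and same(entered, override_password):
        return "allowed: override password"
    # Added hardening, not described on the page: a local clock set earlier
    # than the last online logon would otherwise stretch the window.
    if now < last_online:
        return "denied: clock earlier than last online login"
    if now - last_online > timedelta(days=offline_days):
        return "denied: offline access expired"
    if same(entered, totp(secret, now)):
        return "allowed: otp"
    return "denied: invalid otp"

if __name__ == "__main__":
    secret = b"12345678901234567890"  # constructed sample secret
    now = datetime(2018, 8, 10, 9, 0, tzinfo=timezone.utc)
    print(offline_login(totp(secret, now), secret, now,
                        now - timedelta(days=3), True, 7))
```

Because the window is measured against the local clock, the Sync Frequency and the number of offline days together bound how long a changed override password or policy can go unseen by a disconnected machine.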