Offline authentication

Offline authentication occurs when a user authenticates to Microsoft Windows using Digipass Authentication for Windows Logon while the client computer is not connected to the network or cannot establish a connection to OneSpan Authentication Server. Authentication is performed based on (locally stored and encrypted) offline authentication data (OAD).

The offline authentication data is generated by OneSpan Authentication Server during a successful online authentication. Its validity is limited either to a specific time span (time-based) or to a number of authentications (event-based). This requires the client to perform an online authentication on a regular basis.

You need to enable offline authentication via the OneSpan Authentication Server configuration.

Figure: Digipass Authentication for Windows Logon offline authentication

The user ID, password (optional), and OTP are verified against the offline authentication data. The authentication result is then sent back to Digipass Authentication for Windows Logon on the client computer. The offline authentication data can be used a limited number of times. You can configure that limit via the OneSpan Authentication Server Administration Web Interface.

Digipass Authentication for Windows Logon verifies whether:

  • Offline authentication data is available for the user. Offline authentication data is generated after a successful online authentication if offline authentication is enabled in the relevant Digipass Authentication for Windows Logon client component policy.
  • This offline authentication data is still valid. Offline authentication data is valid for a limited period of time for time-based data, or for a limited number of authentications for event-based data. The time or event limit is defined in the relevant Digipass Authentication for Windows Logon client component policy.
  • The OTP validation succeeds with the offline authentication data.

Although a user can have more than one authenticator assigned, only the first one ever used with Digipass Authentication for Windows Logon has offline authentication data assigned. If the user attempts an offline authentication using another authenticator that has no offline authentication data assigned, Digipass Authentication for Windows Logon will display an authentication error.

If you need to switch offline authentication data support to another authenticator, reset the offline authentication data for the currently used authenticator in the Administration Web Interface and perform an online authentication using the other authenticator immediately afterward.
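The three checks listed above (offline data present for the user, data still within its time or event limit, OTP valid against that data), together with the rule that only one authenticator per user carries offline data, can be modelled as a small decision routine. The following is an added example written for this page, not OneSpan's implementation: the `OfflineAuthData` record, the result strings and the use of HOTP (RFC 4226) as a stand-in for the OTP check are all assumptions; the real product's data format, OTP algorithm and local encryption of the data are not shown.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class OfflineAuthData:
    """Constructed model of the offline data cached for one user (assumption)."""
    serial: str                   # authenticator that owns the offline data
    secret: bytes                 # OTP secret; stand-in for the real material
    counter: int                  # next expected OTP counter
    expires_at: Optional[float]   # time-based limit (epoch seconds), or None
    remaining: Optional[int]      # event-based limit (authentications left), or None


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP, used here only as a stand-in OTP algorithm."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def offline_authenticate(store: Dict[str, OfflineAuthData], user: str, serial: str,
                         otp: str, now: float, window: int = 5) -> str:
    """Apply the offline checks in order and consume one use on success."""
    oad = store.get(user)
    if oad is None:
        return "error: no offline data"                      # check 1: data available?
    if oad.serial != serial:
        return "error: authenticator has no offline data"    # only the first authenticator used has data
    if oad.expires_at is not None and now > oad.expires_at:
        return "error: expired"                              # check 2: time-based limit
    if oad.remaining is not None and oad.remaining <= 0:
        return "error: exhausted"                            # check 2: event-based limit
    for step in range(window):                               # check 3: OTP against offline data
        if hmac.compare_digest(hotp(oad.secret, oad.counter + step), otp):
            oad.counter += step + 1                          # advance past the used OTP (no replay)
            if oad.remaining is not None:
                oad.remaining -= 1                           # consume one offline use
            return "ok"
    return "error: otp rejected"
```

Each successful offline logon consumes one event-based use, and an OTP that was already accepted is rejected on replay because the stored counter has moved past it.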

It is also possible to configure user-specific policy settings for offline authentication. These settings will override those set by the parent policy. For more information, see User-specific authentication policy overrides.

Considerations for disabling offline authentication

Disabling offline authentication for a user has the following implications:

  • OneSpan Authentication Server will not send any new encrypted offline authentication data to the client computer.
  • After offline authentication is disabled, the user will still be able to use offline authentication until the encrypted offline authentication data expires or until the user performs the next online authentication, whichever comes first.

Forcing static password verification

You can enforce static password verification during offline authentication via Digipass Authentication for Windows Logon, by disabling Stored Password Proxy and setting Back-End Authentication to Always in the effective policy.

Forcing OTP use

A user can be required to log on with an OTP, both online and offline, by configuring Digipass Authentication for Windows Logon accordingly. For more information, refer to the Digipass Authentication for Windows Logon User Guide, Section "Enforce Digipass authentication".