Offline authentication

Offline authentication occurs when a user authenticates to Windows via Digipass Authentication for Windows Logon, and the client computer is not connected to the network or cannot establish a connection to OneSpan Authentication Server. Authentication is performed based on (locally stored and encrypted) offline authentication data.

The offline authentication data is generated by OneSpan Authentication Server during successful online authentication. It is either limited to a specific time span (time-based) or the number of authentications (event-based). This requires the client to perform online authentication on a regular basis.

You need to enable offline authentication via the OneSpan Authentication Server configuration.

Offline authentication

During offline authentication, the user ID, the static password (if the policy requires it), and the OTP are verified by Digipass Authentication for Windows Logon on the client computer against the locally stored offline authentication data; no round trip to OneSpan Authentication Server takes place. The offline authentication data can be used only a limited number of times (event-based data) or for a limited time span (time-based data). You configure this limit via the OneSpan Authentication Server Administration Web Interface.

Digipass Authentication for Windows Logon checks whether:

  • Offline authentication data is available for the user. Offline authentication data is generated after a successful online authentication if offline authentication is enabled in the relevant Digipass Authentication for Windows Logon client component policy.

  • This offline authentication data is still valid. Offline authentication data is valid for a limited period of time for time-based data, or for a limited number of logons for event-based data. The time or event limit is defined in the relevant Digipass Authentication for Windows Logon client component policy.

  • The OTP validation succeeds with the offline authentication data.

Although a user can have multiple Digipass authenticators assigned, only the first one ever used with Digipass Authentication for Windows Logon has offline authentication data assigned. If the user attempts offline authentication with another Digipass authenticator with no offline authentication data assigned, Digipass Authentication for Windows Logon will display an authentication error.

If you need to switch offline authentication data support to another Digipass authenticator, reset the offline authentication data for the currently used Digipass authenticator in the OneSpan Authentication Server Administration Web Interface and perform an online authentication using the other Digipass authenticator immediately afterwards. Between the reset and that online authentication, no offline authentication data exists for the user, so offline logon is not possible.
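The following Python model illustrates the client-side decision procedure described above (data available, data still valid, OTP validates) together with the one-authenticator-per-user binding and the reset flow. It is an added example written for this page, not OneSpan's code: the real offline-data format, its encryption at rest and OneSpan's OTP algorithms are not reproduced. Assumptions not taken from the page are that the OTP is RFC 4226 HOTP, that the event-based limit is a decrementing counter, and that each stored record carries an HMAC tag under a machine-local key so that a tampered record (for example one with an extended expiry) is never trusted.

```python
"""Client-side offline authentication checks, modelled in Python.

Added example for this page; NOT OneSpan's code. Assumptions (not from the
page): OTP = RFC 4226 HOTP, event limit = decrementing counter, each stored
record is protected by an HMAC tag under a machine-local key.
"""
import hashlib
import hmac
import json
import struct
from dataclasses import asdict, dataclass
from typing import Optional, Tuple

MACHINE_KEY = b"constructed-machine-key"  # in practice: from a protected store


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): the OTP algorithm assumed for this example."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class OfflineData:
    user_id: str
    serial: str           # authenticator the data was issued for (one per user)
    secret_hex: str       # OTP secret; encrypted at rest in a real deployment
    counter: int          # next HOTP counter the client will accept
    kind: str             # "time" or "event"
    expires_at: int = 0   # time-based: Unix time after which the data is invalid
    logons_left: int = 0  # event-based: offline logons remaining


class OfflineStore:
    """One record per user, each protected by an HMAC tag over the JSON blob."""

    def __init__(self, key: bytes):
        self._key = key
        self._rows = {}  # user_id -> (blob, tag)

    def _tag(self, blob: bytes) -> bytes:
        return hmac.new(self._key, blob, hashlib.sha256).digest()

    def save(self, rec: OfflineData) -> None:
        blob = json.dumps(asdict(rec), sort_keys=True).encode()
        self._rows[rec.user_id] = (blob, self._tag(blob))

    def load(self, user_id: str) -> Optional[OfflineData]:
        row = self._rows.get(user_id)
        if row is None:
            return None
        blob, tag = row
        if not hmac.compare_digest(tag, self._tag(blob)):
            return None  # tampered (e.g. extended expiry): treat as no data
        return OfflineData(**json.loads(blob))

    def reset(self, user_id: str) -> None:
        """Models the 'reset offline authentication data' admin action."""
        self._rows.pop(user_id, None)


def issue_offline_data(store, user_id, serial, secret, counter, kind,
                       now=0, lifetime=0, logons=0) -> OfflineData:
    """Server side, after a SUCCESSFUL online authentication.

    Data stays bound to the first authenticator used until it is reset, so an
    online logon with a second authenticator does not rebind it.
    """
    existing = store.load(user_id)
    if existing is not None and existing.serial != serial:
        return existing
    rec = OfflineData(user_id, serial, secret.hex(), counter, kind,
                      expires_at=now + lifetime if kind == "time" else 0,
                      logons_left=logons if kind == "event" else 0)
    store.save(rec)
    return rec


def offline_authenticate(store, user_id, serial, otp, now, window=10) -> Tuple[bool, str]:
    """Client side: the three checks from the list above, in order."""
    rec = store.load(user_id)
    if rec is None:                       # 1. data available (and untampered)?
        return False, "no valid offline authentication data for user"
    if rec.serial != serial:
        return False, "offline data bound to another authenticator"
    if rec.kind == "time" and now > rec.expires_at:   # 2. still valid?
        return False, "time-based offline data expired"
    if rec.kind == "event" and rec.logons_left <= 0:
        return False, "event-based offline data exhausted"
    secret = bytes.fromhex(rec.secret_hex)            # 3. OTP validates?
    for c in range(rec.counter, rec.counter + window):
        if hmac.compare_digest(hotp(secret, c), otp):
            rec.counter = c + 1           # this and older OTPs can never replay
            if rec.kind == "event":
                rec.logons_left -= 1      # consume one offline logon
            store.save(rec)
            return True, "ok"
    return False, "otp rejected"
```

Two design points carry over to any real client: the accepted counter is advanced and persisted before success is returned, so an OTP captured from a previous offline logon cannot be replayed, and a record whose integrity tag fails is handled exactly like a missing record rather than being "repaired", which is what prevents a local attacker from extending the time or event limit by editing the cached data.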

It is also possible to configure user-specific policy settings for offline authentication. These settings will override those set by the parent policy.

Considerations for disabling offline authentication

Disabling offline authentication for a user has the following implications:

  • OneSpan Authentication Server will no longer send new encrypted offline authentication data to the client computer.
  • The user can still authenticate offline with the data already on the client computer until that data expires (time-based) or is used up (event-based), or until the user performs the next online authentication, whichever comes first.

Forcing static password verification

You can enforce static password verification during offline authentication with Digipass Authentication for Windows Logon, by disabling Stored Password Proxy and setting Back-End Authentication to Always in the OneSpan Authentication Server configuration.

Forcing OTP use

A user can be forced to log on either online or offline with an OTP, by configuring Digipass Authentication for Windows Logon accordingly. For more information about enforcing Digipass authentication, refer to the Digipass Authentication for Windows Logon User Guide.