
New From Duo: Windows Offline Authentication Q&A Recap

Tuesday, October 23

Thank you for registering for our recent webinar presentation, New from Duo: Windows Offline Authentication. Because of the high level of interest and volume of questions we received during the live webinar, we have prepared this collected list of the top questions asked of our presenters, as well as their answers. We hope you find this resource helpful, and welcome any additional feedback you have on this webinar or where we can provide more clarity.

Hardware Tokens

Q: Are hardware tokens supported? Why or why not, and is this on the roadmap?

We support Security Keys utilizing the U2F spec for authentication. We chose this for two reasons over AES-OTP tokens:

  • Security
  • Usability

Security, because the properties of U2F tokens allow us to take advantage of asymmetric cryptography. With Security Keys, the token seed file never leaves the hardware. All that is stored on the endpoint is public key information, which is also encrypted. That means even if the local endpoint were compromised, the adversary would only have compromised access for that single enrollment, as opposed to all uses of that key. So that key could be safely used for other use cases, such as online enrollment into Duo’s service.

AES-OTP tokens, on the other hand, would require a storage mechanism that stores both the token seeds and the public keys. That would mean that if the endpoint is compromised, the tokens would be burned and compromised for all other use cases, including online authentications.
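The difference described above, as an added illustration that is not Duo's code: RFC 4226 HOTP stands in for a seed-based OTP token, and toy textbook RSA with insecure parameters stands in for the ECDSA signature a U2F key produces. All function names and the sample seed are constructed for this example.

```python
import hashlib, hmac, secrets, struct

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def otp_endpoint_verify(stored_seed: bytes, counter: int, code: str) -> bool:
    # A symmetric verifier needs the very seed the token uses to make codes.
    return hmac.compare_digest(hotp(stored_seed, counter), code)

# Toy textbook RSA (assumption: stand-in for U2F's ECDSA; never use these
# parameters for real keys). P and Q are Mersenne primes.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
_D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, stays "inside the key"

def _digest(challenge: bytes, n: int = N) -> int:
    return int.from_bytes(hashlib.sha256(challenge).digest(), "big") % n

def key_sign(challenge: bytes) -> int:
    return pow(_digest(challenge), _D, N)   # runs on the security key only

def endpoint_verify(public: tuple, challenge: bytes, sig: int) -> bool:
    n, e = public                            # all the endpoint ever stores
    return pow(sig, e, n) == _digest(challenge, n)

def demo() -> dict:
    seed = b"12345678901234567890"           # RFC 4226 test seed (constructed input)
    endpoint_copy = seed                     # what an OTP verifier keeps on disk
    # The endpoint's stored copy yields the same next code as the token itself.
    otp_clone_ok = otp_endpoint_verify(seed, 1, hotp(endpoint_copy, 1))
    challenge = secrets.token_bytes(32)      # fresh challenge per login
    sig = key_sign(challenge)
    # The stored (N, E) can check a signature but not produce one: using the
    # public exponent in place of the private one does not verify.
    from_public = pow(_digest(challenge), E, N)
    return {
        "otp_code_from_endpoint_copy_accepted": otp_clone_ok,
        "genuine_signature_accepted": endpoint_verify((N, E), challenge, sig),
        "signature_from_public_data_accepted": endpoint_verify((N, E), challenge, from_public),
    }
```
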

From a usability standpoint, authenticating with a security key is far more convenient than entering one-time passcodes. The user simply taps the key to authenticate instead of fumbling with a legacy hardware token to read the token code.

Security Questions

Q: Can offline auth logs be erased or modified before syncing with our Duo account once back online?

Offline logs are only visible to Administrative accounts on Windows. As long as your users do not have administrative access, they cannot tamper with the authentication logs.

Q: How secure is this, if a user leaves the Yubikey plugged into their machine?

There are two approaches to take. Even if the security key is embedded in the device, the user needs to know a password to invoke multi-factor authentication. If the customer reads the NIST 800-53 definition of MFA as requiring separation of hardware, Yubikey Security Keys come in a variety of form factors. We’ve had some customers choose the more traditional thumb drive form factor, as opposed to the discrete nano form factor, to force user removal of the security key. Others have chosen to keep them embedded.

Q: Can you bypass this in Safe Mode?

We recommend customers encrypt hard drives with a service like Microsoft BitLocker or a third-party solution, which will require a local encryption key to access safe mode. We chose not to ship a control to block access to safe mode because we observed too many instances in which a user would accidentally break access to their endpoint and effectively require an entire device wipe to get back to working.

Q: How is the seed file protected on the offline system?

For Duo Mobile: The OTP seed is encrypted with a key stored in the TPM* if it is available. If a TPM is not available, we use Windows software encryption. The encrypted seed file is stored in the registry.

For Security Keys: The private key never leaves the security key. All that is stored on the endpoint is the public key credential unique to that user and endpoint’s enrollment and the unique identifier for the public key. These credentials are encrypted by the TPM if available and stored, encrypted, in the registry.

*Trusted Platform Module (TPM, also known as ISO/IEC 11889) is an international standard for a secure cryptoprocessor, a dedicated microcontroller designed to secure hardware through integrated cryptographic keys.

Q: Does this mean I no longer configure fail safe or fail secure, it will always fail closed?

Fail safe and fail secure can still be configured upon installation, but will only be invoked when users are not permitted to authenticate while offline, that is, when customers configure offline access so that certain users cannot log in while offline. Fail open/fail closed will still be taken into consideration when making decisions about users who are not enrolled in Offline.

Q: Will this work if our DAG server is offline due to power outage or other issue?

Windows Logon 4.0 could be installed on a Windows server to allow for access when the device is temporarily offline such as during a network outage. However, DAG requires web access for local federation, so this solution is orthogonal to that use case.

Q: What happens if a user is blocked after 10 failed requests?

The user will be blocked until they connect back online and are able to successfully authenticate.

Q: What is the bypass workflow if we lose our phone?

Excellent question. The user can re-register by logging in while online, successfully completing an online enrollment, and then registering a new device.

Remember Me/Bypass Codes

Q: Will there be a “remember me” period for offline auth in case they lock their machine while still offline?

There is not. We require authentication at every login attempt due to the fact that we rely on the credential provider framework within Windows, which is invoked at every login screen.

Over the next year, we are exploring ways to dampen authentication attempts based on certain signals, but we are not yet certain whether that will be tenable for offline attempts.

Q: Will offline auth requests show up in the admin panel?

Yes, the next time the endpoint is connected to the internet, all cached offline logins will be pulled into the admin panel and display in the authentication logs.

Q: Can offline auth be restricted by date, rather than number of logins?

Yes. Customers can configure offline login attempts based on number of logins or number of days.

Q: Can offline codes be set to a higher number than 10, or unlimited?

Yes, customers can configure

Q: Do Duo Bypass codes work in offline mode?

No, they do not. This is both a choice we’ve made from a security standpoint and a consequence of the mechanics: the authentication codes are generated within our cloud service and could not be mirrored to an offline device.

When a user is locked out, they will need to connect online to successfully authenticate before they can get back into the endpoint. If they lost their device, please refer to the above question.

Offline Auth Devices

Q: Can one Yubikey be used for both offline and online login?

Yes. Users can enroll the Yubikey as a U2F security key for offline Windows logon, and they can use the same key as a U2F security key for online access to web services with the Duo Prompt. The Yubikey (model dependent) can also be used in OTP mode for online Windows logon.

We are planning on adding U2F security key support for online WinLogon attempts in the future.

Q: Is there (or are there plans for) a biometric login option offline?

We are planning on adding support for the Windows Hello authentication framework late next year within Windows Logon, which will allow us to defer to built-in biometric authenticators as opposed to third-party security keys.

Happy to discuss other ideas you may have around biometric login for offline.

Q: Can multiple Yubikeys (for either a single or multiple users) be used on the same laptop?

Different users can utilize either the same security key or different security keys on an endpoint. One limitation to be aware of is that one user can only use one offline security key - we do not support the concept of backup keys at this juncture.

Q: Can you require both soft token and Yubikey for auth?

No, users can use either a soft token or a security key for authentication.

Q: Do you need a Yubikey 5s with a cert to do offline auth?

No, the following Yubikey models all support U2F:

  • Yubikey 5
  • Yubikey 5 Nano
  • Yubikey 4
  • Yubikey 4 Nano
  • Yubikey FIPS
  • Yubikey Security Key (U2F-only)

Q: Is there any plan for PIV cards using x.509 cert support?

WinLogon supports PIV cards utilizing the Windows SmartCard framework. The user experience is that if we detect the presence of a PIV card, we will allow you to bypass multifactor authentication. Learn more here:

Q: Does the phone need to be online to generate passcodes?

It does not. The tokens are generated locally on the iPhone or Android smartphone without relying on the online service.

Q: Is support for offline mode using Push planned?

No, it is not. Our Push service operates by having the local endpoint (e.g. laptop) reach out to our cloud service to invoke a Push authentication via either Apple Push Notification Service or Google Cloud Messaging, which sends it down to Duo Mobile on iOS or Android respectively. Because the endpoint in this case is offline when invoking an authentication, we cannot begin that first step.


Q: Will you need an additional license for offline auth users?

No, customers will not. This is included with MFA, Access, and Beyond editions. Duo charges based on user count, not based on additional integrations or devices enrolled.

Q: When will this go live for all customers?

November 19, 2018

Q: Which license tier is needed to use this functionality?

MFA, Access, and Beyond editions will offer Windows Offline access.

Planned Updates/Feature Requests

Q: Will there be support for offline login using UNIX/Linux or Mac OS systems?

We have seen roughly an 85-15 balance in local endpoints across our customers for Windows vs. Mac, so we prioritized Windows first. We are exploring solutions for Mac offline for 2019. We do not currently have plans to extend offline access to UNIX or Linux endpoints, as we have not seen market demand there.

Q: Will future integrations re-enable the Windows Hello functionality that is lost with this integration?

Hello, thanks for bringing this issue up. The collisions with Windows Hello and WinLogon are due to the credential provider framework not working in conjunction with Windows Hello. We do plan on working on a new version of Windows Logon that can trust Windows Hello as an authentication method next year.

Q: Will location awareness functionality be added?

For offline, we have a dearth of location signals and cannot rely on the presence of a mobile device because we’ve observed a number of customer situations where they would only be able to support security keys.

For online, we currently cannot support IP address for signaling because the IP is self-reported by the endpoint. We do have plans to leverage additional signals around the endpoint for decision making, but we don’t necessarily have anything to share at this juncture.


  • Date:
    Tuesday, October 23, 2018