Offline Multi-Factor Authentication for Windows is Now Available
Summary
Duo’s support for offline multi-factor authentication (MFA) for Windows has shipped
There are two ways to use it - both of them easy to use and highly secure
Duo is the only company to offer Universal 2nd Factor (U2F)-based offline MFA
Available now to all Duo MFA, Duo Access and Duo Beyond customers at no additional cost
We’re pleased to announce the general availability of our offline MFA for Windows laptops, desktops and servers. Duo’s offline MFA for Windows allows end users to perform 2FA even while they are temporarily disconnected from the internet.
This is critical to support users whose job requires them to be temporarily offline, but who still need to perform 2FA to log in to their Windows computer. Here’s a few examples of different types of users and user scenarios that Duo now supports:
An executive or salesperson who works offline or must securely log in to the (offline) computer before connecting to the in-flight Wi-Fi or hotel Wi-Fi
An engineer or contractor at a customer site where they are not allowed to use Wi-Fi or internet, or where there is no internet available
Federal contractors fulfilling requirements for Defense Federal Acquisition Regulation Supplement - Controlled Unclassified Information (DFARS-CUI)
Strong Pre-Release Demand
We’ve seen overwhelmingly strong interest from customers in the run-up to release. See our previous blog posts on the subject here and here. We also hosted a heavily-attended customer webinar, recorded here, where we addressed many common customer questions. One customer’s story about their rollout and use of offline MFA is located here.
Two Usage Options
Customers have the option to choose between two different ways to use Duo offline MFA for Windows. Both authentication methods achieve Duo’s high standards for ease of use and provide industry-leading security.
Duo Mobile App
The first option: users can choose the one-time passcode (OTP) method in their Duo Mobile app. This has the advantage of being very familiar for users who already use the OTP option in the Duo Mobile app on a regular basis. Watch how passcodes work with Duo Mobile in this video:
Offline U2F
The second option: users can opt to use a standard physical U2F security key (such as Yubico’s YubiKey). The advantage here is that it is extremely easy to use (just touch the key when prompted on screen). This works for users who don’t or can’t use a mobile device.
Duo is the first and only security vendor to deliver offline MFA based on U2F security key technology. Universal 2nd Factor, or U2F, is an authentication standard developed by the FIDO Alliance that is designed to be open, secure, private and easy to use. Learn more about U2F.
A YubiKey or other standard U2F security key is plugged into the user’s USB port. Once enrolled with Duo, a simple tap or button press on the key provides a second authentication factor to validate a user’s identity at login - similar to the one-tap convenience of online U2F login that users are already familiar with.
“With the introduction of this new feature, Duo provides a unified solution for offline, online, and web login using a single service and the YubiKey for strong hardware-backed two-factor authentication,” said Jerrod Chong, SVP of Product at Yubico. “This use case and integration expands many benefits of U2F for secure login without compromising security or usability for offline support that we are excited to see.”
The U2F security key option makes use of asymmetric cryptography. At enrollment time, a public/private key pair is generated for each user (a separate pairing for each unique application to be protected). The user’s private key is embedded on the U2F device hardware in a tamper-proof way. The user’s private key never leaves the hardware, and cannot be used for any other reason.
Available Now to All Duo Customers
The offline MFA for Windows is available as part of all Duo product editions (Duo MFA, Duo Access and Duo Beyond) at no extra cost. Administrators decide which groups of users can use the offline MFA option. Customers do not need to buy any additional licenses for users who use offline MFA. See additional information on Duo’s Windows login capability here.