Offline Workstation logon with OATH tokens
Offline OATH Tokens
Beginning with version 2.2, you can create “offline” OATH tokens that will be synchronized down to your workstations when the user connects online. The offline OATH token can then be used to authenticate to any of the workstations that previously cached its record. (Normal “Online” OATH tokens cannot be used in this way, because it's not possible to authenticate them without having a connection to the DC.)
Limitations
- You cannot use an Offline token to access any LAN resources that demand 2-factor authentication. Unlike a YubiKey, the offline token cannot serve both scenarios (offline workstation logon and 2-factor access to LAN resources). You need to have a separate row for your Offline OATH token in the authenticator app, and only use it when disconnected from the LAN.
- If you log in to an offline workstation with your Offline OATH token, then connect a VPN, you'll need the Online OATH token for the VPN. Furthermore, LAN resources that require 2-factor auth won't work because the desktop itself has used the Offline token. For use cases like this, the YubiKey is a far better choice.
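The following is an added example, not the product's own code: it models why a workstation can only check a code offline if that token's record was cached beforehand, and why the Online and Offline tokens are separate rows with separate secrets. It assumes the tokens are RFC 6238 TOTP (HMAC-SHA1, 30-second step); the `WorkstationCache` class, its record layout and the replay check are hypothetical.

```python
import hashlib
import hmac
import struct

STEP = 30  # RFC 6238 default time step in seconds (assumed)


def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP over a time-step counter (RFC 6238 TOTP, HMAC-SHA1)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class WorkstationCache:
    """Hypothetical local store: user -> cached Offline token record."""

    def __init__(self):
        self.records = {}

    def sync(self, user: str, secret: bytes) -> None:
        # Only possible while the workstation can reach the DC.
        self.records[user] = {"secret": secret, "last_step": -1}

    def verify_offline(self, user: str, code: str, now: int, window: int = 1) -> bool:
        rec = self.records.get(user)
        if rec is None:
            return False  # nothing cached: cannot be checked without the DC
        current = now // STEP
        for step in range(current - window, current + window + 1):
            if step <= rec["last_step"]:
                continue  # time step already consumed: reject replayed codes
            expected = totp(rec["secret"], step)
            if hmac.compare_digest(expected.encode(), code.encode()):
                rec["last_step"] = step
                return True
        return False


if __name__ == "__main__":
    # Constructed sample data: the RFC 6238 test secret as the Offline token,
    # and a different secret standing in for the never-cached Online token.
    offline_secret, online_secret = b"12345678901234567890", b"online-only-secret!!"
    cache = WorkstationCache()
    cache.sync("alice", offline_secret)
    print(cache.verify_offline("alice", totp(offline_secret, 1), now=59))  # True
    print(cache.verify_offline("alice", totp(online_secret, 1), now=59))   # False
```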