ADSelfService Plus supports offline MFA for Windows machine logins, User Account Control (UAC) prompt elevation, and RDP server authentication when the product server is unreachable.

Windows machines can be secured by MFA in two ways:

• Online MFA: The default or online MFA process in ADSelfService Plus uses a network connection between the ADSelfService Plus server and user machines to verify the identities of users based on the authenticator data registered in the ADSelfService Plus server.
  

• Offline MFA: To ensure identity security even in the absence of a proper network connection or communication with the ADSelfService Plus server, offline MFA verifies a user's identity with authenticator data securely stored in the user's machine by the Windows login agent. Offline MFA can be used to secure interactive logins, RDP server authentication, and UAC prompts. Click here to learn more about the enrollment and verification process.
  

This page explains:

• How offline MFA works

• How to enable the feature

• Enrolling end users in offline MFA

• Advanced settings
  

How does offline MFA work?  

1. The user enters their credentials to log in to their machine.

2. Upon successful primary authentication, the ADSelfService Plus login agent installed on the machine tries to access the ADSelfService Plus server to initiate MFA, but it fails due to connection issues.

3. The login agent then initiates offline MFA. If the user has enrolled their device in offline MFA, they will be able to verify their identity when offline. Otherwise, their authentication flow may be blocked based on the organization's policy.

4. If the user completes the required authentication levels successfully, they are logged in to the machine. 

Offline MFA configuration  

Prerequisites   

• Offline MFA is supported only for Windows machines (except Windows 10 version 1803). For remote logins, offline MFA is not supported for RDP client authentication.

• If the login agent is already installed, make sure it is version 6.3 and above or reinstall it to upgrade to this version. Otherwise, install the agent after configuring offline MFA to ensure that the changes are updated.

• The Endpoint MFA add-on for ADSelfService Plus is required to enable the MFA for machine logins feature. Visit the store to purchase the add-on.

• SSL must be enabled. Log in to the ADSelfService Plus web console with admin credentials. Navigate to Admin → Product Settings → Connection. Select the ADSelfService Plus Port [https] option. Refer to this guide to learn how to apply for an SSL certificate and enable HTTPS.

• The access URL must be set to HTTPS. Navigate to Admin > Product Settings > Connection > Configure Access URL and set the Protocol option to HTTPS.

• Enable the required authentication methods. ADSelfService Plus supports the following methods for offline MFA:

• Google Authenticator

• Microsoft Authenticator
  

• Zoho OneAuth's TOTPs

• Custom time-based one-time password (TOTP) authenticators

• For steps to enable the authentication methods, refer to the authenticators guide.

• Install the ADSelfService Plus client software login agent for Windows, macOS, and Linux on the machines where you want to enable MFA. Click here for the steps to install the ADSelfService Plus login agent. 
  

Steps to enable offline MFA for Windows machines:  

1. Go to Configuration > Self-Service > Multi-factor Authentication > MFA for Endpoints.

2. Select a policy from the Choose the Policy drop-down. This will determine which authentication methods are enabled for which sets of users.

Note: ADSelfService Plus allows you to create OU and group-based policies. To create a policy, go to Configuration → Self-Service → Policy Configuration → Add New Policy. Click Select OUs/Groups, and make the selections based on your requirements. You need to select at least one self-service feature. Finally, click Save Policy.

3. In the MFA for Machine Login section, select the check box to enable online MFA for machine logins and select the number of authentication factors you want to prompt users for. Select the preferred authentication methods from the drop-down.Click Choose authenticators for Offline MFA and select the authentication method you prefer for offline MFA from the drop-down.
   

4. Click Choose authenticators for Offline MFA and select the authentication method you prefer for offline MFA from the drop-down.

5. Click Save Settings.

Offline MFA is now successfully configured using the preferred authenticators for users belonging to the selected policy.

Enrolling end users for Offline MFA  

Enrollment for offline MFA takes place in two stages: authenticator enrollment and machine enrollment.

1. Authenticator enrollment   

A. Enrollment by users during identity verification

1. When a user is enrolled for online MFA: Once offline MFA is configured, after a user completes online MFA via the login agent or in the ADSelfService Plus portal, they will be enforced to enroll for authenticators configured for offline MFA, if not yet enrolled. This flow can be altered by changing the Force enrollment/Deny access/Allow access if the user is not enrolled in MFA setting.
   
2. When a user is not enrolled for online MFA: If online MFA and offline MFA are configured, but the user has not enrolled for any of the authenticators required, they will be enforced to enroll as soon as they complete the primary authentication on their machine.

B. Enrollment by users from the user portal

A user can log in to the ADSelfService Plus user portal, navigate to the Enrollment tab and enroll for the authenticators configured for offline MFA.

C. Enrollment by admins

ADSelfService Plus also supports bulk user enrollment by admins via importing data from CSV files or external databases like Oracle, Microsoft SQL Server, MySQL, and PostgreSQL. Learn how to enroll users in bulk using these methods from the help document.

2. Machine enrollment  

If a user has enrolled for the authenticators needed for offline MFA, during their next successful online MFA, the user's machine will either be automatically enrolled for offline MFA, or they will have to choose between enrolling their machine and skipping enrollment based on the configured settings.

Once the machine is enrolled for offline MFA for the specific user, the user's authenticator enrollment data will be securely transmitted from the ADSelfService Plus server and stored as encrypted data in the specific machine for offline MFA. This process will repeat regularly, to keep the authenticator data up-to-date.

Disenrolling a machine from offline MFA  

Disenrolling a user's machine restricts their access to the offline MFA feature. A user's machine can be disenrolled from offline MFA in two ways:

A. From the Offline MFA Enrollment Report:  

This report generates the list of machines enrolled by users for offline MFA. The information listed in the report includes the user who is enrolled in the machine for offline MFA, the time of enrollment, and last synced time. It also allows admins to disenroll machines and users from offline MFA. Here's how to use the disenrollment capability in the report:

1. Log in to the ADSelfService Plus admin portal.

2. Go to Reports > Enrollment Reports > Offline MFA Enrollment Report. The Offline MFA Enrollment Report will open.

3. From the listed usernames and their machines, select the machines you want to disenroll, and click the Disenroll option.

The machine is now disenrolled from offline MFA.

B. From the end user self-service portal:   

1. Log in to the ADSelfService Plus portal.

2. Go to the Enrollment tab. Click on Manage.

3. Click on Offline MFA - Manage Enrolled Devices.

4. Here, click on Disenroll for the machines you want to revoke your offline MFA enrollment from.

Note: Changes to the offline MFA configuration, advanced settings, enrollment data, and disenrollment of the machine from offline MFA will be reflected only after the next successful online MFA attempt in that machine.

What happens if offline MFA isn't configured or the user's machine isn't enrolled for it?  

Offline access to the user's machine will be denied unless:

• The Skip MFA when the ADSelfService Plus server is unreachable or down setting is enabled. This setting can be found under Configuration > Self-Service > Multi-factor Authentication > Advanced > Endpoint MFA > Machine Login MFA.
  

• Machine-based MFA is not enforced for that machine. For this, the Manage MFA setting under Configuration > Administrative Tools > GINA/Mac/Linux (Ctrl+Alt+Del) > GINA/Mac/Linux Installation > Installed Machines is set to Exempt.
  

To avoid degrading security by bypassing MFA, or hampering productivity by denying access when offline, it is recommended to enable offline MFA.

Advanced offline MFA settings  

The following advanced settings enhance offline MFA's functionality.

• Automatically enroll the user's device for Offline MFA after successful online authentication: This setting is enabled by default. When enabled, once a user completes online MFA in a machine, it is automatically enrolled for offline MFA without notifying the user. If not enabled, the user can choose to enroll their machine for offline MFA or skip it.
  

• Restrict users from performing offline MFA after _ days/attempts: When this setting is enabled, offline MFA is restricted to a certain number of days or attempts and users are mandated to connect back to ADSelfService Plus once this limit is exhausted.
  

To access these settings, log in to the admin portal and navigate to Configuration > Multi-factor Authentication > Advanced Settings > Endpoint MFA > Machine Login MFA. Ensure your preferred policy is enabled in the Multi-factor Authentication page.