Cached (Offline) Workstation logon with OATH tokens
Offline OATH Tokens
Beginning with version 2.2, you can create “offline” OATH tokens that will be synchronized down to your workstations when the user logs in to the LAN. The offline OATH token can then be used to authenticate to the workstation in cached mode, when it is away from the LAN. (Normal “Online” OATH tokens cannot be used in this way, because it's not possible to authenticate them without having a connection to the DC.)
- Offline OATH tokens will NOT work when the machine is connected to the LAN.
- You cannot use an Offline token to access any LAN resources that demand 2-factor authentication. Unlike with a YubiKey, the offline token does not support both scenarios. You need to have a separate row for your Offline OATH token in the authenticator app, and only use it when disconnected from the LAN.
- If you log in to an offline workstation with your Offline OATH token, then connect a VPN, you'll need the Online OATH token for the VPN. Furthermore, LAN resources that require 2-factor auth won't work because the desktop itself has used the Offline token. For use cases like this, the YubiKey is a far better choice.