Offline Login
Overview
Whether you're out of the office, in an area without network coverage, or traveling on an airplane, securely logging into your workstation becomes essential. To address these situations, 1Kosmos' Windows Workstation MFA agent enables users to access their systems even when there is no internet connection or when the 1Kosmos cloud is inaccessible.
For a smooth offline authentication experience, it's recommended to complete the passwordless online login. However, this is not mandatory. If the passwordless login was never set up, the offline login will prompt the user to enter their password and TOTP.
The Account TOTP is a six-digit time-based one-time passcode (TOTP) generated by the 1Kosmos mobile app, which allows for offline access to applications. To access the Account OTP, follow these steps:
- Open the 1Kosmos app.
- On the top-right corner of the screen, tap the Hamburger menu.
- Tap Account OTP.
- In the Account OTP screen that is displayed, view the passcode.
The Windows Workstation MFA agent supports offline login for both domain and local users. To enable offline logins, the community seed must be configured in the registry of the target workstation. When the system is offline, the Windows Workstation MFA agent shows an offline indicator on the UI. If the community seed is unavailable, the agent notifies users that offline login is not enabled when they attempt to log in. However, 1Kosmos still allows users to log in with local accounts in such cases.
By adopting this feature, users can enjoy seamless access during offline scenarios using the Account TOTP from the 1Kosmos mobile app. If passwordless login has not been completed beforehand, the password will serve as an additional factor for offline authentication.
Starting with Release v2.0.8.0, multi-factor authentication (MFA) methods are displayed for both local and remote account logins. To enable MFA for a local user, the local account must be added as an alias.
Administrators can configure the authentication journey for primary users via the AdminX interface. While in the AdminX interface, they must add the local user as an alias for the primary user. If no custom journey is set for the primary user, the Windows Workstation MFA Agent will display the default five options: password, OTP, QR, FIDO and Push. Users can select any of these methods to log in to the workstation.
The local users still need to enter their password.
The following cases illustrate the usage of passwords for both Offline and RDP scenarios:
Offline Login Behavior:
- If Offline Login is enabled (i.e., the community seed is configured):
  - The local user associated with an alias is prompted to enter the Account OTP of the primary user along with their password to log in.
- If Offline Login is not enabled (i.e., the community seed is not configured):
  - The local user can log in using only their password, without needing to provide the Account OTP.
RDP Support:
Local user login via RDP is supported when the Workstation MFA Agent is installed on the remote machine.
- On the host machine, the user enters their Microsoft username and password.
- On the RDP session, the 1Kosmos MFA prompt will appear to provide the account OTP.
Enabling Offline Login Mechanism
To enable offline login support, the administrator must add the OTP Seed to the system registry of the workstation running the Windows Workstation MFA agent. To associate the OTP Seed with the registry, follow these steps:
- Navigate to the AdminX interface.
- Go to the Authentication > Multi-Factor Authentication > Account OTP for Offline Authentication section and copy the OTP seed.
- Navigate to the following registry path:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{90576E81-DDF8-4E8E-91E2-CA3A9CE52410}
- Create a registry key in the following format:
  CommunitySeed_$dns_$communityName
  In dns and communityName, replace any occurrence of "." with "_", so that the updated registry key name appears as in the examples in the next step.
- Add the following registry keys.

Registry Key | Registry Type
--- | ---
CommunitySeed_acme_1Kosmos_net_default | REG_SZ
CommunitySeed_acme-dev_1Kosmos_net_development | REG_SZ
The registry can be updated either through the SCCM / GPO update by the organization or via the BlockIDInstaller.bat script using the -configure directive. For more information, see Automatic Installation of the Windows Workstation MFA Agent.
Administrators must update the REGCONFIG file to add the CommunitySeed and value.
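The following PowerShell script is an added example, not 1Kosmos' own tooling: it derives the CommunitySeed value name from the dns and communityName using the "." to "_" rule above, writes it as REG_SZ under the credential provider path from this page, and reads it back to confirm the type. The $Dns, $CommunityName and $OtpSeed parameters are assumptions; the seed is a placeholder to be replaced with the value copied from AdminX.

```powershell
# Added example (not 1Kosmos' script). Run from an elevated PowerShell session.
# $Dns / $CommunityName defaults reuse the page's sample values; $OtpSeed is a placeholder.
param(
    [string]$Dns = 'acme.1Kosmos.net',
    [string]$CommunityName = 'default',
    [string]$OtpSeed = '<PASTE-OTP-SEED-FROM-ADMINX>'   # placeholder; never store real seeds in scripts
)

# Credential provider key named on this page; the agent looks for CommunitySeed_* values here.
$ProviderPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{90576E81-DDF8-4E8E-91E2-CA3A9CE52410}'

function Get-CommunitySeedValueName {
    param([string]$Dns, [string]$CommunityName)
    # Format: CommunitySeed_$dns_$communityName, with every "." replaced by "_"
    $safeDns       = $Dns.Replace('.', '_')
    $safeCommunity = $CommunityName.Replace('.', '_')
    return "CommunitySeed_${safeDns}_${safeCommunity}"
}

if ($OtpSeed -like '<*>') {
    throw 'Replace the OTP seed placeholder with the value copied from AdminX.'
}
if (-not (Test-Path $ProviderPath)) {
    throw 'Credential provider key not found; is the Windows Workstation MFA agent installed?'
}

$valueName = Get-CommunitySeedValueName -Dns $Dns -CommunityName $CommunityName

# REG_SZ corresponds to the 'String' property type; -Force overwrites an existing value (seed rotation).
New-ItemProperty -Path $ProviderPath -Name $valueName -Value $OtpSeed -PropertyType String -Force | Out-Null

# Verify the value was written with the expected REG_SZ type.
$kind = (Get-Item $ProviderPath).GetValueKind($valueName)
if ($kind -ne 'String') {
    throw "Unexpected registry type for ${valueName}: $kind (expected REG_SZ)"
}

# List every community that now has offline login enabled on this workstation.
(Get-Item $ProviderPath).GetValueNames() |
    Where-Object { $_ -like 'CommunitySeed_*' } |
    ForEach-Object { "Offline login enabled: $_" }
```

With the page's sample inputs the script writes a value named CommunitySeed_acme_1Kosmos_net_default; the seed itself is never printed.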
Sign in using Offline Login
To access your workstation while offline, follow these steps:
- In the login screen, click the Other User tile and select the BlockID option.
- The Sign In page displays a No Internet icon. Enter the username and click Submit.
- Enter Account OTP from the 1Kosmos mobile app.
You will be logged into the workstation.