Duo Offline Enrollment May 2026

Monitor NTP health on every device that stores offline seeds. Implement a grace window (e.g., 3 intervals of 30 seconds) on the gateway.

3. Brute-Force on the Endpoint

The offline seed database resides on the gateway’s local disk. If an attacker compromises the gateway (e.g., a stolen laptop running Duo Windows Logon), they can extract the encrypted seed file and attempt offline brute force against the encryption key.

By [Author Name]

Use Duo’s "Offline Access Management" API to purge seeds. Automate offline enrollment expiration (e.g., 7 days max).

2. The Time Drift Catastrophe

TOTP depends on accurate clocks. If a gateway’s clock drifts more than 90 seconds from real time, all offline authentications will fail. This is a common failure after a power outage or NTP misconfiguration.
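
The grace window this page recommends (3 intervals of 30 seconds) can be seen at work in the following added example, which is not Duo's code or part of the original article: a generic RFC 6238 verifier that accepts a code within the window and reports which interval matched. The seed is the RFC 6238 test seed and the timestamps are constructed; the names totp, verify and SAMPLE_SEED are illustrative.

```python
import hashlib
import hmac
import struct

STEP = 30        # seconds per TOTP interval
GRACE_STEPS = 3  # the page's example grace window: 3 intervals of 30 s
SAMPLE_SEED = b"12345678901234567890"  # RFC 6238 test seed, not a real secret


def totp(seed: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the interval containing unix_time."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(seed, submitted, gateway_time, grace_steps=GRACE_STEPS, digits=6):
    """Return the interval offset that matched, or None if no code matched.

    Every interval in the window is checked (no early exit) and codes are
    compared with compare_digest, so comparison time does not depend on
    how many digits match.
    """
    matched = None
    for k in range(-grace_steps, grace_steps + 1):
        candidate = totp(seed, gateway_time + k * STEP, digits)
        if hmac.compare_digest(candidate, submitted) and matched is None:
            matched = k
    return matched


if __name__ == "__main__":
    token_time = 1111111109                  # constructed: token's correct clock
    code = totp(SAMPLE_SEED, token_time)
    for drift in (0, 90, 120):               # gateway clock runs fast by drift
        offset = verify(SAMPLE_SEED, code, token_time + drift)
        # A non-zero offset is worth logging: it is an early NTP-drift signal.
        print(f"drift={drift:>3}s matched_offset={offset}")
```

A window of 3 intervals means 7 codes are valid at any moment, so keep it as small as drift monitoring allows and alert on non-zero offsets before they reach the edge of the window.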
