Enrolling in Duo Offline (KBR Provided Computer Users Only)
The only two methods that allow for Duo Offline mode are the Duo Mobile app and the FIDO Security Key. This means that if your KBR provided computer is not able to connect to an internet connection or a KBR network, you can still log in to your computer using an offline code.
The Duo Mobile app is the recommended method for enrollment. FIDO Security Key's must be requested through DASH.
You may ONLY have ONE method enrolled for offline login.
Pre-Requisites for enrolling Duo Offline
- You must have a KBR Provided Computer.
- You must have already successfully completed your Duo enrollment, enrolling either the recommended Duo Mobile app or using a FIDO Security Key.
- You must have already installed the Duo application on your KBR Provided Computer and connected to it at least once while connected to the internet.
Duo Mobile
1. Log in to your KBR computer as normal, entering your KBR User ID and Network Password.
2. When prompted with the DUO Security window that says Login to Windows even when you are Offline select DUO Mobile Passcode then click Activate Now. Follow the steps to register for Offline access. You will only have to do this registration once, unless you get a new computer.
FIDO Security Key
1. If you are setting up DUO for the first time, you need to authenticate using a network connected device at least once, to register an offline token.
2. If you already have a Windows offline authentication key set up on the DUO app and wish to replace that with a FIDO Key, click Replace/Reconnect an offline device on the left side of the Duo Authentication Prompt. If your Windows Logon application is configured to automatically send a push request to your phone, you will need to cancel the authentication in progress before you can click the link on the left.
3. Authenticate using either a DUO push authentication, A call from DUO, or a Passcode generated from either the DUO app, SMS, hard token, or a bypass code provided by an administrator.
4. Select Security Key (YubiKey) and click Activate Now to begin setting up offline access.
5. Duo for Windows Logon attempts to contact your security key. If you don't have it plugged in, go ahead, and insert it. You should see the security key begin flashing, and the Duo screen will say Security key found - Tap to enroll. Touch your blinking security key to register it. Note: The Feitian Fido Key is “Capacitive touch” sensitive, you need to use your skin and not a sharp object like a nail. Press the exposed metal key ring loop to activate the token.
6. Tap the security key again to verify.
7. If successful, the Duo offline activation window says Security key verified - enrollment complete. Click the Activate Offline Login button to finish setting up offline access.
8. Once you’ve activated offline access for your account, when your computer isn’t able to contact Duo’s cloud service you’ll automatically be offered the option to login with a security key after successfully submitting your Windows username and password during system logon.
Things to be aware of:
1. FIDO Keys must be activated with the skin on your finger.
2. You must register the key using an internet connection at least the first time, you cannot register an offline token with no internet.
3. You have 99 log in attempts while using a FIDO Key before you must log in using a network connected DUO token such as a hard token, text, call, or the app.
4. The FIDO Key does not have an expiration and is transferable so do not throw away or dispose of. IT can transfer it to another user.
5. You can only have 1 Offline authentication device, either the Windows offline code on the DUO app or a Security key, not both. Activating one will replace the other.
6. You can replace a lost FIDO Key by following step 2, “Replace/Reconnect an offline device” When you activate the new key the previous one will no longer work even if found at a later time.