Configuring offline multi-factor authentication and rescue users

When a Windows computer that is running a Centrify Agent is not configured to use multi-factor authentication, you can use a local account to rescue that system when it cannot connect to the Centrify Identity platform.

Local users are not challenged for MFA. In non-safe mode on Windows:

  • With the Centrify Privilege Elevation Service (zone mode), a local user can log in without MFA whenever the computer cannot connect to the Centrify Identity Platform. The exception is a local user who is not assigned a role for either "Windows login permit" or "rescue user."
  • Without the Centrify Privilege Elevation Service (zoneless mode), a local user is allowed to log in without MFA.

In safe mode on Windows, a local user can log in only as a rescue user. To set a rescue user in zone mode, assign the role through Access Manager. To set a rescue user in zoneless mode, configure it through Group Policy.

If a computer that is joined to a zone starts in Safe Mode, only users who are assigned a Login role with the system rescue right selected will be able to access the machine. These users will not be required to use multi-factor authentication.

Users who are required to use multi-factor authentication to log in to their Windows workstations can set up an offline MFA profile to use as a second form of authentication in the event that their machine cannot connect to the Centrify Identity platform. These users will see a system notification urging them to set up this passcode each time they log in to their machine until they configure it.

To set up an offline MFA profile:

  1. Right-click the Centrify notification icon in the system notification area, and select Setup Offline MFA Profile.
  2. Click Next to begin the Offline Authentication Wizard.
  3. Select one of the following methods to create an authenticator account profile on your mobile device:

    • Scan barcode

      If you select this option, a QR code is displayed for you to scan using your mobile authenticator application. You can use either the Centrify application or a third-party authenticator application.

    • Manual entry

      If you select this option, you must manually enter the displayed account profile information into your authenticator application.

    • Program YubiKey

      If you select this option, you can use a YubiKey as the second form of authentication. You'll then need to select which slot on the YubiKey to use, and whether or not to use YubiKey's touch-to-sign feature.

  4. Enter the passcode that is generated after you have created your authenticator profile. Click Next.
  5. Click Finish to exit the Wizard.

After a user has set up their offline MFA profile, whenever they attempt to log in and the machine cannot connect to the Centrify Identity platform instance, they are prompted for the passcode generated by their authenticator application or YubiKey as the second form of authentication.
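The reason the passcode from step 4 keeps working with no connection is that the wizard and the authenticator app share one secret at enrollment (the value shown under Manual entry) and each side derives the same time-based code from it. The following is an added example of that offline check, not Centrify's own code: it uses the RFC 6238 reference key as a constructed secret, and the one-step clock-skew window is an assumption, not documented agent behaviour.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed example secret in the base32 form an authenticator app accepts
# under "Manual entry". This is the RFC 6238 reference key, not a real profile.
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of 30-second steps since the epoch."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    return hotp(base64.b32decode(padded), at // step, digits)


def verify_offline(secret_b32: str, passcode: str,
                   now: Optional[int] = None, skew_steps: int = 1) -> bool:
    """Offline second-factor check against the locally enrolled secret.

    Accepts the code for the current step and +/- skew_steps neighbours so a
    small clock drift between workstation and phone does not lock the user out.
    The comparison is constant-time so a wrong code leaks no timing information.
    """
    now = int(time.time()) if now is None else now
    for delta in range(-skew_steps, skew_steps + 1):
        candidate = totp(secret_b32, now + delta * 30)
        if hmac.compare_digest(candidate, passcode):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 vector: the 8-digit code at T=59 is 94287082, so 6 digits -> 287082
    print(totp(EXAMPLE_SECRET_B32, 59))
    print(verify_offline(EXAMPLE_SECRET_B32, "287082", now=59))
```

Because the enrolled secret is all the workstation needs to validate a passcode, its on-disk protection matters as much as the user's password hash; the same is true of the profile information entered manually into the app.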

Note: If you have already set up your offline MFA profile and want to reconfigure (override) it, you will be prompted for multi-factor authentication. That profile is set in the MFA Login Policy.