Enterprise Connect

Offline OTP enrollment

The Offline OTP (TOTP/OATH) option enables users to authenticate to Windows when they are not connected to a network.

Use Offline OTP must be enabled during the MSI Updater client configuration, otherwise, the end user will not be able to enroll in Offline OTP.

User to enable Offline OTP
  1. The invitation QR code is initiated and presented to the end user after the first successful login (either push, SMS, or email).

    Offline QR code pop up post first login

    The screens presented correspond to the OTP journey, as described in Example OTP journey and configured in MSI Updater ForgeRock tab.

  2. Using the ForgeRock Authenticator application, scan the invitation QR code.

    When the end user scans the QR code, an offline account is created in the ForgeRock Authenticator application.
    ForgeRock Authenticator application showing offline account created
  3. Tap the offline account to view the six-digit code.

  4. Enter the code in the field below the QR code and click Verify Code.

Offline mode will be enabled following the next online login. To verify that the system is ready and offline mode is enabled, it is recommended to sign out and login again.

Reset Offline OTP process

In the event that an end user loses their phone or needs to have their Offline OTP reset, as an administrator, follow the below steps:

  1. Go to the appropriate directory of registry keys as described in Windows Workstation Authentication registry keys.

  2. Select the WCP directory.

  3. On this page, there are two registry keys with the names prefixed with the user’s username:

    1. username:lastOnlineLogin

    2. usernameOTPS

      There can be multiple sets of these keys if there are multiple users on the same workstation, and they have enrolled in Offline OTP.

  4. Delete these two keys.

  5. If the end user has the previous OTP profile on their ForgeRock Authenticator application, they must delete the profile.

  6. Upon the next successful initial login to their Windows machine, the end user will be re-prompted to enroll in the Offline OTP process, as described in Offline OTP enrollment.

Copyright © 2010-2022 ForgeRock, all rights reserved.