Pricing  Get Quote

Passwordless authentication

Ensure security for your remote workforce

with offline MFA

Start free trial

What is offline MFA, and why do you need it?

Normally, for MFA to function, users' devices must to be connected to the internet or to the same network as the MFA server to communicate authentication information. But, due to unforeseen conditions, connection to the MFA server can sometimes be severed, taking the user offline. In such cases, bypassing MFA or blocking access are both unwise options.

Offline MFA bridges the gap, allowing you to enforce MFA for your users even when they have no access to the MFA server. This way, your users' offline status does not have to limit your organization's cybersecurity.

Implement offline MFA for Windows logins with ADSelfService Plus

ManageEngine ADSelfService Plus supports offline MFA for Windows machine logins. Admins can configure one or more MFA factors for users to authenticate with. Users need to enroll themselves in the respective authenticators when they are online so that they can perform MFA when they are offline.

  • Authenticators
  • Enrollment and security
  • Disenrollment



Decide whether you want to enable offline MFA in your organization and choose the authentication factors you want to use.

Enrollment and security


Choose between letting your users enroll in offline MFA themselves or automatically enrolling them in offline MFA on a particular device.


Set the number of times a user can perform offline MFA based on the number of attempts or the number of days, after which they have to perform online MFA at least once.



Generate a consolidated report of users who have enrolled in offline MFA, along with timestamps, and disenroll users if needed.


Offline MFA will work in both of the following scenarios:

  • The user has an internet connection but is not connected to the MFA server.
  • The user is not connected to either the internet or the MFA server.

How offline MFA for Windows logins works

How offline MFA for Windows logins works

  • Enabling offline MFA initially prompts users to enroll in the authenticator(s) configured by their admin. This happens during a machine login attempt that is carried out when the user is connected to the ADSelfService Plus server (i.e., when they are online).
  • Admins can give users the choice of enrolling in the offline MFA authenticators on a particular device. Alternatively, admins can make enrollment mandatory for users when they log in.

    Note: Users who choose to skip MFA enrollment will not be able to prove their identities through MFA during login. Based on the admin-enabled configurations, either MFA will be bypassed for them, or they will not be able to access their machines.

  • Once a user has successfully enrolled in offline MFA, the authentication data needed to verify their identity is stored locally on that particular device.
  • Now when the user attempts machine login when they are not connected to the ADSelfService Plus server, they will be able to verify their identity with the enrolled authenticators and access the machine.
  • If you do not want users to log in through offline MFA over an extended period, you can limit the number of offline MFA attempts. Once the limit is reached, the user must connect to ADSelfService Plus and verify their identity at least once.

Online and Offline

Supported authenticators for offline MFA

ADSelfService Plus supports the following authenticators for offline MFA:

  • Google Authenticator
  • Microsoft Authenticator
  • Zoho OneAuth's TOTP authenticator
  • Custom TOTP authenticators

Benefits of offline MFA for Windows logins using ADSelfService Plus


    Ensure the security of your remote and traveling workforce:

    Rest assured that your users' machines are secured with MFA whether they are working remotely or have connectivity issues.


    Track enrollment with predefined reports:

    Generate readable, consolidated reports of users who have enrolled in offline MFA, along with the timestamps, and disenroll users if necessary.


    Enroll multiple devices:

    Allow users to enroll in offline MFA on multiple devices.

Safeguard remote users' machines, even when they are not connected to the network

Get your free trial

ADSelfService Plus also supports


    Adaptive MFA

    Enable context-based MFA with 19 different authentication factors for endpoint and application logins.

    Learn more  

    Enterprise single sign-on

    Allow users to access all enterprise applications with a single, secure authentication flow.

    Learn more  

    Remote work enablement

    Enhance remote work with cached credential updates, secure logins, and mobile password management.

    Learn more  

    Powerful integrations

    Establish an efficient and secure IT environment through integration with SIEM, ITSM, and IAM tools.

    Learn more  

    Enterprise self-service

    Delegate profile updates and group subscriptions to end users and monitor these self-service actions with approval workflows.

    Learn more  

    Zero Trust

    Create a Zero Trust environment with advanced identity verification techniques and render your networks impenetrable to threats.

    Learn more  

ADSelfService Plus trusted by