Is An Internet Connection MFA’s Achilles Heel?

By François Amigorena, CEO, IS Decisions

François Amigorena is the founder and CEO of IS Decisions, a global software company specialising in access management and MFA for Microsoft Windows and Active Directory environments. After a career at IBM and a subsidiary of Société Générale, François became an entrepreneur in 1989 and has never looked back.

Global adoption of multi-factor authentication (MFA) stagnated for years until remote work turned the tables on modern network security architecture. Since 2020, the global market for MFA has doubled. More organisations now see value in allocating a budget, often a significant one, to access security.

If organisations are (finally) adopting MFA, it’s usually for one of two reasons. Not only do more regulations and cyber insurance requirements now explicitly mandate MFA, but also media coverage of large data breaches helps IT make the business case that MFA lowers the risk of a costly, reputation-damaging breach.

Underpinning all these drivers is the assumption that MFA is reliable. The business case for MFA crumbles if MFA only works most of the time or under most conditions. But if your MFA doesn’t work offline, that’s exactly what’s happening.

What is Offline MFA?

Offline MFA describes MFA that continues to work even without an internet connection. It’s easy to pass over this on a feature list, but without it the extra security layer your MFA brings has a gaping hole in it.

Why MFA Without Internet is Important

When we talk about technology that needs to work “offline” or “without internet,” we tend to think of high-security environments in government or military settings.

But that mentality needs to shift. We know hackers take advantage of circumstances when they’re more likely to evade detection — which is the case in offline scenarios. And offline access to your network probably happens more often than you think. Here are a few examples:

Power Outages

Blackouts happen. Sometimes it’s a storm, sometimes construction next door cuts the cable, and sometimes there’s a planned outage for maintenance. Even the tech gods are bound by cause and effect: where there is no power, there is no internet. No internet can also mean no MFA (case in point, a recent widespread power failure led to MFA outages across the U.S.).

In rare cases, hackers can even trigger the blackout themselves, as Russia’s Sandworm intelligence unit has done multiple times in Ukraine over the past decade.

Internet Connectivity Issues

Any organisation can experience the occasional internet glitch. IT also has little control over remote workers’ internet connection, which can range from great to none at all. Or, maybe your users log on from the factory or while on the road, as is often the case in manufacturing and transportation.

Remote Work

Similarly, remote workers almost inevitably log on at some point without an internet connection. They might be traveling, in a remote part of the world, or simply logging in from the corner café. Naturally, access via these vulnerable remote connections is especially important to secure with MFA.

Air-Gapped Environments

While the above circumstances affect every organisation, air-gapped environments are more common in highly regulated industries and critical infrastructure. By definition, an air-gapped network isn’t connected to the outside internet.

But since it’s almost impossible to ensure any environment is 100% air-gapped (cut off) from the outside world, MFA is key to ensuring only the right people have access to the sensitive information in these networks. MFA for an air-gapped network needs to work without an internet connection long-term, not just temporarily.

The Challenge To Ensure Offline MFA

It’s not always easy to cut through marketing speak to find out what MFA solutions are capable of. Here’s a quick checklist of questions to ask:

  • Does authentication take place in the cloud? Authentication via a cloud-based identity provider (IdP) is a clue that you’ll need to ensure your users have an internet connection at least some of the time.
  • Is offline MFA enabled? Many MFA solutions offer offline MFA that isn’t enabled by default and needs to be turned on manually.
  • Is it temporary? Different solutions have different requirements for synchronisation with the IdP, ranging from a few hours to a few weeks.
  • Does the user need to enable it? In many cases, the admin cannot enable offline MFA; the users themselves have to turn it on. Make sure your users know the offline MFA functionality exists and enable it.
  • Is there another MFA method needed for offline mode? Some MFA methods, such as push notifications, require an internet connection. Solutions may offer a backup method for offline scenarios, such as a TOTP code or a security key. Do your users know what to do if they’re prompted for an alternate method of authentication?
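To make the checklist concrete, here is an added example (not IS Decisions’ code or any vendor’s implementation) showing why a TOTP backup method works with no network path to the IdP, and how a bounded offline grace window of the kind described in the “Is it temporary?” question can be enforced. The seed is the RFC 6238 reference secret, and the `verify_offline` policy, its grace window and its return values are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import struct

# Constructed example seed: the RFC 6238 reference secret "12345678901234567890",
# base32-encoded. A real deployment provisions a random per-user seed.
EXAMPLE_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(seed_b32: str, unix_time: int, step: int = 30, digits: int = 8) -> str:
    """RFC 6238 TOTP (HMAC-SHA1). It needs only the shared seed and a clock,
    which is why it keeps working when the device cannot reach the IdP."""
    key = base64.b32decode(seed_b32, casefold=True)
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def verify_offline(seed_b32, code, now, last_idp_sync, max_offline_seconds,
                   step=30, digits=8, drift_steps=1):
    """Hypothetical offline-MFA policy: the locally cached seed is trusted only
    for max_offline_seconds after the last successful sync with the IdP, and a
    code is accepted within +/- drift_steps time steps of the local clock."""
    if now - last_idp_sync > max_offline_seconds:
        return (False, "offline_window_expired")   # user must re-sync online
    for d in range(-drift_steps, drift_steps + 1):
        expected = totp(seed_b32, now + d * step, step, digits)
        if hmac.compare_digest(expected, code):   # constant-time comparison
            return (True, "ok")
    return (False, "bad_code")


if __name__ == "__main__":
    t = 1234567890
    print(totp(EXAMPLE_SEED_B32, t))  # RFC 6238 test vector: 89005924
    # Last sync one hour ago, three-day offline window: accepted.
    print(verify_offline(EXAMPLE_SEED_B32, "89005924", t, t - 3600, 3 * 86400))
    # Last sync a week ago: the cached seed is no longer trusted offline.
    print(verify_offline(EXAMPLE_SEED_B32, "89005924", t, t - 7 * 86400, 3 * 86400))
```

The `drift_steps` tolerance matters for devices that have been offline long enough for their clock to drift; the grace window bounds how long a lost or stolen device keeps working without ever contacting the IdP.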

Offline MFA May Be The Sneakiest MFA Bypass of All

Much ink gets spilled about the perils of MFA bypass attacks. But have we overlooked the sneakiest bypass of them all? No internet, no MFA. Sounds like a hacker’s dream, right? If you’ve decided to invest in MFA, make sure you’re aware of any limitations of offline MFA, and take appropriate actions to close important security gaps.