"Local MFA" means that MFA is enforced when users try to sign in using local user accounts.

Login using local user accounts is regarded as offline login. Therefore, enforcing MFA on local users is enforcing offline MFA for local users.


To enable MFA for local users for both online and offline access, edit the "domain_policy.json" file and set the options in its "local\offline\MfaPolicy\" section:

Element      Remark
loginMfa     Boot-up login
uacMfa       Elevated access
unlockMfa    Screen unlock
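The following is an added audit script, not part of the product or this page, that reads a domain_policy.json and reports which of the three local MFA policies above are not enforced. It assumes the section path "local\offline\MfaPolicy\" maps to nested JSON objects and that each option is a boolean; both are assumptions, and the sample file is constructed.

```python
import json

# The three policy options named in the table above, with their remarks.
MFA_POLICY_KEYS = {
    "loginMfa": "boot-up login",
    "uacMfa": "elevated access",
    "unlockMfa": "screen unlock",
}

# Constructed sample domain_policy.json. The nesting local -> offline ->
# MfaPolicy and the boolean values are assumptions, not taken from the page.
# unlockMfa is deliberately missing to exercise the missing-key case.
SAMPLE_POLICY_JSON = """
{
  "local": {
    "offline": {
      "MfaPolicy": {
        "loginMfa": true,
        "uacMfa": false
      }
    }
  }
}
"""


def get_local_mfa_policy(policy: dict) -> dict:
    """Return the local\\offline\\MfaPolicy object, or {} if any level is absent."""
    node = policy
    for key in ("local", "offline", "MfaPolicy"):
        if not isinstance(node, dict) or key not in node:
            return {}
        node = node[key]
    return node if isinstance(node, dict) else {}


def audit_local_mfa(policy_text: str) -> dict:
    """Map each option to True (enforced) or False; a missing key counts as not enforced."""
    mfa = get_local_mfa_policy(json.loads(policy_text))
    return {key: mfa.get(key) is True for key in MFA_POLICY_KEYS}


def report(policy_text: str) -> list:
    """One finding per operation that local accounts can perform without MFA."""
    status = audit_local_mfa(policy_text)
    return [f"{key} ({desc}) is not enforced for local accounts"
            for key, desc in MFA_POLICY_KEYS.items() if not status[key]]


if __name__ == "__main__":
    for finding in report(SAMPLE_POLICY_JSON):
        print(finding)
```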



To set up a token for a local user account, the user must follow the steps below.

First, the user must set up a token for offline MFA for the user's domain account.

To manually create a token for offline login and other operations on a PC, the user must follow the steps below.

First, log in to the PC while the PC is online, using the user's domain account.

Launch a web browser, and navigate to the user console at http://localhost:12845/localTokens

Click the "CREATE TOKEN" button.

Enter a name for your token, such as your user name.

Click the "SAVE" button to save the token.

Now, you need to install the token onto your mobile phone.

Click the context menu icon of the newly created token, and select "QR Code" from the menu.

You can use your TOTP authenticator app, such as Microsoft Authenticator or SafeID Authenticator, to scan the QR code.

After the token has been installed onto your phone, you should test it.

Click the context menu of the token again, and select "Test".

Then, the user needs to share the token with the user's local account.

Click the context menu of the token.

Select "Share".

Select the local account, e.g. "2fa", and click the "CONTINUE" button.

Enter the password of the selected account, and click the "SHARE" button.
