Duo Offline - Enrollment
The offline seed database resides on the gateway’s local disk. If an attacker compromises the gateway (e.g., a stolen laptop running Duo Windows Logon), they can extract the encrypted seed file and attempt offline brute force against the encryption key.
Duo Offline Enrollment is not necessary for every user, but it is critical for specific workflows:
Hardware Security Modules (HSMs) or TPM binding for the seed database. Avoid storing offline seeds on end-user laptops unless absolutely necessary.
The user’s phone and the gateway now share a time-synchronized (or counter-based) symmetric key.
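To make the counter-based case concrete, the sketch below is an added example, not Duo's code: it assumes the shared key is used as an RFC 4226 HOTP seed and shows a gateway verifying a phone-generated code with no server involved. `OfflineVerifier`, `SAMPLE_SEED` and the look-ahead window of 3 are hypothetical names and values chosen for illustration.

```python
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class OfflineVerifier:
    """Hypothetical gateway-side state: the shared seed and the next unused counter.

    Anyone who recovers `seed` from the gateway's disk can compute every
    future code, which is why the seed store needs hardware-backed protection.
    """

    def __init__(self, seed: bytes, counter: int = 0, window: int = 3):
        self.seed = seed
        self.counter = counter  # lowest counter value still acceptable
        self.window = window    # look-ahead for codes generated but never submitted

    def verify(self, code: str) -> bool:
        for candidate in range(self.counter, self.counter + self.window + 1):
            expected = hotp(self.seed, candidate).encode()
            if hmac.compare_digest(expected, code.encode()):
                # Advance past the match so this code and all earlier ones are dead.
                self.counter = candidate + 1
                return True
        return False


# Constructed sample: the published RFC 4226 test seed, not a real enrollment secret.
SAMPLE_SEED = b"12345678901234567890"

if __name__ == "__main__":
    gateway = OfflineVerifier(SAMPLE_SEED)
    phone_counter = 2  # the phone generated two codes the gateway never saw
    code = hotp(SAMPLE_SEED, phone_counter)
    print("phone code:", code)
    print("accepted:", gateway.verify(code))
    print("replay accepted:", gateway.verify(code))
    print("gateway counter now:", gateway.counter)
```

The gateway's stored counter must be persisted together with the seed; if it can be rolled back on disk, previously used codes become valid again.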