Skip to main content

Offline registration in disconnected (air-gapped) environments

A disconnected or air-gapped environment does not have a wired or wireless connection to outside networks. Machines and mobile devices do not have access to the Internet, and BYOD devices are not permitted. Yet end users must be able to complete SecureAuth Authenticate app QR code registration while offline.

The following workflow describes how end users can complete QR code registration without a wired or wireless connection.


  • SecureAuth IdP release 9.2 with hotfix 9.2.0-37 or later

  • SecureAuth Authenticate app (all releases supported) on end user mobile device

Air-gapped workflow

End users need to complete QR code enrollment to connect their account to their user profile.

  • End users begin QR code enrollment.

  • The Identity Platform performs all the operations as it would for an online registration until it attempts to register a push token enrollment with the cloud. The push token cannot be enrolled through the QR code when offline.

  • Because the Identity Platform page cannot register the push token enrollment with the cloud, the Identity Platform aborts this path, continues on a different offline path, and communicates the change to the Authenticate app.

  • The Authenticate app does not attempt to enroll the push token; instead, it sends nothing back to the Identity Platform, which causes OATH token enrollment to be completed as normal.

  • The Authenticate app provides the time-based one-time passcode (TOTP) MFA method as an authentication option. The end user selects the option and enters the TOTP from the app to complete enrollment. (TOTP is the only MFA method available in air-gapped environments.)

  • End user enrollment is completed and no further steps are required.