Enterprises use various methods to control access to corporate systems, information, and network resources. Some common access-control methods use a single sign-on process whereby a user is authenticated once and then given access to various systems, information, and network resources without the user having to be authenticated again. Because of the level of access allowed by single sign-on access-control methods, authentication using only simple passwords may inadequately protect corporate systems, information, and network resources. To enhance security, many enterprises have adopted a form of two-factor authentication that requires a user to provide more than one type of authentication credential. For example, a user may be required to provide a knowledge-based factor (e.g., a password or something else the user knows) and a token-based factor (e.g., a one-time password or something else the user has).
Typical methods of two-factor authentication may use a central authentication-service provider to validate at least one authentication credential. A central authentication-service provider may reside within a corporate network and be accessible to client devices connected to the corporate network or be cloud based and accessible to client devices connected to the Internet. For this reason, a client device that implements a typical method of two-factor authentication may need to be connected to a corporate network or the Internet to properly authenticate a user before the user can log into the client device.
When a client device is offline (e.g., not connected to the corporate network, not connected to the Internet, or unable to connect with the central authentication-service provider), some methods of two-factor authentication may allow a user to log into the client device using only authentication credentials that do not need to be validated by the central authentication-service provider. This method of authentication may allow a user to bypass two-factor authentication by allowing the user to disconnect the client device from the central authentication-service provider and to provide less than all authentication credentials.
Another method of two-factor authentication may not allow a user to log into the client device until a connection with the central authentication-service provider can be established. This method may unnecessarily restrict access to the client device, especially if two-factor authentication was implemented as a way to secure corporate resources not accessible to the user while the client device is offline. Accordingly, the instant disclosure addresses a need for systems and methods that manage offline authentication.