Windows Credential Provider Offline Authentication bypass

Daniele Carlini

Dec 3, 2025, 5:36:19 AM
to RCDevs Security
Hi,
is it possible to bypass the F2A request (QR code) login in offline mode in the same way as in online mode with the parameter f2a_bypass_timer?

Thank you
Daniele

Spyridon Gouliarmis (RCDevs)

Dec 3, 2025, 6:16:02 AM
to RCDevs Security
Hi Daniele,

yes, but that's because f2a_bypass_timer only applies to unlocking an existing session, not creating a new one. There's no difference between offline and online in this case.

Daniele Carlini

Dec 3, 2025, 8:47:32 AM
to RCDevs Security
OK, but in my situation, with offline authentication on Windows, every time I unlock a Windows session I get the request to enter the OTP from the QR code.
The PC is in AD and I set up the Interactive logon: Number of previous logons to cache (in case domain controller is not available).
What else can I check?

Thanks
Daniele

Spyridon Gouliarmis (RCDevs)

Dec 3, 2025, 8:57:01 AM
to RCDevs Security
I assume you're trying to unlock within <f2a_bypass_timer> seconds of opening the sessions (possibly offline, with QR code and everything).

What are the values under HKLM\Software\RCDevs\OpenOTP-CP? (Censor the private bits)

Daniele Carlini

Dec 3, 2025, 9:15:06 AM
to RCDevs Security
[HKEY_LOCAL_MACHINE\SOFTWARE\RCDevs\OpenOTP-CP]
"webadm_url"="https://*"
"watcher_stream_chunk"="131072"
"selfreg_debug_mode"="0"
"check_ldap"="1"
"auto_create"="0"
"auto_create_groups"=""
"proxy_host"=""
"proxy_port"=""
"offline_mode"="1"
"rdp_client_id"=""
"credui_client_id"=""
"local_alias"=""
"filter_credui"="0"
"f2a_bypass_timer"="7200"
"whitelist"="S-1-5-21-*"
"protected_principals"=""
"autocomplete_username"="1"
"account_provider"=""
"v1_bitmap_path"=""
"v2_bitmap_path"=""
"language"=""
"send_watcher"="1"
"selfreg_enabled"="1"
"remoteapp_bypass"=""
"cp_filter_whitelist"=""
"server_url"="https://*:8443/openotp/"
"server_url_2"="https://*:8443/openotp/"
"openotp_options"=""
"login_text"="Work Resources"
"loading_text"=""
"client_id"="PC Test"
"ca_file"="C:\\Program Files\\RCDevs\\OpenOTP Credential Provider\\ca.crt"
"api_key"="*"
"user_settings"=""
"soap_timeout"="30"
"policy"="1"
"login_method"="0"
"debug_mode"="0"
"debug_log_file"=""
"support_info"=""
"authorized_proxies"=""
"cert_file"=""
"cert_password"=""
"watcher_heartbeat"="500"
"watcher_xpath"=""
"watcher_debug_mode"="0"
"watcher_debug_log_file"=""
"watcher_force_lock"=""
"selfreg_debug_log_file"=""


Daniele

Spyridon Gouliarmis (RCDevs)

Dec 3, 2025, 9:36:11 AM
to RCDevs Security
Can you set debug_mode to 4 and check the logs that appear in C:\RCDevs Logs, after trying to unlock a session after 7200 seconds of an offline session opening? Censor them and join them to your answer.

Daniele Carlini

Dec 11, 2025, 2:19:54 AM
to RCDevs Security
Hi, here are the logs in the C:\RCDevs folder

Thanks
Daniele
CP-Logs.txt
CP-LogsFilter.txt

Daniele Carlini

Jan 20, 2026, 4:00:46 AM
to RCDevs Security
Hi, have you seen the logs?

Daniele

Yoann Traut (RCDevs)

Jan 23, 2026, 10:24:30 AM
to RCDevs Security

Hello,

We received feedback that the 2fa_bypass_timer has not been implemented for offline logins.
We have requested this from the development team, and it should be available in the next version of the CP.

Regards
