Windows Credential Provider Offline Authentication bypass


Daniele Carlini

Dec 3, 2025, 5:36:19 AM
to RCDevs Security
Hi,
is it possible to bypass the F2A request (QR code) login in offline mode in the same way as in online mode with the parameter f2a_bypass_timer?

Thank you
Daniele

Spyridon Gouliarmis (RCDevs)

Dec 3, 2025, 6:16:02 AM
to RCDevs Security
Hi Daniele,

Yes, but that's because f2a_bypass_timer only applies to unlocking an existing session, not creating a new one. There's no difference between offline and online in this case.

Daniele Carlini

Dec 3, 2025, 8:47:32 AM
to RCDevs Security
OK, but in my situation, with offline authentication on Windows, every time I unlock a Windows session I get the request to enter the OTP from the QR code.
The PC is in AD and I set up the Interactive logon: Number of previous logons to cache (in case domain controller is not available).
What else can I check?

Thanks
Daniele

Spyridon Gouliarmis (RCDevs)

Dec 3, 2025, 8:57:01 AM
to RCDevs Security
I assume you're trying to unlock within <f2a_bypass_timer> seconds of opening the sessions (possibly offline, with QR code and everything).

What are the values under HKLM\Software\RCDevs\OpenOTP-CP? (Censor the private bits)

Daniele Carlini

Dec 3, 2025, 9:15:06 AM
to RCDevs Security
[HKEY_LOCAL_MACHINE\SOFTWARE\RCDevs\OpenOTP-CP]
"webadm_url"="https://*"
"watcher_stream_chunk"="131072"
"selfreg_debug_mode"="0"
"check_ldap"="1"
"auto_create"="0"
"auto_create_groups"=""
"proxy_host"=""
"proxy_port"=""
"offline_mode"="1"
"rdp_client_id"=""
"credui_client_id"=""
"local_alias"=""
"filter_credui"="0"
"f2a_bypass_timer"="7200"
"whitelist"="S-1-5-21-*"
"protected_principals"=""
"autocomplete_username"="1"
"account_provider"=""
"v1_bitmap_path"=""
"v2_bitmap_path"=""
"language"=""
"send_watcher"="1"
"selfreg_enabled"="1"
"remoteapp_bypass"=""
"cp_filter_whitelist"=""
"server_url"="https://*:8443/openotp/"
"server_url_2"="https://*:8443/openotp/"
"openotp_options"=""
"login_text"="Work Resources"
"loading_text"=""
"client_id"="PC Test"
"ca_file"="C:\\Program Files\\RCDevs\\OpenOTP Credential Provider\\ca.crt"
"api_key"="*"
"user_settings"=""
"soap_timeout"="30"
"policy"="1"
"login_method"="0"
"debug_mode"="0"
"debug_log_file"=""
"support_info"=""
"authorized_proxies"=""
"cert_file"=""
"cert_password"=""
"watcher_heartbeat"="500"
"watcher_xpath"=""
"watcher_debug_mode"="0"
"watcher_debug_log_file"=""
"watcher_force_lock"=""
"selfreg_debug_log_file"=""


Daniele

Spyridon Gouliarmis (RCDevs)

Dec 3, 2025, 9:36:11 AM
to RCDevs Security
Can you set debug_mode to 4 and check the logs that appear in C:\RCDevs Logs, after trying to unlock a session after 7200 seconds of an offline session opening? Censor them and join them to your answer.