FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
castillog (Staff)
Article Id 409314
Description This article describes troubleshooting steps to follow when offline FortiTokens are not working.
Scope FortiAuthenticator Windows agent.
Solution

The main purpose of the FortiAuthenticator Offline Token is to provide a two-factor authentication (2FA) solution that works even when the user has no network connectivity to the FortiAuthenticator. This is ideal for users who need to authenticate for network access in remote locations or without internet access, allowing them to access their computers and to keep working.

  1. The issue is that the offline tokens are not available:

Screenshot: Offline Tokens None available.PNG

 


  2. The above message 'Offline Tokens: None available' indicates that offline tokens are not available because the token database has not been pushed from the FortiAuthenticator to the Windows machine.
  3. To find out why this database has not been sent to the Windows machine, check the agent logs at: C:\Program Files\Fortinet\FortiAuthenticator Agent\log
  4. In the agent logs, the following lines appear:

 

04,751 [5912| 9|DEBUG] TwoFactorAuthPlugin: Server is presumably offline - validate using offline tokens
2025-09-02 15:34:04,751 [5912| 9|DEBUG] TwoFactorAuthPlugin: Attempting offline validation of OTP: *******
2025-09-02 15:34:04,751 [5912| 9|DEBUG] TwoFactorAuthenticator: Checking for offline tokens: C:\Program Files\Fortinet\FortiAuthenticator Agent\Offline\DOMAIN\USERNAME\134013186178487435.otp
2025-09-02 15:34:04,751 [5912| 9|ERROR] TwoFactorAuthPlugin: AuthenticateUser exception: System.UnauthorizedAccessException: Access denied accessing path 'C:\Program Files\Fortinet\FortiAuthenticator Agent\Offline\DOMAIN\USERNAME\134013186178487435.otp'.

  5. The above error shows that access to the offline token file was denied, which is why the offline tokens are not working.
  6. To fix the issue, do the following:
  • Install the agent on the Windows machine with a user who has administrative privileges.
  • Reconfigure the shared secret on the FortiAuthenticator and the Windows agent.
  • Make sure the shared secret is identical on both devices, as shown in the following images.
  • Make sure the realms are the same in FortiAuthenticator and the Windows agent.


Screenshot: share secrect agent.PNG

Screenshot: share secrect FAC.PNG

 
  7. Make sure that the offline token database is usable on the agent machine:
  • Log in twice on the agent using the user's credentials and the normal FortiToken (push notification, or manually enter the token code).
  • The first login pushes the offline token database from the FortiAuthenticator to the agent.
  • The second login synchronizes the information between FortiAuthenticator and the agent.
  • To verify that offline tokens were synced, go to C:\Program Files\Fortinet\FortiAuthenticator Agent\Offline. There should be a folder named after the realm, and inside it a folder named after the user, which contains the offline tokens.

 

  8. The agent login page will show that offline tokens are available, for 7 days by default; this period can be modified.

 

Screenshot: Offline Tokens available.PNG

 

  9. To test the offline token, interrupt communication between the agent and FortiAuthenticator to force the use of the offline token.
  10. The FortiAuthenticator offline token can then be used without issues.
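As an added diagnostic that is not part of this article or of the FortiAuthenticator agent, the following PowerShell script checks the two places the steps above point to: the Offline\REALM\USER token store (including whether the identity running the script can read the .otp files, which is the access the agent failed on) and the agent log folder, for the offline-validation and access-denied lines. It assumes the default agent install path quoted above; the read test reflects the account running the script, which may differ from the account the agent itself runs under.

```powershell
# Added diagnostic (not Fortinet code): check the offline token store and agent log
$agentRoot   = 'C:\Program Files\Fortinet\FortiAuthenticator Agent'   # default path from the article
$offlineRoot = Join-Path $agentRoot 'Offline'
$logDir      = Join-Path $agentRoot 'log'

# 1. Offline token store: expected layout is Offline\<REALM>\<USER>\*.otp
if (-not (Test-Path $offlineRoot)) {
    Write-Warning "Offline folder missing: $offlineRoot (token database never pushed?)"
} else {
    $otpFiles = Get-ChildItem -Path $offlineRoot -Recurse -Filter '*.otp' -File -ErrorAction SilentlyContinue
    if (-not $otpFiles) {
        Write-Warning "No .otp files under $offlineRoot; log in twice with a normal FortiToken to push and sync the database."
    }
    foreach ($f in $otpFiles) {
        # Realm and user are the two directory levels directly below Offline
        $rel   = $f.FullName.Substring($offlineRoot.Length).TrimStart('\')
        $parts = $rel -split '\\'
        Write-Output ("Realm={0} User={1} File={2}" -f $parts[0], $parts[1], $parts[2])

        # Try to open the file read-only; this is the same kind of access the agent needs
        try   { [IO.File]::OpenRead($f.FullName).Dispose(); $readable = $true }
        catch [UnauthorizedAccessException] { $readable = $false }
        if (-not $readable) {
            Write-Warning "Access denied: $($f.FullName)"
            # Show who is granted what, to compare against the account the agent runs under
            (Get-Acl $f.FullName).Access |
                Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
        }
    }
}

# 2. Agent log: surface the offline-validation attempts and any access-denied errors
Get-ChildItem -Path $logDir -File -ErrorAction SilentlyContinue |
    Select-String -Pattern 'Attempting offline validation|Checking for offline tokens|UnauthorizedAccessException' |
    ForEach-Object { '{0}:{1}: {2}' -f $_.Filename, $_.LineNumber, $_.Line.Trim() }
```

Run it from an elevated PowerShell prompt so that the folder listing itself is not blocked; an empty store combined with 'Checking for offline tokens' lines in the log points at a push/sync problem, while an access-denied result on an existing .otp file points at the permission issue described in step 5.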

 

Related documents:

Offline token configuration

FortiAuthenticator offline authentication token issue

Technical Tip: How to download FortiAuthenticator Agent log for Microsoft Windows