It will only be specific to Windows login

I've tested it just now, my steps were: 1) Configure offline token between agent + FAC, then succesfully login with "testuser2" 2) logout, now when I type in the username with exactly this syntax "testuser2", it shows a timestamp 7 days from today. 3) Now I turn off the FAC, and I can still successfully login with my token like normally (except push doesn't work, but that's expected because FAC is down, so manually type 6 digit code). I assume if I wait for 7 days then it will fail the login. Seems like a realistic option in theory, if you ensure that users can access FAC internally and publicly (ie. if you only have FAC accessible internally then if someone does WFH for more than 10 days then offline token will stop working). Just need to make sure timestamps are accurate between machine and FAC. Probably would be something to run for a few weeks on a few willing participant's machines, especially since this affects a users Windows login. SAML might be a good consideration/alternative because it's post login, but caveat is it requires every app that you want to integrate with it to have SAML SP support. It seems a bit cleaner to me though because it doesn't affect login.

Hi, you can check Logging > Log Access > Logs and see if anything shows up while you test. Also try to check that your Windows computer has the same timestamp as the FortiAuthenticator system time.

Not sure as I have not tested that scenario, feel free to try and let us know! Thx!

Take a look at this video kzbin.info/www/bejne/gHfSgYuXiZiAe5I probably best to get comfortable with the Active Directory User + FortiToken association portion of the video I've linked above, then move on to the Windows Login portion.