Locked out of your Mac by Duo Push when the network's down?
When your Cisco Duo-protected Mac locks you out because internet access is down, this is how to enable offline OTP authentication.
Before we start...
I have no idea why anyone else would ever need to do this or would find it useful, unless, like me, (1) you own the Mac in question, and (2) you are the person who put Duo Push logon on it, either because, like me, you are paranoid, or because you followed my other blog post:
What this is for:
For when your Mac is protected by Cisco Duo MFA and you're locked out because of network connectivity issues. This tutorial walks you through enabling offline OTP authentication.
What you will need:
This procedure requires physical access to the Mac and 2 sets of credentials:
1. Administrator username and password, and
2. FileVault encryption password.
You'll also need the OTP device (such as Google Authenticator or Duo Mobile) that you (or the user) registered with Duo, in order to generate offline codes.
Step 1: Boot into Recovery Mode
Power off your Mac completely. On an M-series (Apple silicon) Mac, press and hold the power button until "Loading startup options" appears, then click "Options". On an Intel Mac, power on and hold Cmd+R until the Apple logo shows up.
When prompted, select an administrator account and enter its password to proceed.
Step 2: Disable System Integrity Protection
Open Terminal from the Utilities menu at the top of the screen and run:
csrutil disable
The system will display a confirmation message that SIP has been disabled. If prompted, reboot and get back into the Recovery Mode Terminal.
Step 3: Identify and Mount System Volumes
List all available volumes by running:
diskutil list
Look through the output to identify your system’s data volume, typically labeled Data with format APFS Volume. Note the disk identifier (it will look like /dev/disk3s5 or similar).
Unlock and mount that data volume using these commands, replacing diskXsY with your actual disk identifier:
diskutil apfs unlockVolume /dev/diskXsY
Enter your FileVault password when prompted. Then mount the volume:
diskutil mount /dev/diskXsY
Step 4: Modify Duo Configuration
Navigate to the Duo configuration directory:
cd /Volumes/Data/private/var/root/Library/Preferences/
Modify the Duo configuration file to enable fail-open mode:
plutil -replace fail_open -bool true com.duosecurity.maclogon.plist
This command changes the fail_open parameter to true, allowing the system to fall back to offline OTP verification when Duo Push is unavailable.
Step 5: Re-enable System Integrity Protection
Re-enable SIP immediately with:
csrutil enable
and then verify with:
csrutil status
Step 6: Reboot and Authenticate
Restart the system and at the login screen, enter your password as usual. When prompted for second-factor authentication, you should now be able to use your OTP code from your authenticator app instead of waiting for a push notification.
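As an added example (this is my own helper, not part of the original procedure above and not Duo's or Apple's code), here is a small POSIX shell script that covers Steps 3 to 5 with checks a practitioner would want: it picks the Data volume identifier out of `diskutil list` output (handling both a volume named "Data" and the "Macintosh HD - Data" naming used on some macOS versions, which goes slightly beyond the single case in the text), prints the exact commands it is about to run, and confirms both the plist change and the SIP status before you reboot. The `diskutil`, `plutil -p` and `csrutil status` output embedded below is constructed sample text; `DUO_PLIST` is the path the post uses, and the `--run` flag is my own convention so the script can be read and checked without touching any disk.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for Steps 3-5, intended
# for the Recovery Mode Terminal. Run with --run to actually execute them.

# Path used by the post (assumption carried over from the text, not verified here).
DUO_PLIST=/Volumes/Data/private/var/root/Library/Preferences/com.duosecurity.maclogon.plist

# find_data_volume: reads `diskutil list` text on stdin and prints the identifier
# (e.g. disk3s5) of the APFS Volume whose NAME ends in "Data". Containers and
# snapshots are skipped. Returns 1 and prints nothing if no such volume exists.
# Field layout of a volume row: "N:  APFS Volume <name...> <size> <unit> <identifier>",
# so the last word of the name is always $(NF-3).
find_data_volume() {
    awk '$1 ~ /^[0-9]+:$/ && $2 == "APFS" && $3 == "Volume" && $(NF-3) == "Data" {
             print $NF; found = 1; exit
         }
         END { exit !found }'
}

# verify_fail_open: reads `plutil -p FILE` output on stdin; succeeds only when
# fail_open is true (plutil -p prints booleans as 1 / 0).
verify_fail_open() {
    grep -q '"fail_open" => 1$'
}

# sip_enabled: reads `csrutil status` output on stdin; succeeds when SIP is on.
sip_enabled() {
    grep -q 'status: enabled'
}

# Constructed sample output, used for the self-check below (not real disk data).
SAMPLE_DISKUTIL='/dev/disk3 (synthesized):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      APFS Container Scheme -                      +494.4 GB   disk3
   1:                APFS Volume Macintosh HD            15.2 GB    disk3s1
   2:              APFS Snapshot com.apple.os.update-msu 15.2 GB    disk3s1s1
   3:                APFS Volume Preboot                 400.0 MB   disk3s2
   4:                APFS Volume Recovery                800.0 MB   disk3s3
   5:                APFS Volume Macintosh HD - Data     250.0 GB   disk3s5
   6:                APFS Volume VM                      20.5 KB    disk3s6'
SAMPLE_PLUTIL='{
  "fail_open" => 1
  "host" => "api-XXXXXXXX.duosecurity.com"
}'
SAMPLE_CSRUTIL='System Integrity Protection status: enabled.'

# self_check: runs the parsers over the constructed samples and prints the
# identifier they agree on. Exit status is non-zero if any check fails.
self_check() {
    id=$(printf '%s\n' "$SAMPLE_DISKUTIL" | find_data_volume) || return 1
    printf '%s\n' "$SAMPLE_PLUTIL" | verify_fail_open || return 1
    printf '%s\n' "$SAMPLE_CSRUTIL" | sip_enabled || return 1
    printf '%s\n' "$id"
}

if [ "${1:-}" = "--run" ] && command -v diskutil >/dev/null 2>&1; then
    vol=$(diskutil list | find_data_volume) \
        || { echo "no APFS Data volume found in diskutil list" >&2; exit 1; }
    echo "Data volume: /dev/$vol"
    diskutil apfs unlockVolume "/dev/$vol"     # prompts for the FileVault password
    diskutil mount "/dev/$vol"
    plutil -replace fail_open -bool true "$DUO_PLIST"
    plutil -p "$DUO_PLIST" | verify_fail_open \
        || { echo "fail_open is not true; inspect $DUO_PLIST" >&2; exit 1; }
    echo "fail_open is now true"
    csrutil enable
    csrutil status | sip_enabled \
        || { echo "SIP still reports disabled; do not reboot yet" >&2; exit 1; }
    echo "SIP re-enabled; reboot and sign in with your OTP code"
else
    self_check
fi
```

Without `--run` the script only exercises the parsers against the embedded sample text and prints `disk3s5`, which is a cheap way to sanity-check the awk field logic on your own `diskutil list` output before trusting it in Recovery Mode: paste that output into `SAMPLE_DISKUTIL` and confirm the identifier it prints is the one you see labelled Data.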