We would like the option to disable the offline authentication for the Smartphone method. The idea is that if they do not have another method available or Smartphone is not usable (no cell phone connectivity) then they are out of luck.
Furthermore, the Smartphone method seemingly combines two different authentications (the push notification and TOTP -- though separate from the other TOTP method). In the scenario where it is dictated that a push notification is more secure than a TOTP soft token, you cannot stop a person from authenticating via the offline authentication.
This feature has been scoped at 2 weeks.
We would create a new policy for the smartphone method which controls this behavior. Note that when this policy is disabled the user would not be able to perform cached logon via Smartphone.
This will be scheduled for v6.1 or v6.2 based upon timing.