This SSSD offline functionality is intended to increase performance by not contacting the IdM server all the time. I wonder if the timeout can not only be set to some seconds but also to go offline with the client.
The same blog post also talks about OTP multistep prompting. But when going offline you do not want to decrease security by just requiring the first factor. This is why privacyIDEA provides the hashed OTP values to the client to be able to authenticate with two factors while offline.
Admittedly, going online again is a bit tricky, since the concept of resynchronizing the offline client with the authentication backend also contains possible attack vectors.
I am curious how SSSD will face this problem.
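As an added illustration of the offline two-factor idea described in the comment above (not the commenter's code and not privacyIDEA's actual implementation): the server hands the client salted hashes of PIN+HOTP for the next few counter values, the client verifies against those hashes and burns each matched entry so a captured code cannot be replayed. The HOTP tokens, PBKDF2 hashing, the `prepare_offline_bundle` and `verify_offline` names and the iteration count are assumptions for this sketch.

```python
import hashlib
import hmac
import os
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def hash_entry(pin: str, otp: str, salt: bytes) -> bytes:
    # Hash PIN and OTP together: the cached value is useless without both factors.
    # Iteration count is an arbitrary choice for this example.
    return hashlib.pbkdf2_hmac("sha256", (pin + otp).encode(), salt, 20_000)

def prepare_offline_bundle(secret: bytes, pin: str, start_counter: int, count: int) -> list:
    """Hypothetical server side: give the client salted hashes of the next `count`
    PIN+OTP values. The token secret itself never leaves the server."""
    bundle = []
    for counter in range(start_counter, start_counter + count):
        salt = os.urandom(16)
        bundle.append({"counter": counter, "salt": salt,
                       "hash": hash_entry(pin, hotp(secret, counter), salt)})
    return bundle

def verify_offline(bundle: list, pin: str, otp: str) -> bool:
    """Hypothetical client side: accept PIN+OTP only if it matches an unused cached
    hash. On success, drop the matched entry and every earlier one, so neither a
    replayed code nor a skipped older code can be used again while offline."""
    for index, entry in enumerate(bundle):
        candidate = hash_entry(pin, otp, entry["salt"])
        if hmac.compare_digest(candidate, entry["hash"]):
            del bundle[:index + 1]
            return True
    return False

if __name__ == "__main__":
    seed = b"constructed-example-seed"   # constructed sample secret, not a real token
    cache = prepare_offline_bundle(seed, "1234", 0, 5)
    print("offline login:", verify_offline(cache, "1234", hotp(seed, 2)))
    print("replay of same code:", verify_offline(cache, "1234", hotp(seed, 2)))
    print("remaining cached values:", len(cache))
```

The shrinking `cache` is exactly the state that has to be reconciled with the backend on reconnect, which is where the resynchronization concern raised above comes in.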