---
title: Enabling offline MFA in SSH integration
description: You can modify the settings in the configuration file to enable offline MFA for situations where the PingID MFA service is unavailable. There is also an option to always use offline MFA even when there are no issues that prevent online MFA.
component: pingid
page_id: pingid:pingid_integrations:pid_enabling_offline_mfa_in_ssh_integration
canonical_url: http://docs.pingidentity.com/pingid/pingid_integrations/pid_enabling_offline_mfa_in_ssh_integration.html
revdate: April 10, 2024
---

# Enabling offline MFA in SSH integration

You can modify the settings in the configuration file to enable offline MFA for situations where the PingID MFA service is unavailable. There is also an option to always use offline MFA even when there are no issues that prevent online MFA.

Use the *fail\_mode* setting in the configuration file to enable offline MFA. This setting can take the following values:

* *restrictive* - only online authentication is permitted. If the PingID server cannot be reached, authentication cannot be carried out.

* *passive\_offline\_authentication* - offline authentication is permitted as a backup method if communication cannot be established with the PingID server

* *enforce\_offline\_authentication* - only offline authentication is used

* *permissive* - if the PingID server cannot be reached, bypass authentication.

When offline authentication is used, PingID uses information from an encrypted file called `.localFallbackDevices` in order to generate the twelve-digit number that is shown to the user. The location of this per-user file on the server is specified by the *offline\_devices\_path* setting in the configuration file, for example:

```
offline_devices_path=/home/${username}/.localFallbackDevices
```

|   |                                                                                                                                                                                                                                      |
| - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
|   | The `.localFallbackDevices` file is created upon the first successful online authentication with a mobile device. This means that a user can authenticate offline only if they have carried out online authentication at least once. |