PingID Administration Guide

Enabling offline MFA in SSH integration

You can modify the settings in the configuration file to enable offline MFA for situations where the PingID MFA service is unavailable. There is also an option to always use offline MFA even when there are no issues that prevent online MFA.

Use the fail_mode setting in the configuration file to enable offline MFA. This setting can take the following values:

  • restrictive - only online authentication is permitted. If the PingID server cannot be reached, authentication cannot be carried out.

  • passive_offline_authentication - offline authentication is permitted as a backup method if communication cannot be established with the PingID server.

  • enforce_offline_authentication - only offline authentication is used.

  • permissive - if the PingID server cannot be reached, authentication is bypassed.

When offline authentication is used, PingID uses information from an encrypted file called .localFallbackDevices in order to generate the twelve-digit number that is shown to the user. The location of this per-user file on the server is specified by the offline_devices_path setting in the configuration file, for example:

offline_devices_path=/home/${username}/.localFallbackDevices

The .localFallbackDevices file is created upon the first successful online authentication with a mobile device. This means that a user can authenticate offline only if they have carried out online authentication at least once.
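The following is an added audit script, not part of the PingID product or this guide. It reads a key=value configuration file (the format is assumed from the offline_devices_path example above), flags a fail_mode value that is not one of the four documented ones or that fails open, and, when offline MFA is enabled, lists users whose .localFallbackDevices file does not exist yet, since those users cannot authenticate offline until they complete one online authentication. The user list and the file-existence check are supplied by the caller so the check can run against constructed data.

```python
import os

# The four fail_mode values documented in the guide, with the security
# consequence of each when the PingID server is unreachable.
FAIL_MODES = {
    "restrictive": "fail closed: no authentication without the PingID server",
    "passive_offline_authentication": "offline MFA as a backup when the server is unreachable",
    "enforce_offline_authentication": "offline MFA only",
    "permissive": "FAIL OPEN: authentication is bypassed when the server is unreachable",
}
OFFLINE_MODES = ("passive_offline_authentication", "enforce_offline_authentication")


def parse_config(text):
    """Parse key=value lines (assumed format); blank lines and '#' comments are ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def audit(cfg, users, exists=os.path.isfile):
    """Return a list of findings for the given config and the users to check."""
    findings = []
    mode = cfg.get("fail_mode")
    if mode not in FAIL_MODES:
        findings.append(f"fail_mode '{mode}' is not a documented value")
        return findings
    if mode == "permissive":
        findings.append("fail_mode=permissive bypasses MFA when the server is unreachable")
    if mode in OFFLINE_MODES:
        # Expand the per-user ${username} placeholder exactly as the guide shows it.
        template = cfg.get("offline_devices_path", "")
        for user in users:
            path = template.replace("${username}", user)
            if not exists(path):
                findings.append(f"{user}: no {os.path.basename(path)} yet "
                                "(needs one online authentication first)")
    return findings


# Constructed sample configuration, not a real PingID config file.
SAMPLE_CONFIG = """# constructed sample
fail_mode=passive_offline_authentication
offline_devices_path=/home/${username}/.localFallbackDevices
"""

if __name__ == "__main__":
    present = {"/home/alice/.localFallbackDevices"}  # constructed: only alice has the file
    for finding in audit(parse_config(SAMPLE_CONFIG), ["alice", "bob"], exists=present.__contains__):
        print(finding)
```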