Enabling offline MFA in SSH integration
You can modify the settings in the configuration file to enable offline MFA for situations where the PingID MFA service is unavailable. There is also an option to always use offline MFA even when there are no issues that prevent online MFA.
Use the fail_mode setting in the configuration file to enable offline MFA. This setting can take the following values:
- restrictive - only online authentication is permitted. If the PingID server cannot be reached, authentication cannot be carried out.
- passive_offline_authentication - offline authentication is permitted as a backup method if communication cannot be established with the PingID server.
- enforce_offline_authentication - only offline authentication is used.
- permissive - if the PingID server cannot be reached, bypass authentication.
When offline authentication is used, PingID uses information from an encrypted file called .localFallbackDevices in order to generate the twelve-digit number that is shown to the user. The location of this per-user file on the server is specified by the offline_devices_path setting in the configuration file, for example:
offline_devices_path=/home/${username}/.localFallbackDevices
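The following is an added example, not part of the PingID documentation: a Python check that reads the fail_mode and offline_devices_path settings described above and reports a fail-open mode, an unknown mode, or an offline mode with no per-user device file. The `#` comment handling, the sample file contents and the user names are assumptions made for the example.

```python
import os

# fail_mode values listed on this page and what each does when PingID is unreachable.
FAIL_MODES = {
    "restrictive": "fail-closed",
    "passive_offline_authentication": "offline-fallback",
    "enforce_offline_authentication": "offline-only",
    "permissive": "fail-open",
}
OFFLINE_MODES = {"passive_offline_authentication", "enforce_offline_authentication"}

# Constructed sample configuration text (not taken from a real server).
SAMPLE = (
    "# constructed sample\n"
    "fail_mode=passive_offline_authentication\n"
    "offline_devices_path=/home/${username}/.localFallbackDevices\n"
)

def parse_settings(text):
    """Parse key=value lines; blank lines and '#' comments (assumed syntax) are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings

def audit(text, usernames, exists=os.path.isfile):
    """Return a list of findings for the given configuration text and user names."""
    settings = parse_settings(text)
    mode = settings.get("fail_mode")
    if mode not in FAIL_MODES:
        return [f"fail_mode={mode!r} is not one of {sorted(FAIL_MODES)}"]
    findings = []
    if FAIL_MODES[mode] == "fail-open":
        findings.append("fail_mode=permissive: authentication is bypassed "
                        "when the PingID server cannot be reached")
    if mode in OFFLINE_MODES:
        template = settings.get("offline_devices_path")
        if not template:
            findings.append(f"fail_mode={mode} but offline_devices_path is not set")
        else:
            for user in usernames:
                # Expand the ${username} placeholder shown in the page's example path.
                path = template.replace("${username}", user)
                if not exists(path):
                    findings.append(f"{user}: no offline device file at {path}")
    return findings
```

Call `audit()` with the text of the configuration file and the accounts that log in over SSH; an empty list means none of these three conditions was found.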
The |