Use the fail_mode setting in the configuration file to enable offline MFA. This setting can take the following values:

  • restrictive - only online authentication is permitted. If the PingID server cannot be reached, authentication cannot be carried out.
  • passive_offline_authentication - offline authentication is permitted as a backup method if communication cannot be established with the PingID server
  • enforce_offline_authentication - only offline authentication is used
  • permissive - if the PingID server cannot be reached, bypass authentication.
When offline authentication is used, PingID uses information from an encrypted file called .localFallbackDevices in order to generate the twelve-digit number that is shown to the user. The location of this per-user file on the server is specified by the offline_devices_path setting in the configuration file, for example:
offline_devices_path=/home/${username}/.localFallbackDevices
Note: The .localFallbackDevices file is created upon the first successful online authentication with a mobile device. This means that a user can authenticate offline only if they have carried out online authentication at least once.