Page created: 10 Nov 2021 |
Page updated: 30 Jan 2022
You can modify the settings in the configuration file to enable offline MFA for situations where the PingID MFA service is unavailable. There is also an option to always use offline MFA even when there are no issues that prevent online MFA.
Use the fail_mode setting in the configuration file to enable offline MFA. This setting can take the following values:
- restrictive - only online authentication is permitted. If the PingID server cannot be reached, authentication cannot be carried out.
- passive_offline_authentication - offline authentication is permitted as a backup method if communication cannot be established with the PingID server
- enforce_offline_authentication - only offline authentication is used
When offline authentication is used, PingID uses information from an encrypted file called .localFallbackDevices in order to generate the twelve-digit number that is shown to the user. The location of this per-user file on the server is specified by the offline_devices_path setting in the configuration file, for example:
Note: The .localFallbackDevices file is created upon the first successful online authentication with a mobile device. This means that a user can authenticate offline only if they have carried out online authentication at least once.