PingID offline multi-factor authentication (MFA) allows you to authenticate users when the PingID service is unreachable.
PingID runs as a cloud service on the PingOne platform. If your users are unable to connect to PingID, they might be prevented from authenticating into your system.
To reduce your potential downtime, you can configure PingID to allow offline MFA, which activates an alternate second-factor authentication process when the PingID service is unreachable.
- PingID offline MFA when authenticating through PingFederate single sign-on (SSO)
  - If the PingID service is unreachable, after first-factor authentication:
    - The user receives a QR code on an offline authentication screen.
    - After scanning the QR code with their mobile device, the mobile app displays a 6-digit one-time passcode.
    - The user enters the authentication code on the offline authentication screen to complete offline MFA.
- PingID offline MFA when accessing through RADIUS password credential validator (PCV)
  - If the PingID service is unreachable, after first-factor authentication:
    - The user receives a 12-digit security key in the VPN client.
    - The user enters the security key in the PingID app on their mobile device and receives a 6-digit authentication code. The code is valid for one-time use.
    - The user enters the authentication code in the VPN screen and completes offline MFA.
- PingID offline MFA when accessing through Windows login
  - If the PingID service is unreachable, after first-factor authentication:
    - The user is prompted to authenticate using a security key or the PingID mobile app in offline MFA mode (manual authentication).
  - For more information, see Installing the PingID integration for Windows login.
- Offline MFA when using the PingID integration with SSH
  - If the PingID service is unreachable, after first-factor authentication:
    - The user receives a 12-digit security key in the terminal window.
    - The user enters the security key in the PingID app on their mobile device and receives a 6-digit authentication code. The code is valid for one-time use.
    - The user enters the authentication code in the terminal window and completes offline MFA.
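The 12-digit security key and 6-digit code in the RADIUS and SSH flows above form a challenge-response exchange that both sides can compute without reaching the cloud service. The following Python sketch is an added illustration, not PingID's or Ping Identity's code: this page does not document the derivation, so the HMAC-SHA256 construction over a per-device 256-bit secret, the RFC 4226-style truncation, the attempt limit, and all names are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumption: each paired device shares a 256-bit secret with the server,
# stored locally while the user was last online. The derivation below is a
# generic construction, not the product's documented algorithm.

def response_code(device_key: bytes, challenge: str) -> str:
    """Both sides: derive the 6-digit code from the 12-digit challenge."""
    mac = hmac.new(device_key, challenge.encode("ascii"), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F  # RFC 4226-style dynamic truncation
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10**6:06d}"

class OfflineVerifier:
    """Server side: issues challenges and accepts each one at most once."""

    def __init__(self, device_key: bytes, max_attempts: int = 3):
        self._key = device_key
        self._max_attempts = max_attempts
        self._pending = {}  # challenge -> remaining attempts

    def issue(self) -> str:
        """Return a fresh random 12-digit security key to show the user."""
        challenge = f"{secrets.randbelow(10**12):012d}"
        self._pending[challenge] = self._max_attempts
        return challenge

    def verify(self, challenge: str, code: str) -> bool:
        remaining = self._pending.get(challenge, 0)
        if remaining <= 0:
            return False  # unknown, already used, or out of attempts
        expected = response_code(self._key, challenge)
        if hmac.compare_digest(expected.encode(), code.encode()):
            del self._pending[challenge]  # enforce one-time use
            return True
        self._pending[challenge] = remaining - 1  # a 6-digit code needs a guess limit
        return False

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed sample secret
    server = OfflineVerifier(key)
    challenge = server.issue()
    code = response_code(key, challenge)  # what the mobile app would display
    print(challenge, code, server.verify(challenge, code))
    print("replay accepted:", server.verify(challenge, code))
```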
Prerequisites
- PingID mobile app 1.8 or later
- PingFederate 7.3 or later
- PingID Integration Kit 2.0 or later
- A user directory to store user device information from PingID. For more information, see User directory for PingID offline MFA.
- Unlimited Strength Java Cryptography Extension (JCE), which is required to support the 256-bit key size for cryptographic algorithms. Without it, the feature returns an exception related to the missing library and does not function.
- PingID offline MFA is compatible with paired mobile devices.
- Changes to the devices list are updated in the user directory only when the user authenticates online, regardless of the Authentication during errors mode.
- If PingID policy rules have been configured, only device requirements are evaluated when authenticating in offline mode.
- SSO using PingFederate with the PingID adapter: The user must have an active camera on the paired mobile device and grant the PingID app permission to use it, so that the app can scan the QR code.
- VPN using PingID RADIUS PCV: PingID offline MFA does not support RADIUS VPNs with no challenge.
PingID offline MFA setup and configuration
To set up PingID offline MFA, follow the instructions in Installing the PingID Integration Kit for PingFederate, including its optional PingID offline MFA step.
- Configuring offline MFA (PingID Adapter) for SSO using PingFederate with the PingID adapter
- Configuring offline MFA (RADIUS PCV) for RADIUS Server PCV
To enable offline MFA for the PingID integration with SSH, see Enabling offline MFA in SSH integration.
Incremental upgrade
The PingID offline MFA feature supports an incremental upgrade for the following components:
- Mobile app: from version 1.8
- Integration Kit: from version 2.0