Multifactor authentication

Multifactor authentication, also known as two-step verification, is a security requirement that a user enter more than one set of credentials to authenticate to an instance.

The basic level of authentication to an instance is local database authentication: the user enters a username and password combination. Multifactor authentication, in contrast, gives administrators and users the ability to require a second level of authentication: the user must enter a passcode or token in addition to the password. A mobile application on the user's mobile device generates the passcode.
  • Users can require multifactor authentication for their own login credentials.
  • Administrators can require multifactor authentication for any user's login credentials.

Multifactor authentication supports only the Google Authentication mechanism as the token provider. Users should install the recommended Google Authenticator application on their mobile devices.

Supported authentication methods

  • You can use multifactor authentication in combination with the following authentication methods:
    • Local Database Authentication (native ServiceNow authentication)
    • SSO with the LDAP integration

Authentication methods that are not supported

  • Multifactor authentication is not supported in combination with the following authentication methods:
    • SSO SAML
    • SSO Digest

Authentication flow

Note: If a user is required to perform a password change while multifactor authentication is enabled on the user profile, the user does not need to enter the authorization code.
  1. The user or administrator goes to a user profile in the instance and initiates multifactor authentication.
  2. The instance displays a QR code and a QC code number.
  3. The user takes a photo of the code with the Google Authenticator application on their mobile device, or manually enters the QC code number in the authenticator application.
  4. A passcode is sent to the user's mobile device.
  5. The user enters the passcode to enable multifactor authentication.
  6. The next time the user tries to log in, the user looks at the Google Authenticator application to get the latest passcode.
  7. The user enters the username and password and appends the passcode to the password.
  8. If the username and password + passcode combination are correct, the user is authenticated to the instance.
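
An added example (not ServiceNow's implementation) of checking the combined value from steps 7 and 8. It assumes the passcode is the 6-digit, 30-second TOTP (RFC 6238, HMAC-SHA1) that Google Authenticator generates by default, that it occupies the last six characters of the submitted string, and that the password is stored as a PBKDF2 hash. The names `verify_login`, `hash_password`, `SAMPLE_USER` and the record layout are hypothetical.

```python
import base64, hashlib, hmac, struct, time

DIGITS, STEP = 6, 30  # Google Authenticator defaults (RFC 6238, HMAC-SHA1)

def totp(secret_b32, at):
    """RFC 6238 passcode for Unix time `at`."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(at) // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def hash_password(password, salt):
    # Assumption: PBKDF2 stands in for whatever the instance really stores.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def verify_login(submitted, user, now=None, drift=1):
    """Check a 'password + passcode' string against a stored user record."""
    now = time.time() if now is None else now
    if len(submitted) <= DIGITS:
        return False
    # Assumption: the passcode is always the trailing DIGITS characters.
    password, passcode = submitted[:-DIGITS], submitted[-DIGITS:]
    if not (passcode.isascii() and passcode.isdigit()):
        return False
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]),
                                user["pw_hash"])
    # Accept the current step and `drift` steps either side for clock skew.
    code_ok = False
    for i in range(-drift, drift + 1):
        code_ok |= hmac.compare_digest(totp(user["secret"], now + i * STEP),
                                       passcode)
    # Both factors are evaluated before answering, so a failure does not
    # reveal which half of the combined string was wrong.
    return pw_ok and code_ok

# Constructed sample user; the secret is the RFC 6238 test key in base32.
SAMPLE_USER = {
    "salt": b"constructed-salt",
    "secret": base64.b32encode(b"12345678901234567890").decode(),
}
SAMPLE_USER["pw_hash"] = hash_password("correct horse", SAMPLE_USER["salt"])
```

Because the passcode is split off by position, a password that itself ends in digits still parses correctly, and a submission with no passcode fails the digit check before any secret is touched.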