Thank you for your feedback.
Form temporarily unavailable. Please try again or contact to submit your comments.

Multifactor authentication (MFA)

Log in to subscribe to topics and get notified when content changes.

Multifactor authentication (MFA)

MFA, also known as two-step verification, is a security requirement that asserts a user enter more than one set of credentials to authenticate to an instance.

The basic level of authentication to an instance is local database authentication where a user enters a username and password combination. MFA gives administrators and users the ability to require a second level of authentication where a user must enter a passcode or token in addition to the password. A mobile application on a user mobile device generates the passcode.
  • Users can require MFA for their own login credentials.
  • Administrators can require MFA for any user login credentials or specific roles.

Supported authentication methods

  • You can use MFA in combination with the following authentication methods:
    • Local Database Authentication (native ServiceNow authentication)
    • LDAP integration

Authentication methods that are not supported

  • MFA is not supported in combination with the following authentication methods:
    • SSO SAML
    • SSO Digest

Administrator MFA authentication flow

Note: If a user performs a password change while MFA is enabled on the user profile, the user does not need to enter the authorization code.
  1. The administrator goes to a user profile or role in the instances and initiates MFA.
  2. The instance displays a QR code and a QC code number.
  3. Using a compatible authenticator, scan the QR code with the authenticator, or manually enter the QC code number in the MFA registration screen.
  4. A TOTP code generates and displays within the authenticator application along with your associated ServiceNow instance name and username.
  5. For every subsequent login, enter the TOTP code generated from your authenticator application in the MFA challenge screen that displays after you enter your username and password.
  6. If the challenge is correct, the user authenticates to the instance.
You can also skip the MFA challenge screen and directly logon to the instance:
  1. You can also append your TOTP code to your password from the initial login screen. If your password is 'XXX' and your TOTP code is '123', you can enter 'XXX123' as your password to skip the MFA challenge screen.
  2. If the username, password, and passcode combination are correct, the MFA challenge screen does not appear and the user directly logs into the instance.


Table 1. MFA FAQs
Questions Answers
What if I do not own a smart phone? If you do not have access to a smart phone, you can use the Chrome browser Authy extension to set up and use MFA. Download and add the extension to your Chrome browser. Then, set up an account and master password with the Chrome extension before you set up MFA with the extension.
I use Firefox instead of Chrome. Is there an Authy plug-in for Firefox that I can use? Currently, Firefox does not support the browser-based Authy plug-in. However, you can install the Authy plug-in through the Chrome browser. You can use the Authy app standalone (without using the Chrome browser) for generating the code to use in Firefox to log on to ServiceNow MFA-enabled applications.
Note: After you install Authy, you must select the Multi-Device option from the Devices section.
What if I do not have a smart phone while logging in? After the initial pairing, if you do not have your smart phone available, you can email yourself a code to log in.
Can I enter the code and my password in one login screen instead of two different screens? Yes. After initial setup, you can enter your password followed by the 6-digit code in the first login screen to log in.
What if I must change devices and re-pair or reenter the code into a different mobile device? Go to your user profile in the ServiceNow instance under My Profile and click multi-factor authentication to get access to the code to reenter and pair your device.
What should I do if my authenticator code obtained from Authy is not working on my computer? Update the preference on your computer to set the time automatically to generate the correct code. If you manually set the time on your laptop, a time difference could cause the codes to fail. After you sync the time on your laptop, the app confirms that the time syncs and you can use your verification codes to sign in.
Note: The sync only affects the internal time of your authenticator app and does not change the date and time settings on your device.
Can I turn it off? No, when an administrator enables MFA, a user cannot disable it.

For help or questions with MFA, contact your ServiceNow administrator.