MFA, also known as two-step verification, is a security requirement that users enter more than one set of credentials to access an instance.

The basic level of authentication to an instance is local database authentication where a user enters their user name and password. MFA gives administrators and users the ability to require a second level of authentication.

The second level of authentication can be based on the following:

  • A passcode from an authentication app
  • A hardware key
  • A biometric authenticator, such as a fingerprint reader or facial recognition.
  • An SMS or Email

MFA Options

As an administrator, you can set-up MFA for individual users or all the users in a specific role. You can also enable your users to opt and use MFA.

Activation

The Integration - Multifactor Authentication (com.snc.integration.multifactor.authentication) plugin is installed by default on your instance but must be enabled by an administrator using a system property. For details, see Multi-factor authentication system properties.

Note: After cloning an instance, you must re-enable MFA on the cloned instance. For more information, you can refer these KB articles KB0657100, KB0860689,KB0825390, KB0779908, KB0717367, KB0727991.

Supported authentication methods

You can use MFA with the following authentication methods:

Multi-factor authentication set up workflow

Administrator enables multi-factor authentication

The Integration - Multifactor Authentication (com.snc.integration.multifactor.authentication) plugin is activated on your instance by default. To begin using MFA, administrators must enable MFA using a system property. Once enabled, administrators select users or roles that require MFA logins.

For more detail on administrator set up for MFA, see Multi-factor authentication (MFA).

Users log in using an authentication app

The users are prompted to use MFA options for the log in. Users can choose either of the options to complete MFA and if any user has completed the setup using any one factor, they can still go to their profile page and complete the remaining factors setup if they want to.

Web Authentication

Activate Integration - Web Authentication (com.snc.integration.webauthn) to allow hardware key or biometric reader authentication on your instance.


Hardware key icon

Hardware keys are physical hardware that you can use to authenticate. Hardware keys are inserted into a port on your device to provide authentication. For details on registering hardware keys, see Register a hardware security key.


Biometrics icon

Biometric authenticators use fingerprint or facial recognition to identify users. Your users can use these authenticators on their devices as part of the multi-factor login process. For details on registering biometric authenticators, see Register a biometric authenticator.

SMS or Email (One-time password)

To enable users to log in to a ServiceNow instance and smoother experience on the go, MFA is supported with SMS and Email.


SMS

Admin can configure ServiceNow instance to require users who attempt to login the instance using SMS based OTP.

When users attempt to login to ServiceNow, SMS OTP is sent to the mobile number associated with the sys_user record. User's can enter the six-digit verification code that it sent to the mobile device and verify their identity.

For more information, see Multi-factor authentication with SMS.


Email

Admin can configure ServiceNow instance to require users who attempt to login to the instance using Email based OTP.

When users attempt to login to ServiceNow, Email OTP is sent to the email address associated to the user. User's can enter the six-digit verification code that it sent to the email address and verify their identity.

For more information, see Multi-factor authentication with Email.