Configuring MFA, supported methods, and workflow
-
- UpdatedAug 3, 2023
- 4 minutes to read
- Vancouver
- Platform Security
MFA, also known as two-step verification, is a security requirement that users enter more than one set of credentials to access an instance.
- A passcode from an authentication app
- A hardware key
- A biometric authenticator, such as a fingerprint reader or facial recognition.
- An SMS or Email
As an administrator, you can require MFA for individual users or all users in a specific role. You can also enable your users to opt in and use MFA.
Activation
The Integration - Multifactor Authentication (com.snc.integration.multifactor.authentication) plugin is installed by default on your instance but must be enabled by an administrator using a system property. For details, see Multi-factor authentication system properties.
Supported authentication methods
You can use MFA with the following authentication methods:
- Local Database Authentication (native ServiceNow authentication)
- LDAP integration
- SSO SAML
- SSO OIDC
Multi-factor authentication set up workflow
- Administrator enables multi-factor authentication
The Integration - Multifactor Authentication (com.snc.integration.multifactor.authentication) plugin is activated on your instance by default. To begin using MFA, administrators must enable MFA using a system property. Once enabled, administrators select users or roles that require MFA logins.
For more detail on administrator set up for MFA, see Multi-factor authentication (MFA).
- Users log in using an authentication app
Your users are prompted to use an authenticator app the first time they log in. This step is necessary even if your users are going to use biometrics or a hardware key. Users logging in see a QR code that they can scan to quickly set up an authenticator app. This initial login process is detailed in Setup multi-factor authentication on your user profile.
Authentication apps are available as mobile applications. Some authentication apps are available as extensions for desktop browsers for users who do not have access to a mobile device.
- After initial log in, users may configure additional authenticators
After the initial log in, users can register hardware keys or biometric authenticators.
For details on these and other user-side configurations for MFA, see Using multi-factor authentication (MFA).
Web Authentication
Activate Integration - Web Authentication (com.snc.integration.webauthn) to allow hardware key or biometric reader authentication on your instance.
 |
Hardware keys are physical hardware that you can use to authenticate. Hardware keys are inserted into a port on your device to provide authentication. For details on registering hardware keys, see Register a hardware security key. |
 |
Biometric authenticators use fingerprint or facial recognition to identify users. Your users can use these authenticators on their devices as part of the multi-factor login process. For details on registering biometric authenticators, see Register a biometric authenticator. |
SMS or Email (One-time password)
To enable users to log in to a ServiceNow instance and smoother experience on the go, MFA is supported with SMS and Email.
 |
Admin can configure ServiceNow instance to require users who attempt to login the instance using SMS based OTP. When users attempt to login to ServiceNow, SMS OTP is sent to the mobile number associated with the sys_user record. User's can enter the six-digit verification code that it sent to the mobile device and verify their identity. For more information, see Multi-factor authentication with SMS. |
 |
Admin can configure ServiceNow instance to require users who attempt to login to the instance using Email based OTP. When users attempt to login to ServiceNow, Email OTP is sent to the email address associated to the user. User's can enter the six-digit verification code that it sent to the email address and verify their identity. For more information, see Multi-factor authentication with Email. |