- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎05-12-2025 11:48 PM
Hi everyone, servicenow, is there a function to detect or log the information of the person who logged in using the Authenticator browser extension?
Is there such a module or table?
Solved! Go to Solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎05-13-2025 07:21 AM
Hi @kack l
The sys_user_login_history table has the MFA_enforced column, which can tell you if MFA was used during the login with local/LDAP credentials. Currently, the table does not have information about the MFA method used during the login. We are planning to add the MFA method used column in the Zurich release.
Thanks,
Randheer
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎05-13-2025 05:46 PM
Thanks for your answer, that's great. The customer wants this feature. The sys_user_login_history table has the MFA_enforced column. Is it enforced by the system? Sometimes I don't use MFA authentication and it will show true.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎05-12-2025 11:57 PM
@kack l OOTB, there is no built-in table or function specifically dedicated to tracking users who logged in using the Authenticator browser extension.
BUT
you can detect and log login activity, including MFA usage, via several ways:
1. syslog table - logs login events, including source IPs, user agents, and session starts.
2. sys_user_session table - Useful for seeing who's logged in right now.
3. sys_mfa_transaction Table - Stores each MFA verification attempt.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎05-13-2025 12:00 AM
Thanks for your answers.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎05-12-2025 11:58 PM
Hello @kack l,
In ServiceNow, user login tracking is available through the syslog and syslog_transaction tables, but ServiceNow does not provide native visibility into which authentication method (like a browser extension-based MFA) was used — such as Google Authenticator or Microsoft Authenticator browser extension — out of the box.
What You Can Track in ServiceNow
1. User Login Information
ServiceNow records user login attempts in the following tables:
syslog – General logging (including login events).
syslog_transaction – Details of web transactions.
sys_user_session – Shows current and historical user sessions.
sys_user – The user table (who logged in).
Thanks & regards,
Rohan
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎05-13-2025 12:01 AM
Thanks for your answer. I will confirm
