About the behavior of multi-factor authentication (MFA)

kenta yoshida
Tera Contributor

Hello, I have a question about the behavior of multi-factor authentication (MFA).

The following settings have been made to perform verification for multi-factor authentication (MFA).

The version is the PDI environment of Yokohama.

 

1. Multi-factor authentication > Property

Change the property value to true

2. Multi-factor authentication > Multi-factor criteria

Change role-based multi-factor authentication to active

3. Multi-factor authentication > MFA Context

Activate the policy

 

By default, the Has MFA exempted role policy within the MFA context is set to snc_external.

Therefore, it is expected that users with roles other than this will see a screen to configure multi-factor authentication (MFA) when logging in.

When I tested this in the PDI environment, a user with only the snc_internal role was able to log in without multi-factor authentication (MFA).

 

Are there any other settings required regarding multi-factor authentication (MFA)?

What I ultimately want to do is test that by setting the snc_internal role to the Has MFA exempted role, users with the snc_internal role can be excluded from multi-factor authentication (MFA).

2 REPLIES

Randheer Singh
ServiceNow Employee

Hi @kenta yoshida 
If you have upgraded your instance from a previous version to Yokohama, every user will get a default 30-day relaxation before MFA is enforced. If you want every user to immediately have MFA, you can update the glide.authenticate.multifactor.self_enrolment_period property to 0.

 

For more details, please refer to this FAQ KB.
https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1709783#mcetoc_3b_timeline_ad...

Hi Randheer Singh.
Thank you for answering my question.
Upon checking the PDI environment, the following property was set to 0:
glide.authenticate.multifactor.self_enrolment_period
Do you think there might be other causes?