How to reset MFA

makesh
Tera Contributor

We have encountered a specific scenario where users have already enabled MFA and configured the authenticator apps on their smartphones, but for some reason the app has been deleted from their smartphone or they don't have access to the app.

How can we reset the MFA for the user again as an administrator so that they can reconfigure the MFA with a new phone/app?

Note: We have enabled MFA based on roles, so enabling/disabling individual users is not possible. How can we overcome this limitation?

1 ACCEPTED SOLUTION

Tony DiRienzo
Giga Guru

The user's MFA token is stored in the User Multifactor Authentication (user_multifactor_auth) table.  You can access it using the "User Multi-factor Setup" module in the application navigator, or directly:

https://[your-instance].service-now.com/nav_to.do?uri=user_multifactor_auth_list.do

Find the user's MFA record here.  If you just want them to be able to register the existing token to a new app, set "Validated" to false, and they will be presented with the QR code screen at their next login attempt.  If you want to revoke the old token and give them a completely new token to register with their app, then delete the MFA record for that user and the system will create a new one and present the QR code at their next login attempt.
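
The two reset options described in the accepted solution, scripted as an added example (not part of the original post and not ServiceNow's own code). The field names user and validated are assumptions based on the labels above, and the GlideRecord class is passed in as a parameter so the function can also be exercised outside an instance.

```javascript
// Added example, not from the thread. Run server-side (e.g. Scripts - Background)
// as: resetUserMfa(GlideRecord, '<user sys_id>', 'repair');
// ASSUMPTION: user_multifactor_auth has fields 'user' (reference to sys_user)
// and 'validated' (the "Validated" checkbox). Confirm in your instance.
function resetUserMfa(GlideRecordCtor, userSysId, mode) {
  // 'repair' = keep token, show QR again; 'revoke' = delete token record.
  if (mode !== 'repair' && mode !== 'revoke') {
    throw new Error("mode must be 'repair' or 'revoke'");
  }
  // Refuse anything that is not a sys_id, so an empty value cannot widen the query.
  if (!/^[0-9a-f]{32}$/.test(String(userSysId))) {
    throw new Error('userSysId must be a 32-character hex sys_id');
  }
  var gr = new GlideRecordCtor('user_multifactor_auth');
  // An unknown field name in addQuery can be ignored by the platform, which
  // would match every user's record; stop if the assumed fields are absent.
  if (!gr.isValidField('user') || !gr.isValidField('validated')) {
    throw new Error('assumed field names not found on user_multifactor_auth');
  }
  gr.addQuery('user', userSysId);
  gr.query();
  var touched = [];
  while (gr.next()) {
    touched.push(gr.getUniqueValue());
    if (mode === 'repair') {
      gr.setValue('validated', false);
      gr.update();
    } else {
      gr.deleteRecord();
    }
  }
  // Return the affected record ids so the caller can log them.
  return { user: userSysId, mode: mode, records: touched };
}
```

The returned record ids can be written to the system log or a ticket so that each MFA reset is traceable to the admin who ran it.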


6 REPLIES

Willem
Giga Sage
What if I must change devices and re-pair or reenter the code into a different mobile device? Go to your user profile in the ServiceNow instance under My Profile and click multi-factor authentication to get access to the code to reenter and pair your device.

https://docs.servicenow.com/bundle/orlando-platform-administration/page/integrate/authentication/con...

 

So as an admin you can impersonate and go to the profile of the user:

Like this:

[screenshot]

 

If the user wants to pair again, just click on the "Click to send one-time passcode" link. This will email the user a one-time password that is valid for 10 min. Like this:

[screenshot]

@Willem

The "Multi-factor Authentication" UI action link is not available when you are impersonating.  Please see the condition, specifically this portion at the end:

&& GlideImpersonate().isImpersonating() == false

You would need to change this condition to enable the link while impersonating. (Or, if you don't want to alter that, you could do what I have done in the past: use the browser's JavaScript console to inject and run the showMultiFactorAuthSettings() function from the UI action.)

Ah I did not know that, thank you!

I have marked your other reply helpful. I think if he wants to do it in bulk, that should be the way to go.

If not, just instruct the users to click the link.
