What is the best way to accomplish shared MFA with the ServiceNow admin account?
‎07-22-2022 07:51 AM
We have a requirement that MFA be enabled on local accounts, and this includes the primary admin account (System Administrator).
The issue I expect we'll run into is that one person will have to register MFA with their authenticator app, thus becoming the "keyholder" for that account. This would force us to reach out to that person to get the code.
I'm wondering if anyone has any experience/recommendations when it comes to doing shared MFA, or a better alternative?
‎07-22-2022 08:13 AM
Hi
I absolutely cannot recommend that. You are asking about MFA, but what about the password? Isn't it also needed?
In my company we look after many instances belonging to different customers, so we thought it would be a good idea to store the sysadmin password in a central key database. But after a security audit we had to give up that idea. Sharing credentials with other persons is absolutely not allowed, and thus any question regarding MFA is moot. A sysadmin account is bound to ONE person, and not more.
If you need several admin accounts in your instance then create these accounts.
Kind regards
Maik
‎07-22-2022 09:38 AM
Thanks for the response, Maik.
You make some good points. This would involve credential sharing, which is a security issue in itself and would therefore raise compliance flags.
I was mainly operating under the constraint of limiting local accounts as much as possible, but it seems like a necessity to have a local admin account for each person that requires it.
This would be for cases where we can't access SSO, and need an alternative.
‎07-24-2022 10:29 PM
Hi Jon,
The sys admin account should only be used in case all other things fail, or as the account that scheduled jobs, flows, etc. run under.
In case the password isn't known, you can reset it through NowSupport (as was stated: sharing credentials is not done). And since the account isn't used to access the instance for development, MFA shouldn't be necessary on that account (nobody knows the password). In case you do need one person to have access to those credentials, you could also check whether an email can be triggered instead of using an app or something like that. The MFA code is emailed; if you make sure the sys admin account has an email address the user can access, you're set.
If my answer helped you in any way, please mark it as helpful.
Mark