jlemos
ServiceNow Employee

Since the advent of modern computing platforms, passwords have authenticated users to grant access to protected resources. Because of the limits of human memory or, let's face it, outright apathy toward security controls, people tend to pick easy-to-remember and therefore easily guessable passwords. Lucky for you, ServiceNow's security team has your back. Let's look at how to beef up local authentication on your instance with stronger passwords and multi-factor authentication.

[Image: Multi-factor Authentication]

Enforce Strong Passwords

For customers who use standard local authentication (rather than SSO/SAML or LDAP), ServiceNow provides a number of settings to enforce stronger passwords. You can require a minimum password length and a minimum level of complexity.

The mechanism for this is an installation exit, and ServiceNow ships one that does exactly that. To turn it on:

  1. Navigate to System Definition > Installation Exits.
  2. Click on the Installation Exit ValidatePasswordStronger.
  3. Check the Active checkbox.

Now that the installation exit is enforcing stronger passwords, you may customize its rules. By default it requires a minimum length of 8 characters, including at least one upper-case letter, one lower-case letter, and one digit. To change the length, edit the variable near the top of the script, var min_len=8, to the number of characters appropriate for your organization's security policy.

Enable Multi-Factor Authentication

In the Geneva release, ServiceNow introduced multi-factor authentication (MFA) based on the standard known as time-based one-time passwords (TOTP). With MFA required, a user must enter a username, a password, and a one-time numeric code. Adding a short-lived, mathematically generated code greatly reduces the risk from password guessing and brute forcing, because a guessed or stolen password alone no longer grants access.

The MFA plugin was developed with flexibility in mind: administrators can enable MFA on a per-user basis or target specific privileged users. Any TOTP client will work; the best-known one is Google Authenticator.

To enable multi-factor authentication:

  1. Navigate to System Definition > Plugins.
  2. Click on the Integration - Multifactor Authentication plugin.
  3. Click the Activate/Upgrade link.
  4. Scan the barcode with a TOTP client.
  5. Profit!

Full instructions can be found on the MFA installation page.

Resources

Enforce Strong Passwords

Multi-Factor Authentication
