ServiceNow ACR user without multi-factor authentication possible?

Roelof Strydom
Tera Contributor

Good day all,

Is it possible to set up an ACR admin user without multi-factor authentication?

The reason for my question is that we are a global operation and I need to set up an account for ACR in the event of SSO failure, but we do not want to link the MFA to a certain user's mobile; I am sure this is understandable.

I did set up MFA on my personal device and it worked as expected. I then tried disabling MFA on the account, but then I am not able to log in via the /side_door.do or /login.do URL; I just get "Username and password is incorrect".

We have a password vault where the user details will be stored and accessible to all the necessary admins, but the issue is with MFA.

Regards


Ian Ma
Tera Expert

Disable ACR and MFA and just have local users. That would be no different to what you are asking.

Hi Ian,

This will unfortunately not be possible as we are using SSO to log in to SN.

My question is more pointed to "IF" I can disable MFA on an ACR user, as we do not want only one user to have access via an authenticator app, if this makes sense. If I am away on holiday and they need to access the ACR account, this will be an issue.

Regards

ACR is not tied to a single phone authenticator or a single user. This bit is confusing and not well articulated in the product doco. In fact, you can set up multiple users with multiple MFA. The only requirement is that the user has to have the administrator role. Give it a try: impersonate an admin user, go to its profile, then click on the enable ACR related link.

Ian Ma
Tera Expert

To answer your question: I don't believe you can disable MFA and continue to use the ACR feature. As I mentioned before, your most probable option is to:

  • Disable ACR & MFA and allow local user login together with SSO.
  • You will of course need to police local account usage yourselves.

There might be some code hack and such, which I'm curious to know as well; however, I think you may have missed out on some information.

  • ACR is not tied to a single user or the user's MFA. In fact, you can have multiple users with multiple MFA configured. See below:


This part is not well articulated in the product doco; it gives the impression that you can only enable one user account as the recovery user. This is not true: you can make any admin user into an ACR user.

Hope it helps.

P.S. If you are sharing an admin account between people, well, I don't know what to say really, but it seems kinda self-defeating since your organisation enforces security practices.