MFA login page and user lock

Puneet Hegde1
Tera Guru

Dear All,
I'm currently setting up MFA in the instance. We need to make sure the user has only 3 failed login attempts before locking his profile.
What I'm thinking: create a field (type integer) with a default value of 3. After every failed attempt I will reduce it by 1, and if the user succeeds before it reaches 3, reset it to the original value; then perform other tasks like locking out the user and forcing the user to log in with an error popup telling them to contact the support team with the relevant information.

Issue: as we are not using SSO, does anyone know how we can capture a failed MFA verification attempt? @mfa @Servicenow

I'm open to ideas, and thank you for the help in advance.


Thank you,
Puneet

1 ACCEPTED SOLUTION

Hi @Puneet Hegde1 

 

Okay. As per my knowledge, this property applies to MFA failures as well; please check that first. I mean, if you enter the wrong MFA OTP 5 times in a row, your user account gets locked out, and it gets unlocked automatically after the number of minutes mentioned in the property. This is available OOB and should work as per your property configuration. I think this is what you are also looking for.

      However, if you want to go for your own implementation: once the user's MFA validation fails, there is a failure event raised afterwards which you can read and use as a trigger to execute your own script action as per your use case.
      Events which are raised after MFA validation failure: 'multifactor.auth.token.validation.failed' and 'login.failed'. 'login.failed' is a common event which is raised if the username/password login fails as well as when MFA validation fails, but 'multifactor.auth.token.validation.failed' is only raised on MFA validation failure.

Hope this helps!

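Added example, not ServiceNow's code and not from either poster: the counting and locking policy that a custom script action subscribed to 'multifactor.auth.token.validation.failed' would apply, written as plain Node.js so it can be run and tested outside the instance. It implements the counter the question sketches (allowance of 3, decrement per MFA failure, reset on success, lock at zero, timed auto-unlock like the OOB property) and shows why 'login.failed' must not be counted by the same handler: the accepted answer says it is raised alongside every MFA failure, so counting both would double-count. The two event names are the ones the answer cites; the success event name `login.succeeded`, the user identifier passed in, the timings and the GlideRecord persistence (omitted here, the `users` Map stands in for sys_user fields) are assumptions of this example.

```javascript
// Added example (not ServiceNow's code): MFA-failure lockout policy.
// Real event names from the thread; everything else is assumed for the demo.
const MFA_FAILED = 'multifactor.auth.token.validation.failed';
const LOGIN_FAILED = 'login.failed';
const LOGIN_SUCCESS = 'login.succeeded'; // assumed name for a successful-login event

class MfaLockoutPolicy {
  // maxAttempts: failures allowed before the lock (3 per the question)
  // unlockAfterMs: auto-unlock window, mirroring the OOB minutes-based unlock
  // now: injectable clock so the behaviour can be tested deterministically
  constructor({ maxAttempts = 3, unlockAfterMs = 15 * 60 * 1000, now = () => Date.now() } = {}) {
    this.maxAttempts = maxAttempts;
    this.unlockAfterMs = unlockAfterMs;
    this.now = now;
    this.users = new Map(); // userId -> { remaining, lockedUntil } (stand-in for sys_user fields)
  }

  _record(userId) {
    if (!this.users.has(userId)) {
      this.users.set(userId, { remaining: this.maxAttempts, lockedUntil: null });
    }
    const rec = this.users.get(userId);
    // A lapsed lock is cleared and the full allowance restored, like the OOB timer.
    if (rec.lockedUntil !== null && this.now() >= rec.lockedUntil) {
      rec.lockedUntil = null;
      rec.remaining = this.maxAttempts;
    }
    return rec;
  }

  isLocked(userId) {
    return this._record(userId).lockedUntil !== null;
  }

  // Called once per sysevent; returns what the script action decided.
  handleEvent({ name, userId }) {
    const rec = this._record(userId);
    switch (name) {
      case MFA_FAILED: {
        if (rec.lockedUntil !== null) {
          return { action: 'already_locked', remaining: 0 };
        }
        rec.remaining -= 1;
        if (rec.remaining <= 0) {
          rec.remaining = 0;
          rec.lockedUntil = this.now() + this.unlockAfterMs;
          return { action: 'locked', remaining: 0 };
        }
        return { action: 'counted', remaining: rec.remaining };
      }
      case LOGIN_FAILED:
        // Raised for password failures AND alongside every MFA failure; counting
        // it here would double-count, so leave it to the OOB
        // glide.user.max_unlock_attempts handling.
        return { action: 'ignored', remaining: rec.remaining };
      case LOGIN_SUCCESS:
        rec.remaining = this.maxAttempts;
        return { action: 'reset', remaining: rec.remaining };
      default:
        return { action: 'ignored', remaining: rec.remaining };
    }
  }

  // Text for the error popup the question wants to show a locked-out user.
  lockoutMessage(userId) {
    const rec = this._record(userId);
    if (rec.lockedUntil === null) return null;
    const minutes = Math.ceil((rec.lockedUntil - this.now()) / 60000);
    return `Account ${userId} is locked after ${this.maxAttempts} failed MFA attempts. ` +
      `Contact the support team; it unlocks automatically in about ${minutes} minute(s).`;
  }
}

// Constructed event stream for a demo run: two MFA failures, a password
// failure (ignored), a success (counter reset), then three MFA failures (lock).
function runDemo() {
  let clock = 0;
  const policy = new MfaLockoutPolicy({ now: () => clock });
  const stream = [
    MFA_FAILED, MFA_FAILED, LOGIN_FAILED, LOGIN_SUCCESS,
    MFA_FAILED, MFA_FAILED, MFA_FAILED,
  ].map((name) => ({ name, userId: 'puneet' }));
  const trace = stream.map((ev) => policy.handleEvent(ev).action);
  const lockedNow = policy.isLocked('puneet');
  clock += 16 * 60 * 1000; // advance past the 15-minute auto-unlock window
  const lockedLater = policy.isLocked('puneet');
  return { trace, lockedNow, lockedLater };
}

console.log(runDemo());
```

In the instance, `handleEvent` would be the body of the script action bound to 'multifactor.auth.token.validation.failed', with the Map replaced by reads and writes of the integer field on sys_user and a `locked_out` update; the reset branch would hang off whatever success event you choose to subscribe to, which this example only assumes.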

4 REPLIES 4

Puneet Hegde1
Tera Guru

Meanwhile, if anyone knows where I can find the page and how to edit it, that would be helpful.

Ambuj Tripathi
ServiceNow Employee

Hi @Puneet Hegde1 

 

Please check out this property and the script event action, which is provided OOB:
https://docs.servicenow.com/bundle/xanadu-platform-security/page/administer/security/task/t_LockoutF...

 

You can change the property value (glide.user.max_unlock_attempts) to any other value as per your business requirements.

Once the user tries to log in with a wrong password, it raises the login failed event (sysevent), and based on this event the event script action is executed, which locks the user if the failed login events exceed the threshold value specified in the property.

Dear Ambuj,
I know the property will work on the login page, and I'm looking into the process of locking the user when MFA fails. Currently, I have a script which will lock the user, but I have no idea how to capture invalid MFA input.

Thank you,
Puneet
