Maik Skoddow
Tera Patron

In the Community the question comes up again and again whether multi-factor authentication (MFA) can be bypassed under certain circumstances. For example, users would like to log in directly, without MFA, when they access the ServiceNow instance from a trusted (company) network. It is indeed possible to implement such an exception with the Adaptive Authentication feature of ServiceNow, and this article describes the configuration needed to realize that scenario. Keep in mind that the exception trusts the source IP address the instance sees, so it is only as strong as your control over that network; every login from outside the listed ranges is still challenged for MFA.

This article only addresses the absolutely necessary aspects of Adaptive Authentication. A comprehensive introduction to this topic can be found in a blog post by @Daniel Garcia Martinez.

Install and configure Adaptive Authentication

(1) Go to System Definition > Plugins, search for the plugin with ID com.snc.adaptive_authentication and install it. If the plugin is already installed, you can skip this step.

(2) Navigate to Adaptive Authentication > Authentication Policies > All Policies, add the "Active" column to the list and deactivate every policy except "Step down MFA policy", which must remain "Active = true". Later, once you are more familiar with Adaptive Authentication, you can add or activate additional policies to fit your security requirements.

(3) Open the properties page of the Adaptive Authentication application and activate it by ticking the first checkbox. Don't forget to save the properties page!

Configure MFA Context

The MFA context determines whether a user must provide a second factor when logging in. There are two strategies for applying MFA:

  • Step-Up MFA Policy: MFA is not enforced by default; it is enforced only when the policy conditions evaluate to true.
  • Step-Down MFA Policy: MFA is enforced by default; it is skipped only when the policy conditions evaluate to true.

For a trusted-network exception the Step-Down policy is the right choice: the secure default is "MFA required", and the IP filter configured below is the single, explicit exception.

(1) Navigate to Adaptive Authentication > MFA Context, select "Step-Down MFA Policy" in the "Default Policy" field and save the record. If a confirmation dialog appears, click "OK".

(2) Open the "Step-Down MFA Policy" record (for example from Adaptive Authentication > Authentication Policies > All Policies).

(3) In the "Policy Inputs" related list, click "New".

(4) On the next screen select "IP Filter Criteria".

(5) Enter a suitable name, specify the IP address ranges that are allowed to bypass MFA and click "Submit". List the addresses the instance actually sees for your users, typically the public egress addresses of the company network or VPN gateway; internal addresses that are translated on the way out never match, and every address outside the list keeps MFA.

(6) Back at the "Step-Down MFA Policy" record, click "New" in the "Policy Conditions" related list.

(7) Enter a suitable name, select the previously created IP filter criteria in the "Condition" field and choose "is true". Then "Submit" the record.

(8) Back at the policy record, remove any out-of-the-box (OOTB) "Policy Conditions" by selecting those records and choosing "Delete" from the list menu at the bottom, so that only your IP condition remains.

(9) Remove any existing OOTB "Policy Inputs" by clicking the "Edit" button of that related list and moving the OOTB policy inputs to the left-hand side. Then save the selection, so that only your IP filter criteria input remains.

Activate and test MFA

(1) If not already active, open the properties page of the Multi-factor Authentication application and activate it by ticking the first checkbox. Don't forget to save the properties page!

(2) Log in to your instance from within the specified IP range. You should not be forced to register an MFA device or to enter an MFA code. Then try to log in from another network, for example via a mobile device without the company VPN. Now you should be presented with a screen for registering an MFA device or, if already registered, for entering the MFA code.
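To make the decision you just configured and tested tangible, the following stand-alone script models it in plain JavaScript. It is an added example written for this article and is not ServiceNow's implementation, not a ServiceNow script include and not the author's code: the "IP Filter Criteria" input becomes an allow-list of IPv4 ranges, the Step-Down policy becomes "MFA is required unless the client address matches", and the trusted ranges (RFC 5737 documentation addresses) as well as the client addresses are constructed for the demonstration. Run it with Node.js; it prints the same two outcomes you should observe in step (2): no MFA from a listed address, MFA from everywhere else.

```javascript
// Added example: a stand-alone model of the Step-Down decision configured
// above. This is NOT ServiceNow's implementation; it only shows the logic an
// "IP Filter Criteria" input has to perform: parse the allowed ranges, compare
// the client's source address with them, and require MFA for any client that
// does not match. IPv4 only, plain Node.js, no dependencies.

// Convert a dotted-quad IPv4 address to an unsigned 32-bit integer.
// Returns null for anything that is not a well-formed IPv4 address, so an
// empty, malformed or IPv6 value can never accidentally match a range.
function ipv4ToInt(ip) {
  if (typeof ip !== "string") return null;
  const parts = ip.trim().split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const v = Number(p);
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n;
}

// Parse one allow-list entry into an inclusive {lo, hi} interval. Accepted forms:
//   "203.0.113.0/24"               CIDR block (host bits are masked off)
//   "198.51.100.10-198.51.100.20"  inclusive address range
//   "192.0.2.7"                    single host
// A malformed entry throws, so a typo fails loudly when the list is built
// instead of silently allowing or denying traffic at login time.
function parseRange(entry) {
  const s = String(entry).trim();
  if (s.includes("/")) {
    const [base, bitsStr] = s.split("/");
    const baseInt = ipv4ToInt(base);
    const bits = Number(bitsStr);
    if (baseInt === null || !Number.isInteger(bits) || bits < 0 || bits > 32) {
      throw new Error("invalid CIDR: " + entry);
    }
    const size = 2 ** (32 - bits);
    const lo = Math.floor(baseInt / size) * size; // network address of the block
    return { lo, hi: lo + size - 1 };
  }
  if (s.includes("-")) {
    const [a, b] = s.split("-").map(ipv4ToInt);
    if (a === null || b === null || a > b) throw new Error("invalid range: " + entry);
    return { lo: a, hi: b };
  }
  const single = ipv4ToInt(s);
  if (single === null) throw new Error("invalid address: " + entry);
  return { lo: single, hi: single };
}

// The policy condition: does the client address fall inside any trusted range?
function inAllowedRange(clientIp, allowed) {
  const ip = ipv4ToInt(clientIp);
  if (ip === null) return false; // an unparseable address is never trusted
  return allowed.some((r) => ip >= r.lo && ip <= r.hi);
}

// Step-Down: MFA is the default and is skipped ONLY when the condition is true.
// Step-Up is the mirror image: no MFA by default, enforced when the condition
// is true. Returns true when the user must present a second factor.
function mfaRequired(clientIp, allowed, mode) {
  const conditionTrue = inAllowedRange(clientIp, allowed);
  if (mode === "step-down") return !conditionTrue;
  if (mode === "step-up") return conditionTrue;
  throw new Error("unknown MFA mode: " + mode);
}

// Constructed allow-list for the demonstration (RFC 5737 documentation
// addresses): the company's public egress /24 and a single VPN gateway address.
const TRUSTED = ["203.0.113.0/24", "198.51.100.10"].map(parseRange);

// Constructed sample logins, mirroring the manual test above: an office client,
// the VPN gateway, a neighbour of the gateway, an internal address that never
// matches because NAT replaces it before the request reaches the instance,
// and a garbage value.
const SAMPLE_CLIENTS = ["203.0.113.77", "198.51.100.10", "198.51.100.11", "10.0.0.5", "not-an-ip"];

for (const ip of SAMPLE_CLIENTS) {
  const verdict = mfaRequired(ip, TRUSTED, "step-down") ? "MFA required" : "MFA skipped";
  console.log(ip.padEnd(16) + verdict);
}
```

Two details are worth carrying over into a review of the real configuration: an address that does not parse (empty, malformed, or IPv6 while only IPv4 ranges are listed) must fall through to "MFA required" and never into the exception, and a CIDR entry is normalized to its network address, so a range typed as 203.0.113.99/24 still covers the whole /24 rather than failing quietly.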

 

Comments
threatangler
Tera Contributor

Thank you for the article. We have the below requirements. How would we achieve this? 


  • By default, any user with the admin role should have MFA enforced and we do this via the multi-factor criteria configuration
  • Some accounts requiring the admin role do not belong to a human who can input a second factor. They are used for an integration for example. We will call this a service account. 
  • We need to disable MFA for these service accounts but limit their ability to authenticate from specific IP addresses

We have tried using adaptive authentication, but we cannot combine both role (or group) AND IP address together to disable MFA, because the system does not know what group or role the user is in until they have passed MFA.

 

We appreciate your suggestions for this use case. 

Randheer Singh
ServiceNow Employee

Hi @threatangler ,

On the integration account, please enable the Web Service Access Only flag. This will ensure that when you enable the MFA context Policy for admin users, it does not impact integrations.
For enforcing IP restrictions on APIs and this integration account, please use the API access policy feature. 

On a side note: as a security best practice, please consider having an integration account with less privileged roles. The admin role gives way too much access and is always a big risk.

Thanks,

Randheer

FernandoUrrutia
Tera Contributor

Have you tested your internal user for integration? Do it!

Version history
Last update: 12-03-2021 09:29 PM