
Randheer Singh
ServiceNow Employee

Introduction

Multi-factor authentication (MFA) is a security measure that requires users to provide two or more factors to verify their identity when logging in to an account. This helps to protect accounts from unauthorized access, even if an attacker has compromised the user's password.


While MFA is important for all users, it is especially important for users who access company resources from outside the company network. This is because users outside the company network are more likely to connect over public Wi-Fi networks, which are less secure than private networks.


Dynamically enforcing MFA when a user logs in from outside the company network is a great way to improve security without sacrificing user convenience. By using a variety of signals, such as the user's IP address, location, authentication method, identity provider attributes, roles, and group, you can automatically determine whether or not to require MFA.


In this blog, we will see how we can use adaptive authentication to dynamically enforce MFA for users accessing the instance outside the trusted network. Before that, let’s quickly recap ServiceNow's Adaptive authentication capabilities. If you are already familiar with it, you can skip to the step-by-step guide.


Adaptive Authentication

Adaptive authentication is a policy framework for enforcing contextual authentication controls on the right persona at the right time. ServiceNow adaptive authentication policies let an admin create custom access policies based on role, device, IP, location and many other contextual factors.


Pre-Authentication Policy Context

With the current Adaptive Authentication feature, an admin can enable a pre-auth policy to allow or disallow ServiceNow instance access to a provided IP range. Example use cases:

  1. IP perimeter-based control: Admins can define a trusted IP network and add conditions to allow instance access only from the devices connected through the defined trusted network. All incoming traffic to the instance (user interactive, web, mobile app or non-interactive API access) will be blocked (HTTP 403/404) if the request originates outside that trusted network.
  2. Similarly, Admins can define a policy to block all incoming traffic from a given IP range.
  3. Location-based controls: In the Vancouver release, we are introducing location (country) based controls. Admins can define a list of countries from which access to the instance is allowed/disallowed.


The pre-auth policy gets executed before the user sees the instance or the login page. Because of this, user context-related conditions cannot be added to pre-auth policies; only IP network-related conditions can be added. This capability is available from the Rome release onwards. Please refer to this product documentation for more details.


In the Tokyo release, we introduced a capability allowing admins to access an instance from a trusted ServiceNow mobile app, even when the device is not connected to a trusted network. Details here.


Post-Authentication Policy Context

The post-authentication policy gets executed after successful user authentication, so admins can add user context (roles/group membership) and the authentication method to the policy conditions. Admins can enforce a specific authentication scheme/Identity Provider for a set of users based on requirements.

Example use cases:

  1. Allow external users (CSM users, partners, new hires or Alumni) to log in from any network, but allow employees to log in only from a trusted corporate network.
  2. Allow external users to log in with username/password (basic authentication) based login, but allow only SSO-based authentication for employees.


The post-authentication policy is only executed for user interactive logins; it is not enforced for API/non-interactive/web service access. This capability is available from the Rome release onwards. Please refer to this product documentation for more details.


MFA Context

The MFA context policy gets executed after successful first-factor user authentication, so admins can add user context (roles/group membership) and the authentication method to the policy conditions, along with IP and location. Please refer to this product documentation for more details.


Example use cases:

  1. Dynamically force MFA for all local login attempts.
  2. Force MFA for users logging in from outside the trusted network.
  3. Force MFA for users logging in from specific countries.
  4. Force MFA for privileged users like admins and scoped app admins.
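To make the decision logic concrete, here is a constructed Python model (an added example, not ServiceNow's code) of how such an MFA context policy evaluates a login: the trusted-network ranges, the privileged role names and the country code are assumed sample values, and `LoginContext`, `in_trusted_network` and `mfa_required` are hypothetical names. It covers the trusted-network condition this post configures as well as the privileged-role and country use cases, and treats an unparsable client address as untrusted.

```python
"""Constructed model of the MFA-context policy decision described above.
Not ServiceNow's implementation: the trusted network stands for the IP filter
criteria, and the conditions run after a successful first-factor login."""
import ipaddress
from dataclasses import dataclass, field

# IP filter criteria "Trusted network" (constructed sample ranges).
TRUSTED_NETWORK = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "203.0.113.0/24")]
# Privileged roles that always get MFA: "admin" is the platform role,
# "x_example.admin" is a constructed stand-in for a scoped app admin role.
PRIVILEGED_ROLES = {"admin", "x_example.admin"}
# Countries from which MFA is always enforced (constructed sample value).
MFA_COUNTRIES = {"XX"}


@dataclass
class LoginContext:
    user: str
    ip: str
    auth_method: str  # "local" (username/password) or "sso"
    roles: set = field(default_factory=set)
    country: str = ""  # ISO code from a geo lookup, "" if unknown


def in_trusted_network(ip: str) -> bool:
    """True when the client IP is inside a configured trusted range.
    An unparsable address is treated as untrusted (fail closed)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORK)


def mfa_required(ctx: LoginContext, mfa_with_sso: bool = False) -> tuple[bool, str]:
    """Return (decision, reason) for the step-up MFA policy.
    mfa_with_sso mirrors the "MFA with SSO" feature: unless it is on,
    SSO logins are not subject to ServiceNow MFA."""
    if ctx.auth_method == "sso" and not mfa_with_sso:
        return False, "SSO login: ServiceNow MFA not enforced by default"
    if not in_trusted_network(ctx.ip):
        return True, f"{ctx.ip} is outside the trusted network"
    hit = ctx.roles & PRIVILEGED_ROLES
    if hit:
        return True, "privileged role: " + ",".join(sorted(hit))
    if ctx.country in MFA_COUNTRIES:
        return True, f"login from {ctx.country}"
    return False, "trusted network, non-privileged user"
```

The returned reason string is what you would want written to the login audit trail, so that a later review can tell why a given session was or was not stepped up.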


Step-by-step guide to enable MFA for users logging in from outside the trusted network


Activate plugin

Install the plugin Adaptive Authentication (com.snc.adaptive_authentication).


Configure MFA Policy

If you do not already have an active MFA context policy, the first step is to configure an adaptive authentication (AA) policy that enforces MFA dynamically. We can either use the existing Step-Up MFA policy or create a new policy and associate it with the MFA context.


Using an AA policy, an admin can enforce MFA dynamically based on network (IP address), role, and group membership. Please refer to this documentation to learn more about the MFA context policy.


For this use case, we will create a policy that enforces MFA for all users accessing the instance from outside the trusted network.


Step 1. Create an IP filter criteria and define the trusted network.

Trusted network (screenshot of the IP filter criteria record)

Note: IP filter criteria can be created automatically by importing from IP access control IP ranges.


Step 2. We will add this filter criteria to an existing AA policy (Step-Up MFA Policy).


Step 3. Now, we will add a condition to the Step-Up MFA Policy to enforce MFA when the user logs in from outside the trusted network. We will also set the policy as active.


Step 4. Finally, we will activate this policy and associate it with the MFA context record, with the default policy field set to “Step-Up MFA policy.”


Step 5. We also need to enable the Adaptive Authentication property.

  1. Open Adaptive Authentication > Properties
  2. Adaptive Authentication > Authentication Policies > Properties
  3. Enable the following property:
    • Enable Authentication Policy


Upon completing this step, users logging in locally from outside the trusted network will start seeing the MFA enrollment screen.



Note: By default, we do not enforce MFA for SSO logins. However, if the admin wants to enforce ServiceNow MFA for SSO login attempts, they can use the MFA with SSO feature. Here is the documentation.


We also recommend enabling the Integration - Web Authentication (com.snc.integration.webauthn) plugin so that users can use FIDO2-based authenticators, hardware security keys and passkeys. FIDO2 provides phishing-resistant MFA with a best-in-class user experience.


Useful Links

https://docs.servicenow.com/bundle/utah-platform-security/page/integrate/authentication/concept/adap...


https://docs.servicenow.com/bundle/utah-platform-security/page/integrate/authentication/concept/mfa-...


https://docs.servicenow.com/bundle/utah-platform-security/page/integrate/authentication/task/configu...


https://learning.servicenow.com/lxp?id=learning_course&course_id=d2f3ec6a97ab59948934b67e6253af25


https://docs.servicenow.com/bundle/utah-platform-security/page/integrate/authentication/concept/adap...


https://docs.servicenow.com/bundle/utah-platform-security/page/integrate/authentication/concept/mfa-...
