Amanda Grady
ServiceNow Employee

I’m excited to announce that with the upcoming Now Platform Yokohama release, ServiceNow will be enforcing multifactor authentication (MFA) as a default security measure for all internal users who log on without single sign-on (SSO). This is part of our ongoing commitment to enhance the security of customer accounts and protect their valuable data from unauthorized access.

MFA requires users to provide two or more forms of verification before they can access an account or system. ServiceNow offers a wide range of MFA options, including:

  • Passkeys
  • Authenticator apps such as Google Authenticator
  • Hardware security keys such as YubiKey
  • Biometric authenticators such as:
    • Face ID
    • Touch ID
    • Windows Hello
  • Email and text/SMS one-time passwords

How does MFA help?

Implementing MFA adds an extra layer of verification to user accounts and helps ensure our customers’ ServiceNow instances meet the highest security standards.

There’s been a year-over-year increase in attacks using stolen credentials, according to IBM’s X-Force Threat Intelligence Index, and we know it’s difficult to distinguish between a legitimate login and a compromised login.

Although the majority of our customers use SSO to log on to ServiceNow, most also retain a local login—for admins, for example. MFA significantly reduces the risk of unauthorized access—even if a password is compromised—by up to 99%, according to the U.S. Cybersecurity and Infrastructure Security Agency.

While MFA has been a part of ServiceNow for a while, requiring MFA for all local login users is a crucial step to help our customers protect themselves by default. This change aligns ServiceNow with industry standards and best practices, reflecting our commitment to safeguarding customer data.


How does MFA affect ServiceNow customers?

For existing customers upgrading to the Now Platform Yokohama release, if your ServiceNow instance doesn’t already have an active MFA policy, a default MFA policy will be automatically enabled.

That means that, for the first 90 days following the upgrade to the Yokohama release, all internal users (users without the snc_external role) who log in with local or LDAP (network-based, e.g., Active Directory credentials) authentication will need to set up MFA within 30 days of their first successful login.

During this period, users can log in normally but will see a message prompting them to enroll in MFA. After 30 days, MFA will be required by default and users will not be able to log in without completing the MFA setup.

Since the Now Platform Xanadu release, we’ve made it even easier to set up MFA by enabling passkeys to be registered and used directly, without requiring users to download an authenticator app.

For new customers, MFA will be active by default from day 1 for all internal users logging in with local or LDAP authentication. This helps ensure accounts are protected from the moment customers start using the ServiceNow platform.
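To make the enforcement timeline concrete, here is an added example, written for this post and not ServiceNow's own code or how the platform implements the policy internally, that models the decision for a single login attempt and builds a readiness report an admin could use to spot who will be locked out once the window closes. The user names, the `auth` labels, the `ui_login` flag and the sample dates are constructed; the UI-only scope follows the staff comment below that service accounts are not affected, and the self-enrolment window is a parameter because the post says admins can change it via system properties.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Default self-enrolment window from the post (30 days); admins can change it.
ENROL_WINDOW_DAYS = 30

@dataclass
class User:
    name: str
    roles: set
    auth: str                      # "sso", "local" or "ldap" (constructed labels)
    first_login: Optional[date]    # first successful login after the upgrade
    mfa_enrolled: bool = False
    ui_login: bool = True          # False for API/service-account logins (assumed)

def mfa_decision(user, today, window_days=ENROL_WINDOW_DAYS):
    """Outcome of a login on `today`: exempt, challenge, prompt or blocked."""
    # SSO logins, holders of snc_external and non-UI logins fall outside the
    # default policy as the post and the comments describe it.
    if user.auth == "sso" or "snc_external" in user.roles or not user.ui_login:
        return "exempt", None
    if user.mfa_enrolled:
        return "challenge", None        # enrolled: MFA factor is prompted for
    if user.first_login is None:
        return "prompt", window_days    # the clock starts at this first login
    deadline = user.first_login + timedelta(days=window_days)
    if today < deadline:
        return "prompt", (deadline - today).days   # can still log in normally
    return "blocked", 0                             # window elapsed, no MFA set up

def readiness_report(users, today, window_days=ENROL_WINDOW_DAYS):
    """Group users by outcome so an admin can see who will be locked out."""
    report = {}
    for u in users:
        outcome, _ = mfa_decision(u, today, window_days)
        report.setdefault(outcome, []).append(u.name)
    return report

# Constructed sample data (not taken from any real instance).
SAMPLE_TODAY = date(2025, 3, 20)
SAMPLE_USERS = [
    User("alice", {"admin"}, "sso", date(2025, 3, 2)),
    User("bob", {"admin"}, "local", date(2025, 3, 1)),
    User("carol", {"itil"}, "ldap", date(2025, 2, 1)),
    User("dave", {"snc_external"}, "local", date(2025, 3, 5)),
    User("erin", {"itil"}, "local", date(2025, 3, 3), mfa_enrolled=True),
    User("svc_api", {"admin"}, "local", date(2025, 3, 1), ui_login=False),
    User("frank", {"itil"}, "local", None),
]
```

Running `readiness_report(SAMPLE_USERS, SAMPLE_TODAY)` lists carol as blocked (her 30 days ran out on 3 March) while bob still has 11 days; passing `window_days=60` shows how a longer admin-configured window keeps carol in the prompt state.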


How to get started with MFA

To comply with the new MFA enforcement mandate, users will need to set up MFA within the specified time frame. This involves enrolling in one or more verification methods, such as an authenticator app, biometric authentication, or a hardware security key.

We recommend enrolling in multiple MFA factors to help prevent being locked out of your accounts. For example, you can set up both an authenticator app and a biometric authenticator for added security. Admins can also adjust the MFA enforcement timeline and provide a smaller or larger self-enrollment window by updating the relevant system properties.

By taking these steps, you’ll be contributing to a more secure and resilient digital environment for everyone on the ServiceNow platform.


Can I disable MFA?

Although it’s technically possible to configure exceptions to this MFA policy, we strongly advise against doing so and recommend consulting your security team first.

Allowing exceptions would potentially weaken the overall security framework, exposing your accounts to greater risks. Mandating compliance with the MFA requirements helps organizations take a proactive stance on safeguarding their data and maintaining the highest security standards.


How should I prepare for enforced MFA?

Don't wait until the Now Platform Yokohama release to start protecting your accounts. Begin enforcing MFA today ahead of this upgrade.

By setting up MFA requirements now, you can help ensure your users are secure and prepared for the upcoming changes. Review our documentation on how to configure MFA policies in your instance.


Find out more about how ServiceNow prioritizes data security.

6 Comments
saurabhtane
Tera Explorer

Hey @Amanda Grady 

Thank you for providing detailed information. How are we going to manage the Service Accounts here?

BriBos
ServiceNow Employee

This only applies to UI local logins so service accounts will not be affected. 

saurabhtane
Tera Explorer

Thank you @BriBos 

M2A
Tera Contributor

Can I set "Email Authentication" as the default authentication on the very first page for my domain project only, in a domain-separated instance?

Like, suppose once I come to the login page, after giving the password, I get the screen where I should get email authentication as the default authentication for my domain.

sebastianschmid
Tera Contributor

Our understanding is that right after upgrading to Yokohama, internal users who log on without single sign-on are forced right after login, with the option to postpone.
I've upgraded one instance; MFA was already enforced for admins or for particular users via sys_user.enable_multifactor_authn,
but for other internal users I was still able to log in via login.do without getting an MFA dialog.

To rule out that this could be caused by any customizations, and since KB1709783 says
"Yes. MFA will be enforced for all developer instances that are on Yokohama or later release versions."
I requested a fresh Yokohama P2 instance, but MFA was not enabled at all.
Enabling manually, but without sys_user.enable_multifactor_authn, or customizing multi_factor_criteria or enabling glide.authenticate.auth.policy.enabled, a normal user with the "snc_internal" or "itil" role is still not enforced, nor seeing the described info messages, e.g. in the user profile (with the new display BR Show MFA enforcement message in profile).
Did someone get it running?

Ambuj Tripathi
ServiceNow Employee

@M2A - You can do so by using Email MFA factor policy - https://www.servicenow.com/docs/bundle/yokohama-platform-security/page/integrate/authentication/task....


@sebastianschmid - Yes, after the upgrade to Y, MFA would be enforced, but there is a provision for self-enrolment of 30 days, during which users will see the info messages about the MFA enforcement. The end users who aren't already enforced with MFA during local login can self-enrol during this period, and once this period is over, MFA will be enforced for them during local login. This period can be changed as per the business requirements. That is the reason you weren't getting the MFA immediately.

Please go through the below KBs for more details - 

Concise KB about MFA Enforcement - KB1700938 

Detailed FAQ KB About MFA Enforcement - KB1709783