Multi-factor authentication (MFA) is a critical part of securing enterprise access, and at ServiceNow, we continue to evolve our platform to give customers more flexibility and stronger assurance options. With the Zurich Release, we’ve expanded MFA factor policy support to include FIDO2/passkey-based authenticators, giving organizations a powerful new way to enforce high-assurance authentication.
Adaptive Authentication in ServiceNow
ServiceNow’s adaptive authentication allows customers to dynamically enforce MFA based on conditions such as user role, group, authentication method, network, or location.
In addition, customers can configure MFA factor policies to define which authentication method should be used for specific user groups or scenarios. This ensures the right level of assurance is applied to the right personas.
For example:
- You may allow low-privileged users to authenticate with email OTP or SMS OTP, since they are easy to use and require minimal setup.
- At the same time, you may require high-privileged users to authenticate with stronger methods like FIDO2 authenticators, ensuring stronger protection for sensitive actions.
What’s New in Zurich
Until now, MFA factor policy support was limited to email OTP and SMS OTP. With Zurich, ServiceNow has expanded this capability to include FIDO2/passkey authenticators.
This enhancement allows customers to:
- Require users to authenticate with FIDO2/passkeys when MFA is triggered.
- Enforce higher authentication assurance levels for admins, developers, or other privileged roles.
- Apply stricter authentication methods for high-risk login attempts from untrusted networks or unusual locations.
Example Use Cases
Here are some ways customers can take advantage of this new capability:
- High-Privileged Roles
  - Require system administrators to use only FIDO2 authenticators.
  - Disallow weaker MFA methods such as email OTP for these accounts.
- High-Risk Access Scenarios
  - When a login attempt comes from an untrusted network or suspicious location, enforce FIDO2-based MFA.
  - Ensure users go through the highest level of authentication assurance before accessing critical data.
How It Works
- An administrator creates or updates an MFA factor policy for FIDO2.
- When a user meets the conditions of the policy (e.g., belonging to an admin role or logging in from an untrusted network), ServiceNow enforces FIDO2-based authentication.
- If the user has not yet enrolled a FIDO2 authenticator, they are prompted to complete enrollment before proceeding.
The flow diagram below illustrates FIDO MFA factor policy enforcement.
[Flow diagram: MFA Factor Policy Enforcement]
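To make the enforcement flow above (and the use cases in the previous section) concrete, here is a small policy-evaluation model added to this post. It is illustrative code written for this article, not ServiceNow's implementation or API: the policy fields, the assurance ranking, the role names and the rule that the policy with the strongest weakest-allowed factor wins when several match are all assumptions of the model. It shows the three steps the post describes: match the user and login context against factor policies, restrict MFA to the factors that policy allows, and route the user to enrollment when none of the allowed factors is enrolled.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed assurance ranking: higher is stronger. Only the ordering matters
# for the decision logic below.
ASSURANCE = {"sms_otp": 1, "email_otp": 1, "fido2": 3}


@dataclass(frozen=True)
class FactorPolicy:
    """One MFA factor policy: matching conditions plus the factors that satisfy it."""
    name: str
    allowed_factors: frozenset
    roles: frozenset = frozenset()        # empty means the policy applies to any role
    untrusted_network_only: bool = False  # True: applies only to untrusted-network logins

    def matches(self, user_roles, untrusted_network):
        if self.roles and not (self.roles & user_roles):
            return False
        if self.untrusted_network_only and not untrusted_network:
            return False
        return True

    def floor(self):
        """Assurance level of the weakest factor this policy still accepts."""
        return min(ASSURANCE[f] for f in self.allowed_factors)


@dataclass(frozen=True)
class Decision:
    outcome: str                # "mfa": user can complete MFA now; "enroll": must enroll first
    policy: Optional[str]       # name of the policy applied; None when default factors apply
    usable: frozenset           # enrolled factors the user may complete MFA with
    enroll_options: frozenset   # factors offered for enrollment when none is usable


def decide(user_roles, enrolled, untrusted_network, policies, default_factors):
    """Pick the factor set for this login and check it against what the user has enrolled."""
    matching = [p for p in policies if p.matches(user_roles, untrusted_network)]
    if matching:
        # Model assumption: when several policies match, the one whose weakest
        # accepted factor is strongest wins, so a privileged user on an
        # untrusted network is never downgraded by a broader policy.
        chosen = max(matching, key=lambda p: p.floor())
        allowed, name = chosen.allowed_factors, chosen.name
    else:
        allowed, name = frozenset(default_factors), None
    usable = allowed & frozenset(enrolled)
    if usable:
        return Decision("mfa", name, usable, frozenset())
    # Nothing acceptable is enrolled: enrollment must precede access.
    return Decision("enroll", name, frozenset(), allowed)


# Constructed sample policies mirroring the post's use cases (names are hypothetical).
POLICIES = (
    FactorPolicy("admins-fido2-only", frozenset({"fido2"}), roles=frozenset({"admin"})),
    FactorPolicy("developers-fido2-or-email", frozenset({"fido2", "email_otp"}),
                 roles=frozenset({"developer"})),
    FactorPolicy("untrusted-network-fido2", frozenset({"fido2"}), untrusted_network_only=True),
)
DEFAULT_FACTORS = frozenset({"email_otp", "sms_otp"})  # what low-privileged users get


if __name__ == "__main__":
    scenarios = [
        ("admin, enrolled passkey, trusted net", {"admin"}, {"fido2", "email_otp"}, False),
        ("admin, no passkey, trusted net", {"admin"}, {"email_otp"}, False),
        ("low-privileged user, trusted net", {"itil"}, {"email_otp"}, False),
        ("developer, trusted net", {"developer"}, {"email_otp"}, False),
        ("developer, untrusted net", {"developer"}, {"email_otp"}, True),
    ]
    for label, roles, enrolled, untrusted in scenarios:
        d = decide(frozenset(roles), enrolled, untrusted, POLICIES, DEFAULT_FACTORS)
        print(f"{label}: {d.outcome} via {d.policy or 'default'} "
              f"usable={sorted(d.usable)} enroll={sorted(d.enroll_options)}")
```

The developer-on-untrusted-network case is the one worth studying: the developer policy alone would accept email OTP, but the untrusted-network policy also matches and has the stronger floor, so the model demands FIDO2 and, because the user has only email OTP enrolled, sends them to enrollment rather than letting the weaker factor through.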
Why This Matters
With Zurich, organizations now have finer-grained control over MFA, enabling them to:
- Reduce risk by mandating stronger authenticators for sensitive accounts.
- Balance usability and security by applying lighter methods (SMS/email OTP) where appropriate.
- Align with industry best practices that recommend phishing-resistant authenticators such as FIDO2.
This release marks a significant step forward in helping customers adopt a default secure posture while tailoring MFA policies to their unique risk and user personas.
Learn more: Configuring MFA with FIDO2 as a factor (Zurich Documentation)