'Don't ask for MFA' reverting after 60 mins

SNAdmin47
Kilo Sage

Hi, 

 

We use MFA for external customers which works fine but we've recently noticed that when the 'Don't challenge for MFA on this browser for the next 8 hours' tickbox is ticked it only works for 1 hour, i.e., it won't challenge for MFA for the first hour but will then revert and challenge for MFA after 1 hour has passed. As per the MFA properties product doc I've checked the sys_property 'glide.authenticate.multifactor.browser.fingerprint.validity' and this is set to 8 which should be effective for 8 hours, and the sys_property 'glide.authenticate.multifactor.remember.browser.enable' is also set to true: https://www.servicenow.com/docs/bundle/utah-platform-security/page/integrate/authentication/referenc...

 

Is anybody able to confirm if this is expected behaviour or if there's potentially something else I can check or refer to to restore the 8 hour MFA fingerprint validity? Our session timeout is set to 60 mins, so I was wondering if that has an impact but it seems unlikely since I've tested on our dev instance and reduced the session timeout to 5 mins and it worked fine. 

 

Many thanks in advance, any help would be greatly appreciated!

2 ACCEPTED SOLUTIONS

Hello @SNAdmin47 

 

Sure, do let me know.

 

Kindly mark my answer as helpful and accept solution if it helped you in any way,

 

Regards,

Shivalika 

 

My LinkedIn - https://www.linkedin.com/in/shivalika-gupta-540346194

 

My youtube - https://youtube.com/playlist?list=PLsHuNzTdkE5Cn4PyS7HdV0Vg8JsfdgQlA&si=0WynLcOwNeEISQCY


Hi @Ankur Bawiskar, my colleague still has an open ticket for it and is still awaiting feedback from the business stakeholders, but we've advised them that from the disparity in our testing with different browsers, and also using different security settings and versions on browsers, we believe this is most likely due to browser configuration.


9 REPLIES

Shivalika
Mega Sage

Hello @SNAdmin47 

 

Technically I would say it's happening because of session timeout, but since you already mentioned that you tried it out in sub instance and it worked fine.

 

But I feel behavior may be different for sub production instances, maybe.

 

Try deleting this property, obviously after taking a backup, and creating a fresh one with 8 as value, and also try changing the session timeout for once in prod and check, if possible?

 

Kindly mark my answer as helpful and accept solution if it helped you in any way,

 

Regards,

Shivalika 

 

My LinkedIn - https://www.linkedin.com/in/shivalika-gupta-540346194

 

My youtube - https://youtube.com/playlist?list=PLsHuNzTdkE5Cn4PyS7HdV0Vg8JsfdgQlA&si=0WynLcOwNeEISQCY

SNAdmin47
Kilo Sage

Hi @Shivalika,

Thanks, good suggestion on temporarily changing the session timeout on prod and re-testing. I'll give that a go to at least discount the potential (or not), and potentially re-create the sys_property.... so thanks again for the suggestion. I'll come back and confirm once I've tested. 


SNAdmin47
Kilo Sage

I've had someone do a load of testing and there seems to be an inconsistency in the end results depending on the browser being used (Firefox keeps asking for MFA after an hour, whilst Chrome/Edge lasts for approx. 6-7 hours), so we suspect this is a browser configuration affected issue rather than a ServiceNow configuration issue. Which is nice because that means I 'can't' do anything about it and it's someone else's problem #winning