07-04-2025 05:30 AM
Hi,
With the migration to Yokohama, users without SSO must enable MFA.
For some users we want to use the Email Authentication only.
When logging in, the user got the message:
And on the profile page, when clicking on Configure Multi-factor Authentication, Email MFA is not available.
Can you tell us how the user can select Email MFA?
On MFA Context, the MFA Factor Policies are configured:
Regards,
karine
07-07-2025 11:21 AM
Hi @Karine_M
There are some additional user level checks which are also required.
1: User's email field should not be empty.
2: User level notifications should be enabled for the testing user. (sys_user.notification = 2)
3: Please check if the email MFA property and adaptive auth property are enabled in the instance (Email MFA - glide.authenticate.multifactor.email.otp.enabled, Adaptive Auth - glide.authenticate.auth.policy.enabled).
4: The Email MFA Factor policy is enabled - https://instance.service-now.com/sys_authentication_policy.do?sys_id=5263ab587761111029fc1646ba5a99a...
Now, if all of the above configurations are correct, then it means the factor policy is evaluating to false for this specific user in the instance.
To verify this, you can enable the adaptive auth debug property in the instance and search with either the Email Factor policy name or policy sys_id. If the policy evaluation result is coming as true, then it won't even show the MFA setup page and it will redirect the user to the validation page - validate_multifactor_auth_code.do
For reference, I am putting the MFA Factor policy doc link here - https://www.servicenow.com/docs/bundle/yokohama-platform-security/page/integrate/authentication/task...
Can you please check above and let me know if the issue still persists. This should fix the issue and take the user to validation page directly. Please try it out and let us know.
Thanks!
-Ambuj
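The four prerequisites listed in this answer can be checked in one pass for a given user. The script below is an added example, not part of the original reply and not ServiceNow's own code; it assumes the policy table name seen in the URL above (`sys_authentication_policy`), an `active` field on that table, and a placeholder policy sys_id and user name, because the sys_id in the post is truncated.

```javascript
// Added example: pre-flight for the Email MFA prerequisites named in the answer.
var PROPS = ['glide.authenticate.multifactor.email.otp.enabled',
             'glide.authenticate.auth.policy.enabled'];

// Glide returns properties as 'true'/'false' and boolean fields as '1'/'0'.
function isOn(v) {
  var s = String(v).trim().toLowerCase();
  return s === 'true' || s === '1';
}

// Pure check: takes plain objects, returns the list of failed prerequisites.
function emailMfaPreflight(user, props, policy) {
  if (!user) return ['user record not found'];
  var failed = [];
  if (!user.email || String(user.email).trim() === '')
    failed.push('sys_user.email is empty');
  if (String(user.notification) !== '2')
    failed.push('sys_user.notification is ' + user.notification + ', expected 2');
  PROPS.forEach(function (name) {
    if (!isOn(props[name])) failed.push('property ' + name + ' is not enabled');
  });
  if (!policy || !isOn(policy.active))
    failed.push('Email MFA factor policy is missing or inactive');
  return failed;
}

// Instance adapter: loads the same values through the Glide server APIs.
function runOnInstance(userName, policySysId) {
  var u = new GlideRecord('sys_user');
  var user = u.get('user_name', userName)
    ? { email: u.getValue('email'), notification: u.getValue('notification') }
    : null;
  var p = new GlideRecord('sys_authentication_policy');
  // 'active' is an assumed field name for the policy's enabled flag.
  var policy = p.get(policySysId) ? { active: p.getValue('active') } : null;
  var props = {};
  PROPS.forEach(function (name) { props[name] = gs.getProperty(name); });
  return emailMfaPreflight(user, props, policy);
}

// Runs only where the Glide APIs exist (for example Scripts - Background).
if (typeof GlideRecord !== 'undefined') {
  // Both arguments are placeholders: substitute the test user and the policy sys_id.
  gs.info(JSON.stringify(runOnInstance('constructed.user', '<EMAIL_POLICY_SYS_ID>')));
}
```

An empty result means all four prerequisites hold, which leaves the factor policy evaluating to false for that user as the remaining explanation.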
07-04-2025 07:00 AM
Hi @Karine_M,
The answer is in the question itself. Although the email MFA Setup option is not available in the Yokohama release, the admins can still configure the MFA Factor Policy for Email factor to enforce the Email Factor for the specific set of users.
"For some users we want to use the Email Authentication only."
For this set of users, you need to configure the above Email MFA Factor policy in such a way that the policy returns true for such users. The Email Factor policy should be set to active to be effective.
Let's understand it with an example -
I want itil role users to use email factor only.
In this case, I will create a role filter criteria with itil role (let's say - "hasITILRole"), add this filter to the above policy as policy input and set "hasITILRole = true" in the policy condition so that the policy returns true for ITIL users.
This will make sure the users who have the ITIL role will be directly taken to the validation page and they won't be shown the MFA setup page anymore.
Please let me know if you have any further questions.
Thanks!
07-07-2025 05:40 AM
Hi @Ambuj Tripathi,
Thanks for your answer.
In my PDI Instance, I succeeded in listing the email MFA on the first login page:
On my Company instance, the MFA context seems to be the same but I can't see the possibility to receive a code by email.
I think a configuration must not be correctly implemented but I don't see any difference between my PDI instance and my company's instance... 😢
regards,
Karine