Email MFA in Yokohama

Karine_M
Tera Guru

Hi,

With the migration to Yokohama, users without SSO must enable MFA.

For some users we want to use the Email Authentication only.

When logging in, the user got the message:

Karine_M_0-1751631589438.png

And on the profile page, when clicking on Configure Multi-factor Authentication, Email MFA is not available.

Karine_M_2-1751631676168.png

Can you tell us how the user can select Email MFA?

On MFA Context, the MFA Factor Policies are configured:

Karine_M_3-1751632077851.png

Regards,

karine

1 ACCEPTED SOLUTION

Ambuj Tripathi
ServiceNow Employee

Hi @Karine_M

There are some additional user level checks which are also required.

1: User's email field should not be empty.

2: User level notifications should be enabled for the testing user (sys_user.notification = 2).

3: Please check if the email MFA property and adaptive auth property are enabled in the instance (Email MFA - glide.authenticate.multifactor.email.otp.enabled, Adaptive Auth - glide.authenticate.auth.policy.enabled).

4: The Email MFA Factor policy is enabled - https://instance.service-now.com/sys_authentication_policy.do?sys_id=5263ab587761111029fc1646ba5a99a...

AmbujTripathi_1-1751912438665.png

Now, if all of the above configurations are correct, then it means the factor policy is evaluating to false for this specific user in the instance.

To verify this, you can enable the adaptive auth debug property in the instance and search with either the Email Factor policy name or policy sys_id. If the policy evaluation result is coming as true, then it won't even show the MFA setup page and it will redirect the user to the validation page - validate_multifactor_auth_code.do

AmbujTripathi_0-1751912159751.png

For reference, I am putting the MFA Factor policy doc link here - https://www.servicenow.com/docs/bundle/yokohama-platform-security/page/integrate/authentication/task...

Can you please check the above and let me know if the issue still persists. This should fix the issue and take the user to the validation page directly. Please try it out and let us know.

Thanks!

-Ambuj
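The four checks listed in the accepted solution, written as one diagnostic that reports which prerequisite is blocking Email MFA for a user. This is an added example, not part of the original post and not ServiceNow's code; the function names, the `active` field on `sys_authentication_policy`, the `REPLACE_WITH_...` placeholders and the sample values are assumptions.

```javascript
// Added example: reports which Email MFA prerequisite from the answer fails.
// Function names, the policy 'active' field and the samples are assumptions.
var EMAIL_PROP = 'glide.authenticate.multifactor.email.otp.enabled';
var ADAPTIVE_PROP = 'glide.authenticate.auth.policy.enabled';

// GlideRecord.getValue() gives '1'/'0' for booleans; properties hold 'true'/'false'.
function isTrue(v) {
  var s = String(v).trim().toLowerCase();
  return s === 'true' || s === '1';
}

// user: {email, notification}; props: {propertyName: value}; policy: {active} or null
function emailMfaBlockers(user, props, policy) {
  var out = [];
  if (!user.email || !String(user.email).trim()) out.push('sys_user.email is empty');
  if (String(user.notification) !== '2') out.push('sys_user.notification is not 2');
  if (!isTrue(props[EMAIL_PROP])) out.push(EMAIL_PROP + ' is not true');
  if (!isTrue(props[ADAPTIVE_PROP])) out.push(ADAPTIVE_PROP + ' is not true');
  if (!policy || !isTrue(policy.active)) out.push('Email MFA factor policy is not active');
  return out;
}

// Reads the same inputs from the instance (only callable in a server-side script).
function collectFromInstance(userName, policySysId) {
  var u = new GlideRecord('sys_user');
  if (!u.get('user_name', userName)) return null;
  var p = new GlideRecord('sys_authentication_policy');
  var props = {};
  props[EMAIL_PROP] = gs.getProperty(EMAIL_PROP, 'false');
  props[ADAPTIVE_PROP] = gs.getProperty(ADAPTIVE_PROP, 'false');
  return {
    user: { email: u.getValue('email'), notification: u.getValue('notification') },
    props: props,
    policy: p.get(policySysId) ? { active: p.getValue('active') } : null
  };
}

// Runs only where the Glide API exists, e.g. Scripts - Background.
if (typeof GlideRecord !== 'undefined') {
  var d = collectFromInstance('REPLACE_WITH_USER_NAME', 'REPLACE_WITH_POLICY_SYS_ID');
  gs.info(d ? JSON.stringify(emailMfaBlockers(d.user, d.props, d.policy)) : 'user not found');
}

// Constructed sample: everything is set except user-level notifications.
var SAMPLE_USER = { email: 'user@example.com', notification: '1' };
var SAMPLE_PROPS = {};
SAMPLE_PROPS[EMAIL_PROP] = 'true';
SAMPLE_PROPS[ADAPTIVE_PROP] = 'true';
var SAMPLE_POLICY = { active: '1' };
```

An empty result means all four prerequisites hold, so the remaining cause is the one the answer names: the factor policy condition evaluating to false for that user.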


6 REPLIES

Ambuj Tripathi
ServiceNow Employee

Hi @Karine_M,

The answer is in the question itself. Although the email MFA Setup option is not available in the Yokohama release, the admins can still configure the MFA Factor Policy for Email factor to enforce the Email Factor for the specific set of users.

"For some users we want to use the Email Authentication only."

For this set of users, you need to configure the above Email MFA Factor policy in such a way that the policy returns true for such users. The Email Factor policy should be set to active to be effective.

Let's understand it with an example -

I want itil role users to use email factor only.
In this case, I will create a role filter criteria with itil role (let's say - "hasITILRole"), add this filter to the above policy as policy input and set "hasITILRole = true" in the policy condition so that the policy returns true for ITIL users.

This will make sure the users who have the ITIL role will be directly taken to the validation page and they won't be shown the MFA setup page anymore.

Please let me know if you have any further questions.

Thanks!

Hi @Ambuj Tripathi,

Thanks for your answer.

In my PDI Instance, I succeeded in listing the email MFA on the first login page:

Karine_M_0-1751891588645.png

On my Company instance, the MFA context seems to be the same but I can't see the possibility to receive a code by email.

Karine_M_1-1751891900525.png

I think a configuration must not be correctly implemented but I don't see any difference between my PDI instance and my company's instance... 😢

Regards,

Karine
