How do I configure MFA to offer only Email OTP or only Auth App on first login depending on roles

markholderness
Tera Contributor

We have a use case where we want certain users to be able to use MFA only via an authentication App, whilst allowing other users to choose Email or authentication App. I have configured MFA to allow email for all users except those with the specified roles. The configuration restricts those users with the specified roles to Authentication App only. This is what we want.

However, the issue is what happens when a user restricted to Authentication App only logs in. They see the Email OTP at that point, with the option to set up their authentication App also being displayed.

As these users are restricted to using Authentication App only by the configuration, as can be validated by them initially setting up the Authentication App, I would expect that the only option they would see is the Authentication App one.
The issue is that they can opt on first login to use the Email OTP which allows them to login. However, if they logout and then log back in again they get the following screen that prevents them from logging in at all:

How do I configure the MFA options so that those users restricted, by roles, to using Authenticator App only just get the option to configure their Authentication App on first login? We also need all other users to be offered the option of Email OTP or Authentication App on first login. It would, however, be acceptable for those users to be offered just Email OTP on first login and to be able to use the Authentication App thereafter if they configure it via their user profile.


Just to be clear, the issue is only about which factor the user is offered at initial login. The configuration we have works OK as long as restricted users select Authentication App as the factor at initial login. I just need to prevent the situation of them being able to select Email OTP on first login, to prevent issues with their future logins.


1 ACCEPTED SOLUTION

Ambuj Tripathi
ServiceNow Employee

Hi @markholderness 

I believe you are on X+ releases based on the factors I see on your setup screen.

I went through your use case, we need to tweak the below OOB configurations to get this done - 

1) One set of customers to see only Email OTP. To achieve this, you need to set up the OOB MFA Factor policy available in the third tab on the MFA Context page. This factor policy is similar to the main MFA Context policy, except that, if this policy evaluates to true for the user, that user will see the Email OTP validation screen directly and no other factors will be shown to them unless they go to their profile page and set them up.

2) For the other set of customers, you want to show them the Authenticator App. For this you need to disable the new setup screen where we see all the factors, using this property - glide.auth.mfa.ui.v2.enabled = false. This property will force the users to set up MFA using the authenticator app, as that will be the only option available on the setup screen after disabling the property above. However, similar to the above, these users can also set up any other factor available in their profile page, like FIDO2.

Please let us know if this is what you were looking for and it solved your use case. Thanks!

4 REPLIES

I'm following your directions in a developer instance, but I'm not getting anywhere. I feel like I have it set up correctly, but I keep getting the normal QR code MFA setup screen once logged in.

Is there anything that has all the settings/directions for this?

Hi @Kristin Acree 

Sorry, I didn't notice your question. Can you please let me know the version of your developer instance if you are still facing the issue?

This is the reference document you may want to look at to get the idea of how to set the MFA factor policy for Email factor.

https://www.servicenow.com/docs/bundle/yokohama-platform-security/page/integrate/authentication/task...

markholderness
Tera Contributor

Thanks Ambuj, That's exactly what I needed.