
How do I configure MFA to offer only Email OTP or only Auth App on first login depending on roles

MARKHOLDERN
Tera Contributor

We have a use case where we want certain users to only be able to use MFA by an authentication App, whilst allowing other users to choose Email or authentication App. I have configured MFA to allow email for all users except those with the specified roles. The configuration restricts those users with the specified roles to Authentication App only. This is what we want.

 

However, the issue is when a user restricted to Authentication App only logs in. They see the Email OTP at that point, with the option to set up their authentication App also being displayed.

 

[Screenshot: markholderness_0-1744095295280.png]

As these users are restricted to using Authentication App only by the configuration, as can be validated by them initially setting up the Authentication App, I would expect that the only option they would see is the Authentication App one.
The issue is that they can opt on first login to use the Email OTP, which allows them to log in. However, if they log out and then log back in again they get the following screen, which prevents them from logging in at all:

[Screenshot: markholderness_1-1744095576837.png]

How do I configure the MFA options so that those users restricted, by roles, to using Authenticator App only just get the option to configure their Authentication App on first login? We also need all other users to be offered the option of Email OTP or Authentication App on first login. Although it would be acceptable for those users to be offered just Email OTP on first login and be able to use Authentication App thereafter if they configure their Authentication App via their user profile.


Just to be clear the issue is only what the user is being offered as a factor at initial login. The configuration we have works OK as long as restricted users select Authentication App as the factor at initial login. I just need to prevent the situation of them being able to select Email OTP on first login to prevent issues with their future logins.


1 ACCEPTED SOLUTION

Ambuj Tripathi
ServiceNow Employee

Hi @MARKHOLDERN 

 

I believe you are on X+ releases based on the factors I see on your setup screen.

I went through your use case, we need to tweak the below OOB configurations to get this done - 

1) One set of customers to see only Email OTP. To achieve this, you need to set up the OOB MFA Factor policy available in the third tab on the MFA Context page. This factor policy is similar to the main MFA Context policy, except that, if this policy evaluates to true for the user, that user will see the Email OTP validation screen directly and no other factors will be shown to them unless they go to their profile page and set them up.

2) For the other set of customers, you want to show them the Authenticator App. For this you need to disable the new setup screen where we see all the factors, using this property - glide.auth.mfa.ui.v2.enabled = false. This property will force the users to set up MFA using the authenticator app, as that will be the only option available on the setup screen after disabling the property above. However, similar to the above, these users can also set up any other factor available on their profile page, like FIDO2.

 

Please let us know if this is what you were looking for and it solved your use case. Thanks!


6 REPLIES

valesky
Tera Contributor

Hello, I have the same need - I want the users to have the only option of Email OTP and not the Authenticator OTP.

In the MFA context, in the tab MFA Factor policy I removed the Fido2 policy and SMS policy, and I left only the Email policy OOB, but still when the user tries to access, the prompt for the authenticator is shown.

Can you please help

Did you set the MFA Factor policy for email factor properly?
That policy should have some inputs and use those inputs to craft your condition.

For example, add input type Role Filter Criteria as has SNC internal Role.
And then create the policy condition as

       has SNC internal Role = true

 

This will evaluate the user's roles and if user has snc internal role, it would directly show them the email MFA validation page and not the TOTP one.

 

https://www.servicenow.com/docs/r/platform-security/authentication/configure-mfa-factor-policy-with-...

 

Cheers!