Use single authenticator app for MFA

SN developer3
Tera Expert

Hi,

We have enabled all MFA authentication methods. However, we want to allow only a single authenticator app (e.g., Google Authenticator) and restrict all others.

The instance is in the cloud, with no additional restrictions such as IP or network controls.

Note: we do not want to use a trusted device policy, as that is not our use case.

Any guidance would be appreciated. Thanks.


GlideFather
Tera Patron

Hi @SN developer3,


I don't think that'd be possible to enforce only one particular authenticator app...


Read this, perhaps it will move you forward: Multi-Factor Authentication (MFA) Enforcement FAQ

———
/* If my response wasn’t a total disaster ↙️ drop a Kudos or Accept as Solution ↘️ Cheers! */


Hi @GlideFather,

I have already reviewed the link you mentioned.
Is there any possibility to customize this further?

@SN developer3 I would say no. And I would discourage you from even trying it... the authenticator generates 6 digits and these are copied; there's no way to verify whether it is the Apple Passwords default app, Microsoft Authenticator, Authy, ... or any other.


EDIT: what I tried to explain is that the 6 digits will be from any supported generator...

———
/* If my response wasn’t a total disaster ↙️ drop a Kudos or Accept as Solution ↘️ Cheers! */


Ambuj Tripathi
ServiceNow Employee

Hi @SN developer3 


During the initial registration, it's the authenticator app that accepts the QR code as input, and afterwards only the TOTP is exchanged. Hence the details of the TOTP-generating app are never shared with ServiceNow, and it's not possible to identify and restrict specific authenticator apps.


Moreover, since the TOTP generation logic is publicly available and implemented/supported by all major authenticator apps, the same QR code will work with all the other TOTP authenticator apps, hence getting the details of the TOTP-generating authenticator app is not even required.


In short, this is not possible, since only a 6-digit OTP is exchanged between the app and the instance, and the generating authenticator app can't be identified or restricted through that.
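The answer above rests on how TOTP works: the enrollment QR code carries a shared secret, every app derives the same 6-digit code from it with the public RFC 6238 algorithm, and the instance only ever receives those digits. The following is an added example written for this thread, not code from ServiceNow or from any poster: a minimal RFC 6238/RFC 4226 generator and verifier plus a parser for the otpauth:// URI that an enrollment QR code encodes. The otpauth URI, account label and issuer are constructed for illustration; the test seed `12345678901234567890` is the RFC 6238 reference seed, so the codes can be checked against the RFC's published vectors.

```python
"""Added example (not ServiceNow code): why a TOTP verifier cannot tell apps apart.

An enrollment QR code is just an otpauth:// URI carrying a shared secret.  Any
app that implements RFC 6238 derives the same code from it, and the server side
sees nothing but the digits, so there is no app identity to allow-list.
"""
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed enrollment URI for illustration (this is what a TOTP QR code
# encodes); the secret is the base32 form of the RFC 6238 reference seed.
EXAMPLE_OTPAUTH_URI = (
    "otpauth://totp/ExampleIssuer:user%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleIssuer"
    "&algorithm=SHA1&digits=6&period=30"
)


def parse_otpauth(uri: str) -> dict:
    """Decode an otpauth://totp/ URI into its enrollment parameters."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    query = parse_qs(parts.query)
    secret = query["secret"][0].upper()
    secret += "=" * (-len(secret) % 8)  # restore base32 padding if it was stripped
    return {
        "label": unquote(parts.path.lstrip("/")),
        "secret": base64.b32decode(secret),
        "issuer": query.get("issuer", [""])[0],
        "algorithm": query.get("algorithm", ["SHA1"])[0].upper(),
        "digits": int(query.get("digits", ["6"])[0]),
        "period": int(query.get("period", ["30"])[0]),
    }


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter),
                      getattr(hashlib, algorithm.lower())).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, period: int = 30, digits: int = 6,
         algorithm: str = "SHA1") -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, int(at) // period, digits, algorithm)


def verify_totp(secret: bytes, code: str, at: int, period: int = 30, digits: int = 6,
                algorithm: str = "SHA1", window: int = 1) -> bool:
    """Server-side check: accept the code for the current step +/- `window` steps.

    Note what is *not* here: no app name, no device identity. The only input
    that reaches the verifier is the digit string, so any correct generator passes.
    """
    counter = int(at) // period
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + drift, digits, algorithm), code):
            return True
    return False


def two_apps_same_qr(uri: str, at: int) -> tuple:
    """Two independent generators enrolled from one QR code produce identical codes.

    Returns (code_from_app_a, code_from_app_b, accepted_by_server).
    """
    enrollment = parse_otpauth(uri)
    secret, period, digits, alg = (enrollment["secret"], enrollment["period"],
                                   enrollment["digits"], enrollment["algorithm"])
    # "App A" and "App B" only share the public algorithm and the scanned secret.
    code_a = totp(secret, at, period, digits, alg)
    code_b = hotp(secret, at // period, digits, alg)  # same math, different code path
    accepted = verify_totp(secret, code_b, at, period, digits, alg)
    return code_a, code_b, accepted


if __name__ == "__main__":
    print(two_apps_same_qr(EXAMPLE_OTPAUTH_URI, 59))  # both codes 287082, accepted True
```

Run against the RFC 6238 test vectors (SHA-1, 30-second step) the generator yields the last six digits of the published 8-digit codes, e.g. 287082 at T=59. The verifier's `window` is the only server-side knob in play: it tolerates clock drift, but nothing in the exchange carries which app computed the digits, which is exactly why an "only Google Authenticator" policy has nothing to hook onto.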