Use single authenticator app for MFA

SN developer3
Tera Expert

Hi,

We have enabled all MFA authentication methods. However, we want to allow only a single authenticator app (e.g., Google Authenticator) and restrict all others.

The instance is in the cloud, with no additional restrictions such as IP or network controls.

Note: we do not want to use a trusted device policy, as that is not our use case.

Any guidance would be appreciated. Thanks.


MaxMixali
Giga Guru

Restricting MFA to Only One Authenticator App (e.g., Google Authenticator) in ServiceNow
======================================================================================

Overview
---------
ServiceNow supports multiple MFA methods (authenticator apps, email, SMS, WebAuthn, etc.).
If you want to allow **only one authenticator app** (e.g., Google Authenticator) and disable all others, you can achieve this using built-in MFA configuration and policies.

Step 1: Review Current MFA Methods
----------------------------------
1. Navigate to: Multi-Factor Authentication > Administration > MFA Methods
2. Disable or deactivate all unwanted MFA types except “Authenticator App”:
   - Uncheck *Active* for:
     - Email
     - SMS
     - Security question
     - WebAuthn key
     - Any custom push integration
3. Keep only “Authenticator App” active.

Step 2: Control Available Registration Methods
----------------------------------------------
1. Navigate to: Multi-Factor Authentication > Policies
2. Open your active MFA policy (e.g., Default policy).
3. Under **Available Methods**, remove all methods except “Authenticator App”.
4. Save and publish the policy.

Step 3: Enforce MFA for Specific Roles or Users
-----------------------------------------------
1. Navigate to: Multi-Factor Authentication > Enrollments
2. Define which users or groups require MFA.
3. Verify users are prompted only for the Authenticator App during enrollment.

Step 4: Disable Trusted Devices and Backup Methods
--------------------------------------------------
1. Navigate to: Multi-Factor Authentication > Properties
2. Set:
   - mfa.trusted_device.enabled = false
   - mfa.allow_backup_methods = false

Step 5: Limiting to Google Authenticator
----------------------------------------
ServiceNow cannot distinguish between different TOTP-based apps (Google, Microsoft, Authy, etc.) because they all use the same standard (RFC 6238).
However, you can guide users to use only Google Authenticator by:
- Adding a note on the MFA enrollment UI: “Use only Google Authenticator.”
- Disabling push-based or custom MFA integrations.

If you need strict enforcement of app usage, this must be handled via your **Identity Provider (IdP)** (e.g., Okta, Azure AD, Ping) with MDM controls.

Summary Table
--------------
| Control Area | Action | Purpose |
|---------------|--------|----------|
| MFA Methods | Deactivate all except Authenticator App | Restrict available MFA options |
| MFA Policy | Include only Authenticator App | Control enrollment methods |
| Properties | Disable trusted devices & backups | Prevent alternate paths |
| Enrollment UI | Add user guidance for Google Authenticator | Ensure consistency |
| IdP Integration | Enforce via enterprise SSO | Enforce app-specific usage |

Recommendation
---------------
The tightest possible control within ServiceNow is to:
- Keep only the “Authenticator App” method active.
- Disable all backup and trusted device options.
- Add clear user guidance for using Google Authenticator.
- Optionally, enforce this at the IdP level for stronger compliance.
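The point made in Step 5 of the reply above (the server cannot tell Google Authenticator apart from any other RFC 6238 app) is easiest to see from the verification side. The following is an added example, not code from the reply author or from ServiceNow: a minimal HOTP/TOTP implementation (RFC 4226 and RFC 6238) with the standard `otpauth://` provisioning URI and a server-side verifier. The secret is the RFC test vector, used here only as constructed sample input; the issuer and account names in the `__main__` block are placeholders. Every input the verifier receives is the shared secret, the current time step and a six-digit code, so the generating app never enters into the decision.

```python
"""Minimal RFC 4226 (HOTP) / RFC 6238 (TOTP) implementation (added example).

Shows why a TOTP-verifying server cannot tell which authenticator app produced
a code: every standards-based app derives the same value from the shared
secret and the current 30-second time step.
"""
import base64
import hashlib
import hmac
import struct
import urllib.parse

# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
# Constructed sample input for the example; never use a fixed secret in practice.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def provisioning_uri(issuer: str, account: str, secret: bytes) -> str:
    """Key URI (otpauth://) that any standards-based authenticator app can enrol from.

    Nothing in the URI names or binds a specific app, which is why enrolment
    cannot be restricted to one TOTP app at this layer.
    """
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode(
        {"secret": b32, "issuer": issuer, "algorithm": "SHA1", "digits": 6, "period": 30}
    )
    return f"otpauth://totp/{label}?{query}"


def verify_totp(secret, code, unix_time, last_counter=None, window=1, step=30, digits=6):
    """Server-side check. Returns the matched time-step counter, or None on failure.

    - Accepts +/- `window` steps of clock drift.
    - Rejects any counter <= last_counter so a code cannot be replayed inside its
      step (RFC 6238 section 5.2); the caller persists the returned counter per user.
    - Compares the code in constant time.
    The only inputs are secret, time and code; which app produced the code is unknown.
    """
    if not (isinstance(code, str) and code.isdigit() and len(code) == digits):
        return None
    current = unix_time // step
    for drift in range(-window, window + 1):
        counter = current + drift
        if last_counter is not None and counter <= last_counter:
            continue  # already consumed: replay protection
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


if __name__ == "__main__":
    # Placeholder issuer/account; the URI would be rendered as the enrolment QR code.
    t = 1111111109
    print("enrol with:", provisioning_uri("ExampleCorp", "alice@example.com", RFC_TEST_SECRET))
    print("code at", t, "=", totp(RFC_TEST_SECRET, t))
    print("accepted counter:", verify_totp(RFC_TEST_SECRET, totp(RFC_TEST_SECRET, t), t))
```

Two practical consequences follow from the code: because the verifier sees only the secret, the time and the code, the "Google Authenticator only" requirement can be stated in enrolment guidance but not enforced by the TOTP check itself, and the replay guard (`last_counter`) is the server-side control that actually matters, since it stops a code observed once from being accepted a second time within its window.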