
Use single authenticator app for MFA

SN developer3
Tera Expert

Hi,

We have enabled all MFA authentication methods. However, we want to allow only a single authenticator app (e.g., Google Authenticator) and restrict all others.

The instance is in the cloud, with no additional restrictions such as IP or network controls.

Note: we do not want to use a trusted device policy, as that is not our use case.

Any guidance would be appreciated. Thanks.


MaxMixali
Kilo Sage

Restricting MFA to Only One Authenticator App (e.g., Google Authenticator) in ServiceNow
======================================================================================

Overview
---------
ServiceNow supports multiple MFA methods (authenticator apps, email, SMS, WebAuthn, etc.).
If you want to allow **only one authenticator app** (e.g., Google Authenticator) and disable all others, you can achieve this using built-in MFA configuration and policies.

Step 1: Review Current MFA Methods
----------------------------------
1. Navigate to: Multi-Factor Authentication > Administration > MFA Methods
2. Disable or deactivate all unwanted MFA types except “Authenticator App”:
   - Uncheck *Active* for:
     - Email
     - SMS
     - Security question
     - WebAuthn key
     - Any custom push integration
3. Keep only “Authenticator App” active.

Step 2: Control Available Registration Methods
----------------------------------------------
1. Navigate to: Multi-Factor Authentication > Policies
2. Open your active MFA policy (e.g., Default policy).
3. Under **Available Methods**, remove all methods except “Authenticator App”.
4. Save and publish the policy.

Step 3: Enforce MFA for Specific Roles or Users
-----------------------------------------------
1. Navigate to: Multi-Factor Authentication > Enrollments
2. Define which users or groups require MFA.
3. Verify users are prompted only for the Authenticator App during enrollment.

Step 4: Disable Trusted Devices and Backup Methods
--------------------------------------------------
1. Navigate to: Multi-Factor Authentication > Properties
2. Set:
   - mfa.trusted_device.enabled = false
   - mfa.allow_backup_methods = false

Step 5: Limiting to Google Authenticator
----------------------------------------
ServiceNow cannot distinguish between different TOTP-based apps (Google, Microsoft, Authy, etc.) because they all use the same standard (RFC 6238).
However, you can guide users to use only Google Authenticator by:
- Adding a note on the MFA enrollment UI: “Use only Google Authenticator.”
- Disabling push-based or custom MFA integrations.

If you need strict enforcement of app usage, this must be handled via your **Identity Provider (IdP)** (e.g., Okta, Azure AD, Ping) with MDM controls.

Summary Table
--------------
| Control Area | Action | Purpose |
|---------------|--------|----------|
| MFA Methods | Deactivate all except Authenticator App | Restrict available MFA options |
| MFA Policy | Include only Authenticator App | Control enrollment methods |
| Properties | Disable trusted devices & backups | Prevent alternate paths |
| Enrollment UI | Add user guidance for Google Authenticator | Ensure consistency |
| IdP Integration | Enforce via enterprise SSO | Enforce app-specific usage |

Recommendation
---------------
The tightest possible control within ServiceNow is to:
- Keep only the “Authenticator App” method active.
- Disable all backup and trusted device options.
- Add clear user guidance for using Google Authenticator.
- Optionally, enforce this at the IdP level for stronger compliance.
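Added example, not code from the original post or from ServiceNow, illustrating the point made in Step 5: an RFC 6238 TOTP code depends only on the shared secret and the current 30-second time step, so every compliant app (Google Authenticator, Microsoft Authenticator, Authy, ...) produces the identical code and the verifying server has no way to tell which app generated it. The secret is the RFC 6238 test key, and `verify_totp` with its drift window is an assumed generic verifier, not ServiceNow's implementation.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret (the RFC 6238 test key b"12345678901234567890" in
# base32). A real enrollment secret is generated by the server and handed to
# the user as a QR code; whichever app scans it holds the same bytes.
DEMO_SECRET_BASE32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, then dynamic
    truncation to a 31-bit integer, then the last `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_base32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    No app identifier enters the computation, only secret and time."""
    key = base64.b32decode(secret_base32, casefold=True)
    return hotp(key, unix_time // step, digits)


def verify_totp(secret_base32: str, submitted: str, unix_time: int,
                window: int = 1, step: int = 30) -> bool:
    """Assumed server-side check: accept the code for the current step or
    +/- `window` steps to tolerate clock drift between app and server.
    Uses a constant-time comparison so timing does not leak digit matches."""
    for drift in range(-window, window + 1):
        candidate = totp(secret_base32, unix_time + drift * step, step)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    # Same secret and time -> same code, whatever app "generated" it.
    print("code now:", totp(DEMO_SECRET_BASE32, now))
    print("accepted:", verify_totp(DEMO_SECRET_BASE32, totp(DEMO_SECRET_BASE32, now), now))
```

The 8-digit values for the RFC test key at T=59 and T=1234567890 match the vectors published in RFC 6238 Appendix B, which is the check to run against any app you are evaluating.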