Email OTP MFA Using a Mobile Device

nmaneely

I am playing with enabling Email OTP as the only MFA method for 'new hires' who utilise a local user account until they become an employee and then use SSO from their corporate account. 
While I have been able to set up the Email OTP MFA Context, the user experience is slightly different depending on the device they are trying to log in from.

 

From a PC browser (Chrome), the user is redirected to https://<instance.name>.service-now.com/validate_multifactor_auth_code.do and is prompted to enter the 6-digit code that has been emailed to the email address in their User record. Once the code is entered, the user is successfully logged in.


Using the same User record, but using a browser (Chrome / Safari) on a mobile device (iPhone), the user is redirected to https://<instance.name>.service-now.com/$m.do#/login/mfa and is requested to enter a code from their authenticator app, or request the code via email.


 

If requested by email (as we are not using any authenticator apps), the code is delivered using the 'OneTimePasswordEmailNotification' Notification instead of the expected 'multifactor.otp.email.notification' Notification and the code does not work. 

 

The below System Properties have been set as follows:

  • glide.auth.mfa.ui.v2.enabled = false
  • glide.webauthn.enabled = false
  • glide.authenticate.multifactor.email.otp.enable = true

 

How do I enforce the same user experience irrespective of the device they are using to log in from?

 

 
