New in the ServiceNow Tokyo release for identity and authentication is the Adaptive Authentication for Trusted Mobile Apps functionality.

Introduced originally in Quebec, Adaptive Authentication caters for a way of allowing or restricting access to the ServiceNow platform for users or integrations via API both before and after authenticating, based on roles, groups or the originating IP address. In practice, this means that restricting ServiceNow instance access via the traditional IP Address Access Controls that can be applied can in effect remain for internal workloads but your customer facing portal could now be accessed from anywhere by giving those controls more granularity, that is, by user roles or group memberships.

Adaptive Authentication for Trusted Mobile Apps will allow Mobile Device Management (MDM) enrolled mobile devices to use the Now Mobile app from an network that isn’t trusted.

Adaptive authentication can be configured to trust a particular Now Mobile app via a filter as an Adaptive Authentication Policy which when the app attempts to communicate with your ServiceNow instance, it confirms the linkage between the user account and the trusted Now Mobile app. All of the available Now Mobile login methods are supported (Username/Password, SAML, OIDC, and MFA) with this feature.

Importantly, to allay the fears of your IT security team, there are a whole suite of controls, events and metrics in support of this new functionality. The total allowed registered device count can be restricted, end users that change device can require re-registration of their new device, and standard security logging events are captured, such as signature failures, cookie validation failures and invalid tokens. Plus adaptive authentication metrics can be viewed directly within the platform in the Instance Security Center including Policy Results Rates, Denied IP Addresses, Authentication User Logins, and API User Logins - and of course all of these can be sent to their SIEM.