How to show only Email MFA Option to Users In Yokohama
4 weeks ago
Hi All,
We're going to be upgrading to Yokohama next month and I am starting to prep for mandatory MFA with this release. At my organization, we serve two distinct user bases: internal customers who sign in with SSO, and outside customers who use local accounts we set up for them. Based on what I've read, mandatory MFA is applied to local accounts but will not be applied to users logging in with SSO. I am concerned about our outside customers getting prompted to set up MFA and the large support load this could generate...
To minimize confusion after the release, I want to offer only the email OTP option for our outside customers. These outside customers are non-role'd local accounts and basically use ServiceNow to report errors to us, so I am not concerned about them only having email for MFA. (The fewer the choices the better, if you get my drift :).
Is there any way I can configure MFA in Yokohama to only show the email option for these non-role'd local users when they get the MFA setup screen when logging into the portal?
(Note: my plan is to set the glide.authenticate.multifactor.self_enrolment_period system property to 0 to force the users to set up MFA on first logon after the upgrade.) Attached below is a screenshot of what I want to customize: I only want to show the highlighted email option on the MFA setup for these users. I've looked through the documentation and I could not see how this is done.
Thanks in advance for any guidance and assistance.
-Chris
4 weeks ago
Hi @Chris Dea1,
**Step 1: Use an MFA Factor Policy**
Navigate to Multi-Factor Authentication > MFA Context.
In the third tab (Factor Policies), create a policy that applies only to your local user group (e.g., users without the snc_external role or with certain email domains).
Configure the policy rule to evaluate only for those users (e.g., using a condition like user.role != 'snc_external' or user.email END_WITH '@yourdomain.com'). If this policy is true for the user, they are directed straight to the Email OTP validation page, with no other MFA options displayed.
**Step 2: Optionally Disable the Multi-Option Setup Screen**
Set the property glide.auth.mfa.ui.v2.enabled = false.
This hides the multi-factor selection interface, preventing users from seeing other options, even if available later via their profile.
If you found my response helpful, please mark it as ‘Accept as Solution’ and ‘Helpful’. This helps other community members find the right answer more easily and supports the community.
Kaushal Kumar Jha - ServiceNow Consultant - Let's connect on LinkedIn: https://www.linkedin.com/in/kaushalkrjha/
4 weeks ago - last edited 4 weeks ago
Thanks for the reply, Kaushal. I did not see a way to configure a policy using conditions like you mentioned (i.e. email END_WITH '@yourdomain.com') on the "MFA Factor Policies" tab after going to Multi-Factor Authentication > MFA Context. I did find policies under Adaptive Authentication > All Policies, but there is no option to configure a policy with conditions related to user email. Screenshot of "All Policies":
And here's a screenshot showing if I create a new "Test" policy from there:
I am starting to wonder if ServiceNow does not want to allow hiding options like authenticator MFA, they only want to allow adding additional options like Email...
If I am not looking in the right places, please do share screenshots if you are able.
I also tried to set the property glide.auth.mfa.ui.v2.enabled = false, but that made it so only the authenticator option (with QR code) is shown to the user. I want to show only the Email option for a subset of users (a condition like !email.endsWith('mydomain.org')).
Thanks again for your help,
Chris
4 weeks ago - last edited 4 weeks ago
Hi @Chris Dea1
You're right on this point:
Based on what I've read mandatory MFA is applied to local accounts, but will not be applied to users logging in with SSO
For local users it is possible to remove the option to log in with MFA. If you want to know, I'll show you.
About your question…
- Log in as an Administrator, navigate to the "Multi-Factor Authentication" section, and select "Properties."
- In the MFA settings page, toggle the switch to enable Multi-Factor Authentication on your side. You can also change the properties below to customize MFA to meet your security requirements.
- Look for "Enable web authentication (FIDO2) based MFA."
- If it is true, change it to false.
This tutorial helped us with the MFA topic when we migrated to the Yokohama version; it might help you too:
https://www.reco.ai/hub/setting-up-mfa-in-servicenow
3 weeks ago
Thanks for the article, Rafael. I have been working with ServiceNow Support, but I still cannot get only the Email MFA factor to show on the "MFA Setup" screen after configuring the Policy Inputs and Policy Conditions for "Display Email OTP as an MFA Factor Policy". I configured the Policy Input for a group named "External_Customers", but if I log in as a local user belonging to that group I get all MFA options (authenticator, biometric, email). Has anyone out there had this same requirement? Basically, I want only the Email MFA factor to show on the MFA setup screen for local users.