Role based MFA only works for some users after upgrade to Yokohama

iglencross
Tera Contributor

After upgrading to Yokohama from WashingtonDC a few months ago we have noted that some people who previously used TOTP authenticators for MFA no longer have that option, but are forced to use EMAIL.

About 40% of our staff are affected, and they range in Roles from ServiceNow Admins to simple ITIL users.

I have gone through our Multi-factor Criteria which is set for Roles based MFA, and cannot see why this would occur.

iglencross_0-1752112572838.png

iglencross_1-1752112655307.png

Note that admin roles (among others) require MFA.

When I look at my profile I get Configure Multi-Factor Authentication as a related link

iglencross_2-1752112676788.png

But when another admin user looks at theirs, they get

iglencross_3-1752112676791.png

Note that Configure Multi-factor Authentication is not on the list.

BOTH THESE USERS HAVE SAME ROLES AND GROUP MEMBERSHIPS.

When second admin logs in – it forces MFA through email – with no option to set up authenticator

When first admin logs in – it uses Authenticator and was prompted to set it up upon first login

Similar issue exists for non admins:

Some ITIL users get MFA through authenticator, and get the option to Configure through their profile.  Others don’t.  It’s about a 40/60 split across all ITIL users, independent of groups and other roles.

 

Note that the users who can’t are not listed on the User Multifactor Authentications list. Only people who use Authenticator app are on the list.

4 REPLIES

SANDEEP DUTTA
Tera Patron

@iglencross ,

This has to go for a Support case with ServiceNow. They can check at their end.

Thanks,
Sandeep Dutta

Please mark the answer correct & Helpful, if I could help you.

Thanks. I have already logged one. And am still waiting for a phone call.

I was just hoping that someone out there had already had the same issue resolved by a simple tweak of a sys_properties record or something similar.

DK3
Tera Contributor

@iglencross ,

Thanks for the heads-up.
We’re moving to Yokohama tonight and all ITIL users and no role users sign in through Azure AD SSO (navpage.do).
I as an Admin sometimes use login.do.

Did Support give you a fix for the MFA issue you came across?

Do we need to flip any ServiceNow property or any settings, before the upgrade so our ITIL users don’t get stuck?

Any tip would help—thanks!

iglencross
Tera Contributor

As far as I can tell you should be fine.

The transition to the "new MFA" was seamless during the upgrade, and all my other contacts who have done the same upgrade did not experience what we are.  The big difference is that we are not SSO, while everyone else who I have talked to is.

And Support haven't got me a fix yet.