Multi-factor Authentication enforcement
Enforcement of MFA for non-SSO logins to ServiceNow from the Yokohama release.
MFA enhances security by requiring users to provide two or more evidence to prove their identity during login. MFA protects accounts from threats like phishing and account takeovers.
MFA being a critical security tool against various identity takeover-related attacks. ServiceNow enforces MFA by default post-Yokohama upgrade and making it mandatory for non-SSO log ins (users performing login with only username and password or LDAP based authentication) to ensure a better security posture and reduce the risk of breaches.
MFA enforcement is carried though a MFA policy that is activated by default from Yokohama or upgrade to Yokohama.
- The policy is enabled for all non-snc_external users performing local (username and password) or LDAP based authentication.
- The instance admin can modify the enforcement scope by changing the MFA context policy, policy criteria, or policy conditions.
Here's more details about MFA enforcement:
- Enforced to all production and non-production instances.
- Enforced to all the non-snc_external users and non-SSO login.
- Integration with Basic auth and OAuth resource owner password credential grant does not require MFA from Yokohama.
To know more about the changes due to enforcement, see Changes due to the Multi-factor Authentication enforcement.
To know more about MFA, see Exploring Multi-factor Authentication.