Exploring Multi-factor Authentication
Multi-factor Authentication (MFA) is an authentication method that requires users to provide information other than their basic credentials.
MFA is a security process that requires a user to provide two or more different verification factors to access a service or account. It adds a layer of protection to your service beyond just a password, which makes it harder for unauthorized individuals to gain access.
By requiring multiple factors, MFA significantly enhances security and helps protect against various cyberthreats, including phishing and identity theft. Here is how MFA works:
- First factor: The user logs in with their user name and password.
- Second factor: The user is prompted for a second factor that is in their possession (an identity verification method such as an authenticator app or security key).
Further, these factors can typically be categorized as secured or less-secured based on their level of protection against common security threats.
- Secured Factors:
  - FIDO (Fast Identity Online): This factor uses hardware tokens or biometric authentication methods, providing a high level of security by confirming that the user holds a physical device or possesses a unique biometric trait.
  - TOTP (Time-Based One-time Password): This factor generates a one-time password that is valid for a short period, usually 30 seconds. It is typically delivered through a mobile app, adding an extra layer of security by requiring the user to have access to a specific device and app.
- Less-Secured Factors:
  - EMAIL: This factor sends a verification code or link to the user's email address. While convenient, it is less secure because email accounts can be compromised.
  - SMS: This factor sends a verification code via text message to the user's phone number. It is also less secure due to the potential for SIM swapping and other mobile phone vulnerabilities.
To enhance security, it’s recommended to prioritize the use of secured factors like FIDO and TOTP over less-secured factors like EMAIL and SMS.
- MFA is activated by default on ServiceNow.
- MFA is enabled using the glide.authenticate.multifactor property. To disable this property, you must provide a business justification for why you want to disable MFA.
ServiceNow supports the following verification methods:
- Authenticator App: Apps that generate unique, temporary verification codes. For example: Okta, Google Authenticator, Microsoft Authenticator, and so on.
- FIDO2: Physical devices that use public-key cryptography to validate user identities. For example: hardware keys (YubiKey), biometric scanners (Apple's Touch ID).
- Passkey: Log in with a passkey by unlocking the device with a biometric sensor, PIN, or pattern.
- OTP: Uses a secret key and the current time to generate a unique password that is only valid for a short period. For example: SMS (OTP) and Email (OTP).
You can use MFA along with the following:
- Local Database Authentication (native ServiceNow authentication) or Lightweight Directory Access Protocol (LDAP) integration
- SSO SAML or SSO OIDC. For more information, see Multi-Provider single sign-on (SSO).