MFA enforcement timeline

  • Release version: Australia
  • Updated March 12, 2026
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of MFA Enforcement Timeline

    The MFA enforcement timeline outlines the requirements and settings for multi-factor authentication (MFA) for eligible users following the Yokohama release and later. It is crucial for enhancing security by ensuring all internal users complete MFA setup within specified timeframes.

    Show full answer Show less

    Key Features

    • Self-enrollment Period: Eligible users have a default 30-day self-enrollment period to complete MFA setup after their first successful login. This can be adjusted up to a maximum of 90 days.
    • MFA Enforcement: After 90 days post-upgrade, internal users must use MFA immediately upon their first login without a self-enrollment window.
    • Admin Control: Admins can adjust the self-enrollment period and enforcement relaxation period using specific system properties.
    • User Notifications: End users will receive a message upon login to inform them of the MFA requirement, which can be turned off by admins if desired.

    Key Outcomes

    By implementing MFA, organizations can significantly improve security for internal users. Admins have the flexibility to customize the enrollment period and manage user notifications, ensuring a smooth transition to MFA compliance. Users will be informed clearly about their obligations, enhancing overall security awareness.

    FAQ related to MFA enforcement timelines and why it’s important.

    1. When is MFA enforced?

      According to the MFA policy, eligible users who haven’t completed the MFA setup has a 30-day self-enrollment period. The behavior is controlled using the system property glide.authenticate.multifactor.self_enrolment_period. The property's default value is 30 days. It can be updated to a maximum of 90 days.

      All internal users (users who don’t have a snc_external role) logging in with local or LDAP authentication must set up MFA within 30 days of their first successful login. During this time, you can log in normally but see a message at the time of login to enroll in MFA.

      Enrollment message

      After 90 days of upgrading to Yokohama or a later release, if an internal user (user without the snc_external role) logs in with local or LDAP authentication for the first time, they’ll be required to use MFA immediately. You don't have the 30-day MFA self-enrollment window. This period is governed by a system property: glide.authenticate.multifactor.enforcement.max_relaxation_period. The maximum value for this property is 270 days.

    2. How can the MFA enforcement timeline adjusted?
      • By updating the value of the property glide.authenticate.multifactor.self_enrolment_period, admins can provide a smaller or larger self-enrollment window. Set the property value to 0. The users are required to complete the MFA setup after their first login attempt with local or LDAP login after upgrading to Yokohama or a later release. The maximum duration of the self-enrollment window can be 90 days. Property value set higher than 90 will be treated as 90.
      • By updating the value of the property glide.authenticate.multifactor.enforcement.max_relaxation_period admin can decide how many days post upgrade to the Yokohama or a later release you get the MFA self-enrollment window.
    3. How are end users informed about this upcoming change?

      End users performing local or LDAP authentication who will be enforced with MFA will see an information message after logging in. The same message is available when users visit their profile.

      Table 1. Enforcement Message
      On the User Profile On Employee Service Center
      Message on the User Profile Message on the Employee Center

      This message won’t appear for non-admin users performing SSO logins. The admin role will see a different information message after a successful login irrespective of the authentication method used for logging in.

      Message for Admin

      This message continues to be displayed until one of the admins acknowledges the update by setting the glide.authenticate.multifactor.enforcement.acknowledged property value to true.

      Glide Property to turn off the message
    4. How to turn off the message displayed to end users about completing the MFA setup when they log in?

      Admins can update the value of the glide.authenticate.multifactor.enforcement.show_user_info_message system property to false to turn off the MFA enrollment information message shown to end users after login.

    5. How to turn off the message displayed to administrators about the MFA enforcement?

      The information message regarding MFA enforcement shown to admin users after login, stops appearing when one of the admins acknowledges it by updating the value of the glide.authenticate.multifactor.enforcement.acknowledged system property to true.

    6. There's already an MFA policy defined using adaptive authentication based on the security needs of my organization in the instance. Is the policy impacted by the mandate?

      No, if the instance already has an active Adaptive authentication—MFA context policy, the new default secure MFA policy isn’t enforced. If the instance had MFA property enabled (glide.authenticate.multifactor) but the MFA policy wasn’t active, then the default secure MFA policy for enforcing MFA for all internal users (users who don’t have snc_external role) performing user name and password-based local or LDAP login is enabled.