MFA enforcement requirements – What and Why

  • Release version: Australia
  • Updated March 12, 2026

    FAQ related to MFA enforcement and why it’s important.

    1. What is MFA?

      Multi-factor Authentication (MFA) is a security process that requires you to provide two or more forms of verification before you can access an account or system. To learn more, see Exploring Multi-factor Authentication.

    2. Why is MFA enforcement mandated?

      MFA is mandated to protect your account and data security. Cyberthreats are ever-changing, and passwords alone no longer provide sufficient protection against unauthorized access.

      • With MFA enabled, even if attackers have your password, they still need a second form of verification. This additional layer blocks most unauthorized attempts, keeping your information more secure.
      • Setting MFA as the default minimizes the risk of security breaches and safeguards your account automatically. This means you get enhanced peace of mind without having to make any extra security decisions.
    3. Why is it important to enable MFA?

      Enabling MFA boosts your account security. Passwords alone aren't enough because passwords can be exposed in data breaches. With MFA, even if someone knows your password, they can't access your account without a second verification step.

    4. Why does ServiceNow require MFA?

      ServiceNow is mandating MFA to protect you from these threats. It's a simple yet effective way to reduce unauthorized access. Requiring MFA adds a strong layer of protection to every account, reducing security risks for you and all users.

    5. What is the MFA requirement for existing customers?

      For existing customers upgrading their instance to the Yokohama or a later release:

      • If the instance doesn’t already have the Adaptive Authentication Multi-factor Authentication context turned on, it’s automatically enabled as a default MFA policy.
      • All internal users (users who don’t have the snc_external role) logging in with local or LDAP authentication must set up MFA within 30 days of their first successful login. During this time, you can log in normally but see a message at the time of login to enroll in MFA.
      • After 30 days, MFA will be required by default, and users won’t be able to log in without completing the MFA setup.
    6. What is the MFA requirement for new customers?

      For any instance using the Yokohama release or later, MFA is enabled by default for all internal users. It also applies to users who don’t have the snc_external role and are logging in with local or LDAP authentication. From the first login, users are required to set up and use MFA.