MFA enforcement scope
Starting with the Yokohama release, ServiceNow enforces a default secure multi-factor authentication (MFA) policy to enhance login security across customer instances. This enforcement applies broadly to user types, login methods, and environments, with some configurable exceptions. Understanding the MFA enforcement scope helps ensure compliance, security, and smooth user access.
Key Features
- Users requiring MFA: All users except those with the snc_external role, covering local username/password and LDAP authentications.
- SSO logins: MFA is not required for Single Sign-On (SAML, OIDC, Certificate Based Authentication) by default. Customers can enforce MFA at their Identity Provider (IdP) or enable ServiceNow platform MFA for SSO as needed.
- External users: By default, external users (snc_external role) are exempt from MFA unless admins modify the policy to require it. External users already using MFA retain it and can self-enroll.
- Mobile app logins: MFA is enforced for username/password based logins on both web and mobile platforms.
- Environment scope: MFA applies to all customer instances, including production, subproduction, test, and developer instances on Yokohama or later releases without prior active MFA policies.
- API authentication: MFA is not required for API calls using basic authentication. Instead, customers are encouraged to use more secure methods such as OAuth or mTLS. MFA can be enforced for API authentication by enabling a specific system property.
- Clone setup and update set retrieval: These processes continue to work with username/password authentication without requiring MFA.
- RPA bots: Bots using interactive username/password logins must perform MFA. Admins can exempt RPA bot accounts by adding them to an MFA Exempted User Group.
- OAuth integrations: The OAuth Resource Owner Password Credential (ROPC) flow does not require MFA; however, the Authorization Code Grant flow requires MFA during user login before OAuth consent.
Key Outcomes
- Improved security by enforcing MFA on critical login paths and user types.
- Flexible policy management allowing admins to tailor MFA enforcement to organizational needs, including exceptions for external users and automation bots.
- Seamless integration with existing authentication methods like SSO and APIs without disrupting workflows.
- Consistent MFA coverage across all environments—production, development, and test—strengthening overall security posture.
- Clear guidance on enabling MFA for various authentication flows and understanding when MFA is required or exempted.
FAQ related to MFA enforcement scope and why it’s important.
- Which user, login, and environment types require MFA?
From the Yokohama release onwards, the new default secure MFA policy enforces MFA in the following scenarios:
- All users except those having the snc_external role.
- All users performing username and password based local or Lightweight Directory Access Protocol (LDAP) authentication.
- All customer instances, including production, subprod, and test instances, that didn't already have an active MFA policy before the upgrade.
The instance admin can modify the enforcement scope by changing the MFA context policy, policy criteria, or policy conditions.
- Is MFA required for Single-Sign-On (SSO) logins?
No. With the default secure MFA policy, MFA isn’t required for SSO (SAML, OIDC, Certificate Based Authentication) login.
Customers can collaborate with their Single Sign-On (SSO) provider (Identity Provider, or IdP) to enforce Multi-factor Authentication (MFA) on the IdP side. If enforcing MFA on the IdP side isn't feasible, customers also have the option to enable the ServiceNow platform's MFA for SSO logins by following the instructions provided in Multi-factor Authentication with Single Sign-On.
- Is MFA required for external users?
No. With the default secure MFA policy, MFA isn’t required for users having the snc_external role.
- Admins can modify this behavior and enforce MFA for external users by updating the MFA policy conditions.
- External users who were already undergoing MFA before the upgrade to Yokohama or a later release continue to have MFA.
- External users can visit their profile and self-enroll for MFA.
- Is MFA required for Mobile App login?
Yes. The MFA policy is applied to both web and mobile app logins that use username and password based non-SSO login.
- Is MFA required for non-production and test environments?
Yes. MFA is enforced for all customer instances, including production, non-production, dev, and test environments, if no active MFA policy existed on the instance before upgrading to Yokohama or a later version.
- Is MFA required for developer instances?
Yes. MFA is enforced for all developer instances that are on Yokohama or later release versions.
- Is MFA required for API authentication?
No. From Yokohama or a later release, MFA is only required for username and password based interactive user logins. This means API authentication with basic auth works without requiring MFA. Customers are recommended to use alternative secure API authentication methods such as OAuth or mTLS. More details here.
  - Clone
  - Update set retrieval
  - RPA
Note: To enforce MFA for API authentication, set the glide.authenticate.multifactor.for_integrations system property to true. MFA is then enforced only for users who have already enrolled in MFA; users who have not enrolled are not affected.
- Is there any impact on the clone setup process due to MFA?
No, the clone setup process continues to work with user name and password and doesn't require MFA.
- Is there any impact on the update set retrieval due to MFA?
No, the update set retrieval continues to work with user name and password and doesn't require MFA.
- Has there been any impact on RPA bots accessing ServiceNow instances?
Yes, if the RPA bot uses the interactive user name and password login to access the ServiceNow instance, it must perform MFA. Admins can add RPA bot accounts to the MFA Exempted User Group if they want to relax MFA for RPA bot accounts.
- Is MFA required for the OAuth-based integrations?
The OAuth Resource Owner Password Credential (ROPC) flow works with username and password without requiring MFA. For the Authorization Code grant type, MFA is required as part of the user login flow before the OAuth consent is given.
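As an added illustration, not ServiceNow's own code: the enforcement rules from this FAQ collapsed into one decision function, so an admin can check which login path will prompt for MFA before changing policy conditions. Only the system property name comes from the page; platformMfaForSso, enforceForExternal and exemptGroupMember are constructed stand-ins for the admin changes the page describes (enabling platform MFA for SSO, extending the policy to external users, and membership in the MFA Exempted User Group).

```javascript
// Added example, not ServiceNow code: a decision model of the default secure
// MFA policy described on this page. The property name is from the page; the
// other policy knobs are constructed stand-ins, not real ServiceNow properties.

const MFA_FOR_INTEGRATIONS_PROP = 'glide.authenticate.multifactor.for_integrations';

// Paths that present a username/password but are not interactive logins.
const NON_INTERACTIVE = ['api_basic', 'clone', 'update_set', 'oauth_ropc'];

// login: { kind: 'local'|'ldap'|'sso'|'api_basic'|'oauth_ropc'|'oauth_authcode'|'clone'|'update_set', channel: 'web'|'mobile' }
// user:  { roles: string[], mfaEnrolled: boolean, exemptGroupMember: boolean }
// props: { [MFA_FOR_INTEGRATIONS_PROP]: 'true'|'false', platformMfaForSso: boolean, enforceForExternal: boolean }
function mfaRequired(login, user, props) {
  // Accounts an admin placed in the MFA Exempted User Group (e.g. RPA bots) never prompt.
  if (user.exemptGroupMember) return false;

  if (NON_INTERACTIVE.includes(login.kind)) {
    // Clone, update set retrieval and OAuth ROPC keep working without MFA.
    // Basic-auth API calls can be opted in via the system property, and even
    // then only users who have already enrolled in MFA are affected.
    return login.kind === 'api_basic'
      && props[MFA_FOR_INTEGRATIONS_PROP] === 'true'
      && user.mfaEnrolled === true;
  }

  // SSO (SAML, OIDC, certificate): MFA is left to the IdP unless platform MFA for SSO is enabled.
  if (login.kind === 'sso') return props.platformMfaForSso === true;

  // Interactive username/password paths (local, LDAP, OAuth authorization code),
  // on web and mobile alike (login.channel does not change the outcome).
  // External users are exempt by default, but keep MFA if already enrolled
  // or if the admin extended the policy conditions to them.
  if (user.roles.includes('snc_external')) {
    return props.enforceForExternal === true || user.mfaEnrolled === true;
  }
  return true;
}
```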