Configuring MFA, supported methods, and workflow

  • Release version: Washingtondc
  • Updated February 1, 2024

    MFA, also known as two-step verification, is a security control that requires users to enter more than one set of credentials to access an instance.

    The basic level of authentication to an instance is local database authentication, where a user enters a user name and password combination. MFA gives administrators and users the ability to require a second level of authentication. This second authentication can be:
    • A passcode from an authenticator app
    • A hardware key
    • A biometric authenticator, such as a fingerprint reader or facial recognition
    • An SMS or email one-time password

    MFA Options

    As an administrator, you can require MFA for individual users or all users in a specific role. You can also enable your users to opt in and use MFA.

    Activation

    The Integration - Multifactor Authentication (com.snc.integration.multifactor.authentication) plugin is installed by default on your instance but must be enabled by an administrator using a system property. For details, see Multi-factor authentication system properties.

    Note:
    After cloning an instance, you must re-enable MFA on the cloned instance. For more information, refer to these KB articles: KB0657100, KB0860689, KB0825390, KB0779908, KB0717367, KB0727991.

    Supported authentication methods

    You can use MFA with the following authentication methods:
    • Local database authentication
    • LDAP
    • SSO
    • SAML
    • OIDC

    Note:
    Users must set up an authenticator application before configuring a hardware key or biometric authenticator. For details on setting up an authenticator application, see Setup multi-factor authentication on your user profile.

    Multi-factor authentication set up workflow

    Administrator enables multi-factor authentication

    The Integration - Multifactor Authentication (com.snc.integration.multifactor.authentication) plugin is activated on your instance by default. To begin using MFA, administrators must enable MFA using a system property. Once enabled, administrators select users or roles that require MFA logins.

    For more detail on administrator set up for MFA, see Multi-factor authentication (MFA).

    Users log in using an authentication app

    Your users are prompted to use an authenticator app the first time they log in. This step is necessary even if your users are going to use biometrics or a hardware key. Users logging in see a QR code that they can scan to quickly set up an authenticator app. This initial login process is detailed in Setup multi-factor authentication on your user profile.

    Authentication apps are available as mobile applications. Some authentication apps are available as extensions for desktop browsers for users who do not have access to a mobile device.
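    The authenticator-app step above is the standard time-based one-time password scheme (TOTP, RFC 6238): the QR code shown at first login encodes an otpauth:// URI carrying a per-user shared secret, and every six-digit passcode is an HMAC over the current 30-second time step, so the app and the instance agree on the code without the app ever contacting the instance. The following Python is an added illustration of that mechanism, not ServiceNow's code. The secret is the RFC 6238 test-vector key used as a constructed sample, the issuer and account name are assumed display values, and the clock-skew window and replay check are common practice rather than anything this page specifies.

```python
import base64
import hashlib
import hmac
import struct
import urllib.parse
from typing import Optional, Tuple

# Constructed sample secret: the 20-byte RFC 6238 test-vector key. A real
# enrollment generates one per user with secrets.token_bytes(20), stores it
# server-side, and shows it exactly once, inside the QR code.
SAMPLE_SECRET = b"12345678901234567890"
DIGITS = 6          # passcode length
STEP_SECONDS = 30   # time step; authenticator apps default to 30 s


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """Build the otpauth:// URI that the enrollment QR code encodes (Key URI format).

    `account` and `issuer` are whatever the server chooses to display; the
    values used in the demo below are assumptions, not taken from the page.
    """
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode({
        "secret": b32, "issuer": issuer, "algorithm": "SHA1",
        "digits": DIGITS, "period": STEP_SECONDS,
    })
    return f"otpauth://totp/{label}?{query}"


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then reduction to DIGITS decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = (((mac[offset] & 0x7F) << 24)
                 | (mac[offset + 1] << 16)
                 | (mac[offset + 2] << 8)
                 | mac[offset + 3])
    return f"{truncated % (10 ** DIGITS):0{DIGITS}d}"


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // STEP_SECONDS)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_used_step: Optional[int] = None,
                skew: int = 1) -> Tuple[bool, Optional[int]]:
    """Check a submitted passcode against the current step and +/- `skew`
    neighbouring steps (tolerates clock drift between phone and server).
    A step at or before `last_used_step` is refused so an intercepted
    passcode cannot be replayed. Returns (accepted, step) so the caller can
    persist the step that was consumed."""
    current = unix_time // STEP_SECONDS
    for step in range(current - skew, current + skew + 1):
        if last_used_step is not None and step <= last_used_step:
            continue
        # constant-time comparison of the expected and submitted digits
        if hmac.compare_digest(hotp(secret, step), submitted):
            return True, step
    return False, None


if __name__ == "__main__":
    print(provisioning_uri(SAMPLE_SECRET, "alice@example.com", "ServiceNow"))
    print("passcode at T=59:", totp(SAMPLE_SECRET, 59))   # 287082 per RFC 6238
```

    The verifier accepts one step either side of the server's clock and records the step it consumed; without that record the same passcode could be accepted twice within its window. The provisioning secret is the only long-lived value in the scheme, which is why the QR code is shown once at enrollment and the secret is not re-displayed afterwards.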

    After the initial login, users may configure additional authenticators

    After the initial login, users can register hardware keys or biometric authenticators.

    For details on these and other user-side configurations for MFA, see Using Multi-factor authentication (MFA).

    Web Authentication

    Activate Integration - Web Authentication (com.snc.integration.webauthn) to allow hardware key or biometric reader authentication on your instance.

    Hardware keys

    Hardware keys are physical devices that you insert into a port on your device to authenticate. For details on registering hardware keys, see Register a hardware security key.

    Biometric authenticators

    Biometric authenticators use fingerprint or facial recognition to identify users. Your users can use these authenticators on their devices as part of the multi-factor login process. For details on registering biometric authenticators, see Register a biometric authenticator.

    SMS or Email (One-time password)

    To let users log in to a ServiceNow instance with a smoother experience while on the go, MFA also supports one-time passwords delivered by SMS or email.


    SMS

    An administrator can configure the ServiceNow instance to require an SMS-based OTP from users who attempt to log in to the instance.

    When a user attempts to log in to ServiceNow, an SMS OTP is sent to the mobile number associated with the user's sys_user record. The user enters the six-digit verification code that was sent to the mobile device to verify their identity.

    For more information, see Multi-factor authentication with SMS.


    Email

    An administrator can configure the ServiceNow instance to require an email-based OTP from users who attempt to log in to the instance.

    When a user attempts to log in to ServiceNow, an email OTP is sent to the email address associated with the user. The user enters the six-digit verification code that was sent to that address to verify their identity.

    For more information, see Multi-factor authentication with Email.
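    The SMS and email sections above describe the same server-side lifecycle: a random six-digit code is generated, delivered out of band, and then checked once against what the user types. The Python below is an added illustration of that lifecycle for both channels, not ServiceNow's implementation. The delivery callback and the in-memory store are stand-ins for the instance's notification channel and database, and the five-minute expiry and five-attempt limit are assumed policy values, not settings the page documents.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300   # assumed policy: a delivered code is valid for five minutes
MAX_ATTEMPTS = 5        # assumed policy: a code is voided after five wrong guesses


@dataclass
class PendingOtp:
    digest: bytes       # keyed hash of the code; the plaintext code is never stored
    salt: bytes
    expires_at: float
    attempts: int = 0
    consumed: bool = False


class OtpService:
    """Issue and verify one delivered OTP per user, for SMS or email alike.

    `send(destination, message)` is the delivery channel (SMS gateway or mail
    server); `now()` is injectable so expiry can be exercised in tests.
    """

    def __init__(self, send: Callable[[str, str], None],
                 now: Callable[[], float] = time.time):
        self._send = send
        self._now = now
        self._pending: Dict[str, PendingOtp] = {}

    @staticmethod
    def _digest(code: str, salt: bytes) -> bytes:
        return hmac.new(salt, code.encode(), hashlib.sha256).digest()

    def issue(self, user_id: str, destination: str) -> None:
        """Generate a CSPRNG six-digit code, deliver it, and keep only its hash.
        Re-issuing replaces any earlier pending code for the same user."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._pending[user_id] = PendingOtp(
            digest=self._digest(code, salt),
            salt=salt,
            expires_at=self._now() + OTP_TTL_SECONDS,
        )
        self._send(destination, f"Your verification code is {code}")

    def verify(self, user_id: str, submitted: str) -> Tuple[bool, str]:
        """Check a submitted code. Each code is single-use, time-limited and
        attempt-limited, so a guessed or intercepted code has a narrow window."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False, "no pending code"
        if entry.consumed:
            return False, "code already used"
        if self._now() > entry.expires_at:
            del self._pending[user_id]
            return False, "code expired"
        if entry.attempts >= MAX_ATTEMPTS:
            del self._pending[user_id]
            return False, "too many attempts"
        entry.attempts += 1
        if hmac.compare_digest(self._digest(submitted, entry.salt), entry.digest):
            entry.consumed = True
            return True, "ok"
        return False, "wrong code"


if __name__ == "__main__":
    # Constructed demo: print instead of sending, using a sample phone number.
    svc = OtpService(send=lambda dest, msg: print(f"[to {dest}] {msg}"))
    svc.issue("alice", "+1-555-0100")
    print(svc.verify("alice", "000000"))
```

    Because a six-digit code has only a million possible values, the attempt limit and short lifetime are what make guessing impractical; the hashed storage limits what a database read would expose. A delivered code still travels over a channel the server does not control, which is why the hardware-key and biometric options earlier on this page are the stronger choice where users can use them.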