Exploring Multi-factor authentication

  • Release version: Washingtondc
  • Updated February 1, 2024

    Summary of Exploring Multi-factor Authentication

    This guide provides instructions on activating and configuring Multi-factor Authentication (MFA) in ServiceNow. MFA enhances security by requiring additional verification steps beyond just username and password.


    Key Features

    • MFA Activation: Activate the Integration - Multifactor Authentication plugin. MFA is enabled by default.
    • Multi-factor Criteria: Use user-based, role-based, or adaptive authentication criteria to define who must use MFA.
      • User-based: Select individual users by updating the Enable Multifactor Authentication field on their user records.
      • Role-based: Require MFA for all users assigned to specific roles by maintaining the Role-based multi-factor authentication record.
      • Adaptive Authentication: Use authentication policies to evaluate when MFA is required based on user context.
    • MFA Methods: Users can authenticate using various methods, including authenticator apps, biometric scanners, hardware keys, SMS, and email OTPs.

    Key Outcomes

    By implementing MFA, you can significantly enhance the security of your ServiceNow instance, ensuring that only authorized users have access. Proper configuration of MFA criteria and methods helps tailor security measures to your organization's specific needs, enhancing overall protection against unauthorized access.

    Learn how to activate and configure multi-factor authentication.

    MFA activation

    Activate the Integration - Multifactor Authentication (com.snc.integration.multifactor.authentication) plugin to begin using MFA on an instance. MFA is activated by default on ServiceNow.

    Multi-factor criteria

    Use multi-factor criteria to determine which users and roles must use two-step multi-factor verification. You can use one of these criteria or a combination of them to suit your business needs.

    User-based multi-factor criteria
    Use user-based multi-factor criteria to select individual users who are required to log in using MFA. Administrators update the Enable Multifactor Authentication field on a user record to enable or disable MFA requirements for a user. For details on this process, see Configure user-based multi-factor criteria.
    Role-based multi-factor criteria
    Use role-based multi-factor criteria to require MFA login for all users assigned to a specific role. The Role-based multi-factor authentication record on the Multi-factor Criteria [multi_factor_criteria] table contains the list of roles that require an MFA login. For details on maintaining this list, see Configure role-based multi-factor criteria.
    Adaptive authentication policy-based multi-factor criteria
    Use adaptive authentication to determine when your instance requires MFA. Adaptive authentication uses authentication policies to evaluate criteria like a user's IP address or user groups. For details on the adaptive authentication feature, see Adaptive authentication.
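    The following added example (not ServiceNow code) audits how user-based and role-based criteria combine, using records exported from the instance, and flags privileged accounts that neither criterion covers. The sample data, the column name `enable_multifactor_authn`, the flattened role rows, and the rule that either criterion alone requires MFA are assumptions; adaptive authentication policies are not evaluated.

```javascript
// Added example: audit MFA coverage from exported records (all data constructed).
// Assumed export shapes: sys_user rows with user_name, active and
// enable_multifactor_authn (assumed column name behind "Enable Multifactor
// Authentication"); sys_user_has_role rows flattened to {user, role}.
const users = [
  { user_name: 'alice.admin', active: 'true',  enable_multifactor_authn: 'false' },
  { user_name: 'bob.itil',    active: 'true',  enable_multifactor_authn: 'true'  },
  { user_name: 'carol.sec',   active: 'true',  enable_multifactor_authn: 'false' },
  { user_name: 'dave.left',   active: 'false', enable_multifactor_authn: 'false' },
  { user_name: 'erin.user',   active: 'true',  enable_multifactor_authn: 'false' },
];
const userRoles = [
  { user: 'alice.admin', role: 'admin' },
  { user: 'bob.itil', role: 'itil' },
  { user: 'carol.sec', role: 'security_admin' },
  { user: 'dave.left', role: 'admin' },
];
// Roles listed on the Role-based multi-factor authentication record (constructed).
const mfaRoles = ['admin'];
// Roles this audit treats as privileged (a local policy choice, an assumption).
const privilegedRoles = ['admin', 'security_admin'];

function auditMfaCoverage(users, userRoles, mfaRoles, privilegedRoles) {
  const rolesByUser = new Map();
  for (const { user, role } of userRoles) {
    if (!rolesByUser.has(user)) rolesByUser.set(user, new Set());
    rolesByUser.get(user).add(role);
  }
  const rows = [];
  for (const u of users) {
    if (String(u.active) !== 'true') continue; // skip inactive accounts
    const roles = rolesByUser.get(u.user_name) || new Set();
    const reasons = [];
    if (String(u.enable_multifactor_authn) === 'true') reasons.push('user-based');
    const hit = mfaRoles.filter((r) => roles.has(r));
    if (hit.length) reasons.push('role-based:' + hit.join(','));
    const privileged = privilegedRoles.some((r) => roles.has(r));
    // gap: a privileged account that no user-based or role-based criterion covers
    rows.push({ user: u.user_name, required: reasons.length > 0, reasons,
      privileged, gap: privileged && reasons.length === 0 });
  }
  return rows;
}

const coverage = auditMfaCoverage(users, userRoles, mfaRoles, privilegedRoles);
console.table(coverage.map((r) => ({ ...r, reasons: r.reasons.join(' + ') })));
```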

    Multi-factor authentication methods

    Users can use the following options in addition to their user name and password to fulfill multi-factor authentication requirements.

    Authenticator applications

    An authenticator application is third-party software that generates temporary passcodes. Users can use these passcodes along with their password to log in to an instance that requires multi-factor authentication (MFA). For more detail on these applications, see Authenticator Applications.



    Biometric scanners

    Biometric authenticators use fingerprint or facial recognition to identify users. Your users can use these authenticators on their devices as part of the multi-factor login process. For details on registering biometric authenticators, see Register a biometric authenticator.



    Hardware Keys

    Hardware keys are physical hardware that you can use to authenticate. Hardware keys are inserted into a port on your device to provide authentication. For details on registering hardware keys, see Register a hardware security key.



    SMS

    Administrators can configure a ServiceNow instance to require users who attempt to log in to verify their identity with an SMS-based one-time passcode (OTP).

    When users attempt to log in to ServiceNow, an SMS OTP is sent to the mobile number associated with the sys_user record. Users enter the six-digit verification code that is sent to the mobile device to verify their identity.

    For more information, see Multi-factor authentication with SMS.



    Email

    Administrators can configure a ServiceNow instance to require users who attempt to log in to verify their identity with an email-based one-time passcode (OTP).

    When users attempt to log in to ServiceNow, an email OTP is sent to the email address of the user. Users enter the six-digit verification code that is sent to the email address to verify their identity.

    For more information, see Multi-factor authentication with Email.



    Multi-factor authentication properties

    Use multi-factor authentication properties to enable, disable, and configure MFA on your instance. For details on these properties, see Multi-factor authentication system properties.