MFA enforcement requirements – What and Why

  • Release version: Yokohama
  • Updated January 30, 2025
  • 2 minutes to read
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of MFA enforcement requirements – What and Why

    Multi-factor Authentication (MFA) is a security process requiring two or more verification methods to access an account or system, enhancing protection beyond just passwords. ServiceNow mandates MFA to protect user accounts and data from unauthorized access and evolving cyberthreats. This additional verification layer significantly reduces the risk of security breaches.


    Why MFA Matters

    • Enhanced Security: Passwords alone are vulnerable to breaches, but MFA requires a second verification step, preventing unauthorized access even if passwords are compromised.
    • Reduced Risk: Enforcing MFA minimizes security risks for all users by automatically safeguarding accounts without requiring extra security decisions from users.

    ServiceNow MFA Requirements

    • For Existing Customers Upgrading to Yokohama or Later: If MFA is not already enabled, it automatically activates as the default policy. Internal users (without the snc_external role) using local or LDAP authentication must set up MFA within 30 days of their first login. Users can log in during this period but will see an enrollment prompt. After 30 days, MFA setup is mandatory for login.
    • For New Customers on Yokohama or Later: MFA is enabled by default for all internal users (without the snc_external role) using local or LDAP authentication. Users must set up and use MFA starting from their first login.

    FAQ related to MFA enforcement and why it’s important.

    1. What is MFA?

      Multi-factor Authentication (MFA) is a security process that requires you to provide two or more forms of verification before you can access an account or system. To learn more, see Exploring Multi-factor authentication.

    2. Why is MFA enforcement mandated?

      MFA is mandated to protect your account and data security. Cyberthreats are ever-changing, and passwords alone no longer provide sufficient protection against unauthorized access.

      • With MFA enabled, even if attackers have your password, they still need a second form of verification. This additional layer blocks most unauthorized attempts, keeping your information more secure.
      • Setting MFA as the default minimizes the risk of security breaches and safeguards your account automatically. This means you get enhanced peace of mind without having to make any extra security decisions.
    3. Why is it important to enable MFA?

      Enabling MFA boosts your account security. Passwords alone aren't enough because passwords can be exposed in data breaches. With MFA, even if someone knows your password, they can't access your account without a second verification step.

    4. Why does ServiceNow require MFA?

      ServiceNow is mandating MFA to protect you from these threats. It's a simple yet effective way to reduce unauthorized access. Requiring MFA adds a strong layer of protection to every account, reducing security risks for you and all users.

    5. What is the MFA requirement for existing customers?

      For existing customers upgrading their instance to the Yokohama release or later:

      • If the instance doesn’t already have the Adaptive Authentication MFA (Multi-Factor Authentication) context turned on, it’s automatically enabled as a default MFA policy.
      • All internal users (users who don’t have the snc_external role) logging in with local or LDAP authentication must set up MFA within 30 days of their first successful login. During this time, users can log in normally but see a message at login prompting them to enroll in MFA.
      • After 30 days, MFA will be required by default, and users won’t be able to log in without completing the MFA setup.
    6. What is the MFA requirement for new customers?

      For any instance using the Yokohama release or later, MFA is enabled by default for all internal users. It also applies to users who don’t have the snc_external role and are logging in with local or LDAP authentication. From their first login, users are required to set up and use MFA.