Exploring Multi-factor Authentication

  • Release version: Zurich
  • Updated July 31, 2025

    Multi-factor Authentication (MFA) is an authentication method that requires users to provide information other than their basic credentials.

    MFA is a security process that requires a user to provide two or more different verification factors to access a service or account. It adds an extra security layer of protection to your service beyond just a password, which makes it harder for unauthorized individuals to gain access.

    By requiring multiple factors, MFA significantly enhances security and helps protect against various cyberthreats, including phishing and identity theft. Here's some insight about how MFA works:

    • First factor: The user logs in with their user name and password.
    • Second factor: The user is prompted for a second factor that is in the user's possession, such as an authenticator app or a security key.

    These factors are typically categorized as secured or less-secured based on how well they protect against common security threats.

    • Secured Factors:
      • FIDO (Fast Identity Online): This factor uses hardware tokens or biometric authentication methods, providing a high level of security by confirming that the user has a physical device or unique biometric trait to verify their identity.
      • TOTP (Time-Based One-time Password): This factor generates a one-time password that is valid for a short period, usually 30 seconds. It’s typically delivered through a mobile app, adding an extra layer of security by requiring the user to have access to a specific device and app.
    • Less-Secured Factors:
      • EMAIL: This factor sends a verification code or link to the user's email address. While convenient, it’s less secure because email accounts can be compromised.
      • SMS: This factor sends a verification code via text message to the user's phone number. It’s also less secure due to the potential for SIM swapping and other mobile phone vulnerabilities.

    To enhance security, it’s recommended to prioritize the use of secured factors like FIDO and TOTP over less-secured factors like EMAIL and SMS.

    Note:
    • MFA is activated by default on ServiceNow.
    • MFA is enabled using the glide.authenticate.multifactor property. If you want to disable this property, you must provide a business justification for why you want to disable MFA.

    MFA screen

    ServiceNow's MFA supports verification methods such as Authenticator App, Fast IDentity Online 2 (FIDO2), Passkey, and time-based One-time Password (OTP). Following are the details of available verification methods:
    • Authenticator App: Apps that generate unique, temporary verification codes. For example: Okta, Google Authenticator, Microsoft Authenticator, and so on.
    • FIDO2: Physical devices that use public-key cryptography to validate user identities. For example: Hardware Keys (YubiKey), Biometric scanners (Apple's Touch ID).
    • Passkey: Log in with a passkey by unlocking the device with a biometric sensor, PIN, or pattern.
    • OTP: Combines a shared secret key with the current time to generate a unique password that is only valid for a short period. For example: SMS (OTP) and Email (OTP).

    You can use MFA along with the following: