MFA enforcement requirements – What and Why

  • Release version: Zurich
  • Updated July 31, 2025
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of MFA enforcement requirements – What and Why

    Multi-factor Authentication (MFA) is a security process requiring two or more verification methods before granting account or system access. ServiceNow mandates MFA to enhance account and data security by adding an additional verification layer beyond passwords, which alone are vulnerable to cyber threats.

    Why MFA Matters

    • Enhanced Security: MFA protects accounts even if passwords are compromised, preventing unauthorized access.
    • Reduced Risk: It minimizes the chance of security breaches by blocking most unauthorized login attempts.
    • Peace of Mind: Enabling MFA automatically safeguards accounts without requiring extra security decisions from users.

    ServiceNow’s MFA Mandate

    ServiceNow requires MFA to ensure strong protection across all user accounts, reducing security risks for customers and their users.

    MFA Requirements for Customers

    • Existing Customers (Yokohama release or later): If Adaptive Authentication – Multi-factor Authentication is not already enabled, it will be turned on by default. Internal users (without the snc_external role) using local or LDAP authentication must enroll in MFA within 30 days of their first successful login. During this period, users can log in normally but will receive reminders to enroll. After 30 days, MFA setup is mandatory for login.
    • New Customers (Yokohama release or later): MFA is enabled by default from the first login for all internal users without the snc_external role who authenticate via local or LDAP methods. These users must set up and use MFA immediately.

    FAQ related to MFA enforcement and why it’s important.

    1. What is MFA?

      Multi-factor Authentication (MFA) is a security process that requires you to provide two or more forms of verification before you can access an account or system. To learn more, see Exploring Multi-factor Authentication.

    2. Why is MFA enforcement mandated?

      MFA is mandated to protect your account and data security. Cyberthreats are ever-changing, and passwords alone no longer provide sufficient protection against unauthorized access.

      • With MFA enabled, even if attackers have your password, they still need a second form of verification. This additional layer blocks most unauthorized attempts, keeping your information more secure.
      • Setting MFA as the default minimizes the risk of security breaches and safeguards your account automatically. This means you get enhanced peace of mind without having to make any extra security decisions.
    3. Why is it important to enable MFA?

      Enabling MFA boosts your account security. Passwords alone aren't enough because passwords can be exposed in data breaches. With MFA, even if someone knows your password, they can't access your account without a second verification step.

    4. Why does ServiceNow require MFA?

      ServiceNow is mandating MFA to protect you from these threats. It's a simple yet effective way to reduce unauthorized access. Requiring MFA adds a strong layer of protection to every account, reducing security risks for you and all users.

    5. What is the MFA requirement for existing customers?

      For existing customers upgrading their instance to the Yokohama release or later:

      • If the instance doesn’t already have the Adaptive Authentication – Multi-factor Authentication context turned on, it is automatically enabled as a default MFA policy.
      • All internal users (users who don’t have the snc_external role) logging in with local or LDAP authentication must set up MFA within 30 days of their first successful login. During this time, users can log in normally but see a message at login prompting them to enroll in MFA.
      • After 30 days, MFA will be required by default, and users won’t be able to log in without completing the MFA setup.
    6. What is the MFA requirement for new customers?

      For any instance using the Yokohama release or later, MFA is enabled by default for all internal users, that is, users who don’t have the snc_external role and who log in with local or LDAP authentication. From the first login, these users are required to set up and use MFA.