Multi-factor Authentication context

  • Release version: Zurich
  • Updated July 31, 2025

    The Multi-factor Authentication (MFA) policy context uses a policy to define how and when MFA is enforced during the login process.

    MFA context record

    The MFA policy context defines whether your users must provide a second form of authentication when logging in. Unlike the post-authentication and pre-authentication policies, this context does not deny access to your instance. The policy you select in this context takes precedence over user or role-based configurations for multi-factor authentication.

    To access the MFA context, navigate to All > Multi-factor Authentication > MFA Context.

    Use the fields in the Post-authentication policy context record to define how your instance uses your policy.

    Note:
    • If the default policy is Step-Up MFA Policy, users are prompted for multi-factor authentication if the policy configured in Step-Up MFA Policy evaluates to true. The policy takes precedence over user or role-based configuration.
    • MFA with SSO login is available only if the glide.authenticate.mfa.with.multisso.enabled property is set to true.
    • You can navigate to the Authentication Policy record to add or edit the policy inputs of the referenced Policy field (Step-Up MFA Policy or Step-Down MFA Policy).
    • The MFA context policy applies only to user logins. It does not apply to API authentication, basic auth, or the OAuth resource owner password credential grant.

    Table 1. MFA context form

    Field: Description
    • Name: Name of the policy context. This field is static and cannot be changed.
    • Description: Description of the context.
    • Default Policy: Defines the default behavior of this context when evaluating the policy. Select from the following options:
      • Step-Up MFA Policy: Enforces MFA for users when the policy conditions defined in the Step-Up MFA Policy field evaluate to true.
      • Step-Down MFA Policy: Enforces MFA by default. MFA is not enforced only when the policy conditions defined in the Step-Down MFA Policy field evaluate to true.
    • Step-Up MFA Policy: The policy that this context uses. This field appears only when the Default Policy field is set to Step-Up MFA Policy.
    • Step-Down MFA Policy: The policy that this context uses. This field appears only when the Default Policy field is set to Step-Down MFA Policy.
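
    The following is an added example, not ServiceNow code: a small model of the decision this page describes, used to list which login paths finish without an MFA prompt under a given context configuration. The function names, channel labels, and object fields are hypothetical; only the property name and the step-up/step-down rules come from the page.

```javascript
// Added illustration: models the MFA context rules stated on this page.
// mfaDecision, pathsWithoutMfa, the channel labels and field names are
// hypothetical, not ServiceNow APIs or table fields.
const OUT_OF_SCOPE = new Set(['api', 'basic_auth', 'oauth_ropc']);

function mfaDecision(ctx, login) {
  // The context applies only to user logins, not to these channels.
  if (OUT_OF_SCOPE.has(login.channel)) {
    return { mfa: false, reason: 'MFA context does not apply to this channel' };
  }
  // MFA with SSO is available only when the property is set to true.
  if (login.channel === 'sso' && ctx.multiSsoMfaEnabled !== true) {
    return { mfa: false, reason: 'glide.authenticate.mfa.with.multisso.enabled is not true' };
  }
  // Per the page, the context policy takes precedence over user or role-based
  // MFA configuration, so that configuration is not an input to this model.
  if (ctx.defaultPolicy === 'step-up') {
    // MFA only when the policy conditions evaluate to true.
    return login.conditionsTrue
      ? { mfa: true, reason: 'step-up conditions evaluated to true' }
      : { mfa: false, reason: 'step-up conditions evaluated to false' };
  }
  if (ctx.defaultPolicy === 'step-down') {
    // MFA by default; skipped only when the policy conditions evaluate to true.
    return login.conditionsTrue
      ? { mfa: false, reason: 'step-down conditions evaluated to true' }
      : { mfa: true, reason: 'step-down default' };
  }
  throw new Error('unknown default policy: ' + ctx.defaultPolicy);
}

// Walk every channel/condition combination (constructed sample set) and
// return the paths that complete without MFA, for review.
function pathsWithoutMfa(ctx) {
  const channels = ['local', 'sso', 'api', 'basic_auth', 'oauth_ropc'];
  const gaps = [];
  for (const channel of channels) {
    for (const conditionsTrue of [true, false]) {
      const d = mfaDecision(ctx, { channel, conditionsTrue });
      if (!d.mfa) gaps.push(`${channel} (conditions=${conditionsTrue}): ${d.reason}`);
    }
  }
  return gaps;
}
```

    Calling pathsWithoutMfa with a step-up and a step-down configuration side by side shows that step-down leaves a condition that evaluates to false covered by MFA, while step-up leaves it uncovered, and that the three non-interactive channels appear in both lists.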

    Policy inputs and conditions

    The Policy Input and Policy Conditions tabs display the inputs and conditions of the policy selected in the Step-Up MFA Policy or Step-Down MFA Policy field. These tabs serve as a reference, but cannot be used to change the policy inputs or conditions. To modify your policy settings, navigate to the policy using the reference icon next to the Step-Up MFA Policy or Step-Down MFA Policy field.

    Note:
    Policy conditions can be created from here, but as a good practice, it is recommended to add new policy conditions from the policy page.

    This example shows an MFA context record configured using a step-up MFA policy. This default policy means that MFA is enforced only when the conditions defined in the policy evaluate to true. The context uses a policy called Step-Up MFA policy. That policy has a set of inputs and conditions that are displayed in the Policy Input and Policy Condition tabs.
    Figure 1. MFA policy context form (image: MFA policy context record)

    MFA factor policies

    MFA factor policies are a critical component of an organization's security posture, enabling you to enforce additional verification steps beyond passwords. These policies define the authentication methods that users must employ to access providing a flexible and customizable approach to authentication. For more information, see Multi-Factor Authentication factor policies.