Troubleshooting Multi-factor Authentication enforcement

  • Release version: Zurich
  • Updated July 31, 2025

    Troubleshooting information for MFA enforcement.

    After the Yokohama upgrade, ServiceNow enforces MFA by default and makes it mandatory for non-SSO logins (users who log in with only a username and password, or with LDAP-based authentication) to ensure a better security posture and reduce the risk of breaches.

    MFA enforcement is carried out through an MFA policy that is activated by default from Yokohama or on upgrade to Yokohama. The following are some of the troubleshooting tasks that you can perform if there is any change to the MFA behavior:

    • Debug using the troubleshooting tools
    • Navigate to the Log location and Debug properties
    • Understand the MFA scenarios based on your users' experience while using MFA
    • Understand the MFA issue due to upgrade from a previous release

    Debug MFA

    Use any one of the following tools, or a combination of them, to understand the debug information:

    • Splunk - to see the debug logs.
    • System logs or Node logs.
    • HAR logs to analyze the debug logs for the MFA.

    Log location and Debug properties

    Navigate to the following locations to view the logs:
    • For system logs, navigate to All > System Log > System Logs.
    • For node logs, navigate to All > System Logs > Utilities > Node Log File Browser.

    The system debug logs and instance node logs are required for debugging. The following debug properties must be enabled:

    • glide.webauthn.debug.enabled
    • glide.log.default_log_debug
    • glide.authenticate.policy.debug
    • glide.authenticate.hybrid_user_tracking.debug

    MFA issue based on scenarios

    Scenario 1: User is not able to log in using any of their second factors
    Reset the MFA for your users and delete the old user records from the following tables:
    • user_multifactor_auth
    • sys_user_public_credential
    • sys_user_multi_factor_setup

    Scenario 2: Admin is not able to log in using any of their second factors
    Another user with admin access can reset the MFA for any blocked admin user. If the issue still exists, reach out to ServiceNow Support.

    Scenario 3: Error observed during the MFA setup or validation
    Check for the warning "Associated Error Codes/Warning: Your 6-digit verification code is incorrect. Try again with the correct code".
    Perform the following steps:
    • For a TOTP authenticator app, the TOTP code is not accepted if the date and time of the authenticator MFA device and the instance are not in sync (±30 sec). Verify the date and time on both the device and the instance.
    • For email, verify that the user-level notification, the outbound email configuration, and the user record in the sys_user table are configured correctly.
    • For SMS, verify that the Twilio or other SMS service provider integration is configured correctly and set to active. Verify that the user's mobile number is configured correctly in the sys_user table.
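
To show why the ±30-second clock condition in Scenario 3 produces the "verification code is incorrect" warning, here is an added example (not ServiceNow code) that implements RFC 6238 TOTP and measures how many 30-second steps a device clock is off. The validator's one-step acceptance window, the RFC test secret, the sample times and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def estimate_drift(secret: bytes, code: str, server_time: int, search: int = 10):
    """Diagnostic: steps between the device's step and the server's, or None."""
    for drift in sorted(range(-search, search + 1), key=abs):
        t = server_time + drift * STEP
        if t >= 0 and hmac.compare_digest(totp(secret, t), code):
            return drift
    return None

def verify(secret: bytes, code: str, server_time: int, window: int = 1) -> bool:
    """Assumed validator: accept the current step plus `window` steps either side."""
    return estimate_drift(secret, code, server_time, search=window) is not None

# Constructed inputs: the RFC 4226 test secret (never a real one) and a tiny
# epoch value, so every code below matches a published test vector.
SECRET = b"12345678901234567890"
SERVER_TIME = 170  # instance clock, 20 s into time step 5

def demo() -> dict:
    """Map device clock skew in seconds -> (accepted?, drift in steps)."""
    out = {}
    for skew in (0, 25, -30, 95, -100):
        code = totp(SECRET, SERVER_TIME + skew)  # what the authenticator app shows
        out[skew] = (verify(SECRET, code, SERVER_TIME),
                     estimate_drift(SECRET, code, SERVER_TIME, search=4))
    return out

if __name__ == "__main__":
    for skew, (ok, drift) in demo().items():
        print(f"device skew {skew:+4d}s -> accepted={ok}, drift={drift} step(s)")
```

A device that is 25 seconds fast is accepted only because its code falls in the adjacent step, while 95 seconds lands three steps away and is rejected. The wide search in `estimate_drift` is for diagnosing clock skew only and must not be used as a validation window.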