Enforced multifactor authentication (MFA): What you need to know

I'm excited to announce that with the upcoming Now Platform Yokohama release, ServiceNow will be enforcing multifactor authentication (MFA) as a default security measure for all internal users who log on without single sign-on (SSO). This is part of our ongoing commitment to enhance the security of customer accounts and protect their valuable data from unauthorised access.

MFA requires users to provide two or more forms of verification before they can access an account or system. ServiceNow offers a wide range of MFA options, including:

How does MFA help?

Implementing MFA adds an extra layer of verification to user accounts and helps ensure our customers' ServiceNow instances meet the highest security standards.

There's been a 71% year-over-year increase in attacks using stolen credentials, according to IBM's X-Force Threat Intelligence Index. Attackers know it's difficult to distinguish activity from a legitimate login from activity from a compromised one.

Although the majority of our customers use SSO to log on to ServiceNow, most also retain a local login—for admins, for example. MFA significantly reduces the risk of unauthorised access—even if a password is compromised—by up to 99%, according to the U.S. Cybersecurity and Infrastructure Security Agency.

While MFA has been a part of ServiceNow for a while, requiring MFA for all local login users is a crucial step to help our customers protect themselves by default. This change aligns ServiceNow with industry standards and best practices, reflecting our commitment to safeguarding customer data.

How does MFA affect ServiceNow customers?

For existing customers upgrading to the Now Platform Yokohama release, if your ServiceNow instance doesn't already have an active MFA policy, a default MFA policy will be automatically enabled.

That means that for the first 90 days following the upgrade to the Yokohama release, all internal users (users without the snc_external role) logging in with local or LDAP (network-based, e.g., Active Directory credentials) authentication will need to set up MFA within 30 days of their first successful login.

During this period, users can log in normally but will see a message prompting them to enrol in MFA. After 30 days, MFA will be required by default and users will not be able to log in without completing the MFA setup.

Since the Now Platform Xanadu release, we've made it even easier to set up MFA by enabling passkeys to be registered and used directly, without requiring users to download an authenticator app.

For new customers, MFA will be active by default from day 1 for all internal users logging in with local or LDAP authentication. This helps ensure accounts are protected from the moment customers start using the ServiceNow platform.

How to get started with MFA

To comply with the new MFA enforcement mandate, users will need to set up MFA within the specified time frame. This involves enrolling in one or more verification methods, such as an authenticator app, biometric authentication and hardware security keys.

We recommend enrolling in multiple MFA factors to help prevent being locked out of your accounts. For example, you can set up both an authenticator app and a biometric authenticator for added security. Admins can also adjust the MFA enforcement timeline and provide a smaller or larger self-enrolment window by updating the relevant system properties.

By taking these steps, you'll be contributing to a more secure and resilient digital environment for everyone on the ServiceNow platform.

Can I disable MFA?

Although it's technically possible to configure exceptions to this MFA policy, we strongly advise against doing so and recommend consulting your security team first.

Allowing exceptions would potentially weaken the overall security framework, exposing your accounts to greater risks. Mandating compliance with the MFA requirements helps organisations take a proactive stance on safeguarding their data and maintaining the highest security standards.

How should I prepare for enforced MFA?

Don't wait until the Now Platform Yokohama release to start protecting your accounts. Begin enforcing MFA today ahead of this upgrade.

By setting up MFA requirements now, you can help ensure your users are secure and prepared for the upcoming changes. Review our documentation on how to configure MFA policies in your instance.

Find out more about how ServiceNow prioritises data security.