Multi-factor authentication for Customer and Consumer Service Portals

  • Release version: Yokohama
  • Updated January 30, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Multi-factor authentication for Customer and Consumer Service Portals

    Multi-factor authentication (MFA), or two-step verification, enhances the security of Customer and Consumer Service Portals by requiring users to provide more than one set of credentials during login. This feature protects self-service web portals from potential security vulnerabilities by adding an extra layer of user verification.

    Show full answer Show less

    Key Features

    • Enable MFA: Administrators can enable or disable MFA using a specific property, allowing control over user authentication requirements.
    • Bypass Setup Limit: Users can be allowed to bypass setting up MFA a limited number of times (default is 3), enabling temporary login without a mobile device. This counter resets if MFA is disabled and re-enabled.
    • One-Time Code Validity: The validity period of one-time codes sent via email can be configured in minutes (default is 10 minutes), ensuring timely and secure code usage.
    • Clock Skew Adjustment: Administrators can configure an additional time window (up to 60 seconds) to accommodate clock differences between the user’s device and the server, reducing login issues caused by timing discrepancies.
    • Role-Based MFA Enforcement: MFA requirement can be applied to users assigned the roles sncustomerservice.customer and sncustomerservice.consumer, ensuring that customers and consumers accessing the portal must complete MFA.

    Practical Use for ServiceNow Customers

    ServiceNow customers can enable and configure MFA on Customer and Consumer Service Portals to significantly enhance security by mitigating unauthorized access risks. By adjusting properties such as bypass counts, code validity, and clock skew, administrators can tailor the MFA experience to balance security with user convenience. Assigning MFA to specific roles ensures that only designated portal users are required to complete this verification step, supporting compliance and security policies.

    Multi-factor authentication, also known as two-step verification, is a security requirement that asserts a user enter more than one set of credentials.

    Enable multi-factor authentication for Customer and Consumer Service Portal users so that access to the self-service web portals is more secure from potential vulnerabilities. For more information, see Multifactor authentication (MFA).

    Multi-factor authentication properties

    Use properties to enable role-based multi-factor authentication criteria and configure the behavior.
    Table 1. Properties for multi-factor authentication
    Property Description
    Enable Multi-factor authentication

    [glide.authenticate.multifactor]

    		 Select this check box to enable users and administrators to use this feature.
    • Type: enabled | disabled
    • Default value: enabled
    • Location: Multi-factor Authentication > Properties
    Number of times a user can bypass setting up multi-factor authentication

    [glide.authenticate.multifactor.setup.bypass.count]

    		 Enter a number that represents how many times a user can skip the additional passcode requirement, allowing them to log in even without their mobile device. If you disable this feature and then re-enable it, the counter starts over again.
    • Type: string
    • Default value: 3
    • Location: Multi-factor Authentication > Properties
    The time in minutes, the one-time code sent to user's email address is valid for

    [glide.multifactor.onetime.code.validity]

    		 Enter a number in minutes that specifies how long the reset code is valid. See Log on with multi-factor authentication.
    • Type: string
    • Default value: 10
    • Location: Multi-factor Authentication > Properties
    Additional time in seconds for which the code will be valid to accommodate for the clock skew. Max value is 60 seconds.

    [glide.authenticate.multifactor.clock_skew]

    		 Enter a number in seconds with a maximum of 60.

    By default, the instance validates the code entered by you against the single app-generated code generated at whatever the current time is. You can skew the time window with this property and allow one or more codes generated during a time window to be considered valid.

    The property's value is used in the following calculation: current time - x/2 and current time + x/2, where 'x' is the value of this property. If you use the value of 10, for example, the instance considers any codes generated by the app between the time range [the current time - 5 seconds] and [current time + 5 seconds] to be valid.

    Use this property to help prevent log in issues where you’re unable to enter the correct code in the default time allotted.

    Configure roles for multi-factor authentication

    Add the following external roles to the multi-factor roles:
    • sn_customerservice.customer
    • sn_customerservice.consumer
    Users with these roles are required to use multi-factor authentication. For more information, see Configure user-based multi-factor criteria.