Configuring MFA, supported methods, and workflow

  • Release version: Xanadu
  • Updated August 1, 2024

MFA, also known as two-step verification, requires users to present more than one set of credentials to access an instance.

The basic level of authentication to an instance is local database authentication, where a user enters a username and password. MFA gives administrators and users the ability to require a second level of authentication.

    The second level of authentication can be based on the following:

    • A passcode from an authentication app
    • A hardware key
    • A biometric authenticator, such as a fingerprint reader or facial recognition
    • A one-time password sent by SMS or email
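The first option in the list, a passcode from an authentication app, is normally a time-based one-time password (TOTP, RFC 6238). The following is an added illustration of how such a passcode is derived and how a server should check it; it is not ServiceNow code and does not describe how the instance implements the check. The secret, the drift window of one 30-second step on either side, and the replay rule (never accept the same time step twice) are assumptions chosen for the example.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time // step), digits)


class TotpVerifier:
    """Server-side check of an app-generated passcode (example design).

    Accepts the current time step plus `window` steps on either side to absorb
    clock drift, compares in constant time, and refuses to accept a time step
    that has already produced a successful login, so a captured code cannot
    be replayed within its validity period.
    """

    def __init__(self, secret: bytes, window: int = 1, step: int = 30, digits: int = 6):
        self.secret = secret
        self.window = window
        self.step = step
        self.digits = digits
        self.last_counter = -1  # highest time step already consumed by a login

    def verify(self, candidate: str, at_time: Optional[float] = None) -> bool:
        if at_time is None:
            at_time = time.time()
        if len(candidate) != self.digits or not candidate.isdigit():
            return False
        base = int(at_time // self.step)
        matched = None
        # Evaluate every step in the window instead of returning early,
        # so response timing does not reveal which step matched.
        for drift in range(-self.window, self.window + 1):
            counter = base + drift
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, candidate) and counter > self.last_counter:
                matched = counter
        if matched is None:
            return False
        self.last_counter = matched
        return True


if __name__ == "__main__":
    # Constructed secret taken from the RFC 6238 SHA-1 test vectors.
    demo_secret = b"12345678901234567890"
    print(totp(demo_secret, 59))  # RFC 6238 vector: 287082
```

The shared secret is the value encoded in the QR code that the user scans when registering the app; it must be stored server-side with the same care as a password hash, because anyone holding it can generate valid passcodes.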

    MFA Options

As an administrator, you can set up MFA for individual users or for all users in a specific role. You can also allow users to opt in to MFA themselves.

    Activation

    The Integration - Multifactor Authentication (com.snc.integration.multifactor.authentication) plugin is installed by default on your instance but must be enabled by an administrator using a system property. For details, see Multi-factor authentication system properties.

    Note:
After cloning an instance, you must re-enable MFA on the cloned instance. For more information, see these KB articles: KB0657100, KB0860689, KB0825390, KB0779908, KB0717367, KB0727991.

    Supported authentication methods

    You can use MFA with the following authentication methods:

Multi-factor authentication setup workflow

    Administrator enables multi-factor authentication

    The Integration - Multifactor Authentication (com.snc.integration.multifactor.authentication) plugin is activated on your instance by default. To begin using MFA, administrators must enable MFA using a system property. Once enabled, administrators select users or roles that require MFA logins.

For more detail on administrator setup for MFA, see Multi-factor authentication (MFA).

    Users log in using an authentication app

Users are prompted to complete MFA at login and can choose any of the enabled options. A user who has completed setup with one factor can still go to their profile page and set up the remaining factors later.

    Web Authentication

    Activate Integration - Web Authentication (com.snc.integration.webauthn) to allow hardware key or biometric reader authentication on your instance.


    Hardware key icon

Hardware keys are physical devices that you insert into a port on your device to authenticate. For details on registering hardware keys, see Register a hardware security key.


    Biometrics icon

    Biometric authenticators use fingerprint or facial recognition to identify users. Your users can use these authenticators on their devices as part of the multi-factor login process. For details on registering biometric authenticators, see Register a biometric authenticator.

    SMS or Email (One-time password)

To give users a smoother login experience on the go, MFA also supports one-time passwords delivered by SMS and email.


    SMS

An administrator can configure the ServiceNow instance to require an SMS-based OTP from users who attempt to log in to the instance.

When a user attempts to log in to ServiceNow, an SMS OTP is sent to the mobile number associated with the user's sys_user record. The user enters the six-digit verification code sent to the mobile device to verify their identity.

    For more information, see Multi-factor authentication with SMS.


    Email

An administrator can configure the ServiceNow instance to require an email-based OTP from users who attempt to log in to the instance.

When a user attempts to log in to ServiceNow, an email OTP is sent to the email address associated with the user. The user enters the six-digit verification code sent to that address to verify their identity.

    For more information, see Multi-factor authentication with Email.
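Unlike an app passcode, an SMS or email OTP is generated by the server and delivered out of band, so the server has to manage its lifetime itself. The following is an added example of the server-side bookkeeping for the six-digit codes described in the SMS and Email sections; it is not ServiceNow code and does not show how the instance implements OTP. Delivery is out of scope (the issued code is returned to the caller, who would hand it to the SMS or email sender), and the 300-second lifetime, the budget of five guesses per code, and the in-memory store are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300   # assumed lifetime of an issued code
OTP_MAX_ATTEMPTS = 5    # assumed guess budget per issued code


@dataclass
class PendingOtp:
    code_hash: bytes
    expires_at: float
    attempts_left: int = OTP_MAX_ATTEMPTS


@dataclass
class OtpService:
    """Issues and verifies delivery-based (SMS/email) one-time passwords.

    Only a hash of the code is kept server-side, every code expires, each
    code is single-use, and a small guess budget stops online brute force
    of the one-million-value space. A six-digit code is too short for the
    hash alone to resist offline guessing, so the budget and expiry carry
    the real protection.
    """
    pending: Dict[str, PendingOtp] = field(default_factory=dict)

    @staticmethod
    def _hash(user_id: str, code: str) -> bytes:
        # Bind the hash to the user so a code issued to one account
        # cannot be replayed against another.
        return hashlib.sha256(f"{user_id}:{code}".encode()).digest()

    def issue(self, user_id: str, now: float) -> str:
        """Create a fresh code for user_id; the caller delivers it by SMS or email."""
        code = str(secrets.randbelow(10 ** OTP_DIGITS)).zfill(OTP_DIGITS)
        # Issuing a new code invalidates any earlier one for this user.
        self.pending[user_id] = PendingOtp(self._hash(user_id, code), now + OTP_TTL_SECONDS)
        return code

    def verify(self, user_id: str, candidate: str, now: float) -> bool:
        entry = self.pending.get(user_id)
        if entry is None:
            return False
        if now > entry.expires_at or entry.attempts_left <= 0:
            del self.pending[user_id]
            return False
        entry.attempts_left -= 1
        if not hmac.compare_digest(self._hash(user_id, candidate), entry.code_hash):
            if entry.attempts_left <= 0:
                del self.pending[user_id]   # budget exhausted: force a new code
            return False
        del self.pending[user_id]   # single use
        return True


if __name__ == "__main__":
    svc = OtpService()
    issued = svc.issue("alice", now=0)          # constructed user id
    print(svc.verify("alice", issued, now=10))  # True on first use
```

A production store would live in the database or a cache rather than a process-local dictionary, and the issue path should also be rate-limited per user and per destination so that an attacker cannot flood a victim's phone or mailbox with codes.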