MFA (Multi-Factor Authentication) context
Summary of MFA (Multi-Factor Authentication) Context
The MFA (Multi-Factor Authentication) context is a critical component that defines how and when MFA is enforced during the login process for users accessing your ServiceNow instance. It allows administrators to set policies that dictate the requirement for a second form of authentication, ensuring enhanced security without denying access outright.
Key Features
- MFA Context Record: Determines the enforcement of MFA based on selected policies that take precedence over user or role-based configurations.
- Policy Selection: Users can configure either a Step-Up MFA Policy, which prompts MFA when certain conditions are met, or a Step-Down MFA Policy, which defaults to MFA unless specified otherwise.
- Access Navigation: Access the MFA context via All > Multi-factor Authentication > MFA Context, and utilize fields in the Post-authentication policy context record to define policy usage.
- Policy Inputs and Conditions: Review existing policy inputs and conditions, but modifications should be made directly in the respective policy pages for best practice.
- SSO Login Compatibility: MFA with SSO login is enabled only if the corresponding property is activated.
Key Outcomes
By configuring the MFA context effectively, ServiceNow customers can enhance their security protocols. The context allows for granular control over authentication requirements, ensuring that MFA is enforced appropriately based on specific conditions, thereby helping to mitigate security risks while maintaining user access to the instance.
The MFA (Multi-Factor Authentication) policy context uses a policy to define how and when MFA is enforced during the login process.
MFA context record
The MFA (Multi-Factor Authentication) policy context defines whether your users must provide a second form of authentication when logging in. This context does not deny access to your instance as the post-authentication and pre-authentication policies do. The policy you select in this context takes precedence over user or role-based configurations for multi-factor authentication.
To access the MFA context, navigate to All > Multi-factor Authentication > MFA Context.
Use the fields in the Post-authentication policy context record to define how your instance uses your policy.
- If the default policy is Step-Up MFA Policy, users are prompted for multi-factor authentication when the policy configured in the Step-Up MFA Policy field evaluates to true. The policy takes precedence over the user or role-based configuration.
- MFA with SSO login is available only if the glide.authenticate.mfa.with.multisso.enabled property is set to true.
- You can navigate to the Authentication Policy record to add or edit the policy inputs of the policy referenced in the Step-Up MFA Policy or Step-Down MFA Policy field.
| Field | Description |
|---|---|
| Name | Name of the policy context. This field is static and cannot be changed. |
| Description | Description of the context |
| Default Policy | Defines the default behavior of this context when evaluating the policy. Select from the following options. |
| Step-Up MFA Policy | The policy that this context uses. This field appears only when the Default Policy field is set to Step-Up MFA Policy. |
| Step-Down MFA Policy | The policy that this context uses. This field appears only when the Default Policy field is set to Step-Down MFA Policy. |
Policy inputs and conditions
The Policy Input and Policy Conditions tabs display the inputs and conditions of the policy selected in the Step-Up MFA Policy or Step-Down MFA Policy field. These tabs serve as a reference, but cannot be used to change the policy inputs or conditions. To modify your policy settings, navigate to the policy using the reference icon next to the Step-Up MFA Policy or Step-Down MFA Policy field.