Using Multi-factor authentication (MFA)

  • Release version: Xanadu
  • Updated August 1, 2024
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Using Multi-factor Authentication (MFA)

    Multi-factor authentication (MFA) enhances security when accessing your ServiceNow instance. It requires users to verify their identity using an additional method beyond just their username and password, ensuring a more secure login process.

    Show full answer Show less

    Key Features

    • Authenticator Apps: ServiceNow supports Time-based One-time Passwords (TOTP) through various authenticator applications, including Google Authenticator, Microsoft Authenticator, and others. While not all authenticators are tested, many may still work.
    • Login Process: Upon entering your username and password, you'll be prompted for a second authentication. If you haven’t set up an authenticator, you’ll be guided to do so during your first login.
    • Biometric and Hardware Key Support: If permitted by your administrator, you can use biometric methods (like fingerprint or facial recognition) and hardware keys for authentication.
    • SMS and Email OTP: Administrators can configure your instance to require one-time passwords (OTP) sent via SMS or email. Users will receive a six-digit code to validate their identity, valid for five minutes.

    Key Outcomes

    By implementing MFA, ServiceNow customers can significantly improve the security of their login processes, protecting sensitive data from unauthorized access. Users can choose from various authentication methods, ensuring flexibility and convenience in maintaining security. This ultimately leads to a more secure operational environment within ServiceNow.

    Learn how to use multi-factor authentication tools to securely access your instance.

    Login with MFA

    ServiceNow requires authenticator applications that support Time-based One-time Passwords (TOTP). ServiceNow tests MFA with the following authenticators:

    • Google Authenticator
    • Microsoft Authenticator
    • LastPass Authenticator
    • Authy
    • FreeOTP
    • Duo
    • Okta Verify
    Note:
    • Other authenticators not listed might also be compatible, but are not tested by ServiceNow.
    • For information related to browser specific behavior change, see this KB article

    Validation with authenticator app


    Authenticator.

    Enter the code displayed on your authenticator app to login.

    If your administrator has enabled multi-factor authentication (MFA) on your instance, you are prompted for a second authentication after entering your user name and password. For details on the MFA login process, see Log in with multi-factor authentication

    If you haven't configured a second form of authentication, you will see a configuration page after logging in to guide you through the process of setting up an authentication app. For details on this setup, see Setup multi-factor authentication for the first time.

    Register an authentication device

    After you've configured an authentication app, you can register other methods for authentication.
    Biometric authenticators
    You can use biometric authenticators like fingerprint or facial recognition as your second MFA authentication. If your administrator allows this option, you can configure biometric authenticators using the steps in Register a biometric authenticator.
    Hardware key authenticators
    Hardware keys are physical security devices you can use for authentication. You can register a hardware device for use with your instance using the steps in Register a hardware security key.
    Biometrics icon

    Hardware key icon

    Validation with Biometric or Hardware Key


    MFA - Biometric or Hardware
    		 Use the Biometric or Security Key to login.

    Register a phone number for OTP

    SMS
    Admin configures ServiceNow instance to require users who attempt to login the instance using SMS based OTP.

    When users attempt to login to ServiceNow, SMS OTP is sent to the mobile number associated with the sys_user record. Users can enter the six-digit verification code that it sent to the mobile device and verify their identity.
    SMS.

    Validation with SMS


    MFA-SMS.
    		 Enter the 6-digit code sent to the mobile number to login. The code sent is valid for the next 5 minutes. You can use resend code to again send the code.

    Register an Email address for OTP

    Email address
    Admin configures ServiceNow instance to require users who attempt to login the instance using Email based OTP.

    When users attempt to login to ServiceNow, Email OTP is sent to the email address associated to the user. User's can enter the six-digit verification code that it sent to the mobile device and verify their identity.
    Email.

    Validation with Email


    MFA-Email.
    		 Enter the 6-digit code sent to the email address to login. The code sent is valid for the next 5 minutes. You can use resend code to again send the code.