Multi-factor authentication for Business Portal

  • Release version: Yokohama
  • Updated January 30, 2025

    Enable multi-factor authentication for business portal users so that access to the self-service web portals is more secure from potential vulnerabilities.

    Multi-factor authentication, also known as two-step verification, is a security requirement that a user enter more than one set of credentials. For more information, see Multi-factor authentication.

    Multi-factor authentication properties

    Use properties to enable role-based multi-factor authentication criteria and configure the behavior.
    Table 1. Properties for multi-factor authentication
    Property Description
    Enable Multi-factor authentication

    [glide.authenticate.multifactor]

    Select this check box to allow users and administrators to use this feature.
    • Type: enabled | disabled
    • Default value: enabled
    • Location: Multi-factor Authentication > Properties
    Number of times a user can bypass setting up multi-factor authentication

    [glide.authenticate.multifactor.setup.bypass.count]

    Enter a number that represents how many times a user can choose to skip the additional passcode requirement. This lets your users still log in to the instance if they do not have their mobile device with them. If you disable this feature and then re-enable it, the counter starts over again.
    • Type: string
    • Default value: 3
    • Location: Multi-factor Authentication > Properties
    The time in minutes, the one time code sent to user's email address is valid for

    [glide.multifactor.onetime.code.validity]

    Enter a number in minutes that specifies how long the reset code is valid. See Log on with multi-factor authentication.
    • Type: string
    • Default value: 10
    • Location: Multi-factor Authentication > Properties
    Additional time in seconds for which the code will be valid to accommodate for the clock skew. Max value is 60 seconds.

    [glide.authenticate.multifactor.clock_skew]

    Enter a number in seconds with a maximum of 60.

    By default, the instance validates the code entered by the user against the single code that the app generates for the current time. You can widen the time window with this property so that one or more codes generated during that window are considered valid.

    The window runs from [current time - x/2] to [current time + x/2], where 'x' is the value of this property. If you use the value of 10, for example, the instance considers any codes generated by the app between [current time - 5 seconds] and [current time + 5 seconds] to be valid.

    Use this property to prevent login issues where the user is unable to enter the correct code in the default time allotted.
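
The window calculation above, worked through as an added example (not ServiceNow's code). It assumes RFC 6238 TOTP defaults (30-second step, 6 digits, HMAC-SHA1), which this page does not state; the function names are hypothetical and the secret is the RFC 6238 test value.

```javascript
const crypto = require('crypto');

const STEP_SECONDS = 30; // assumption: RFC 6238 default time step
const DIGITS = 6;        // assumption: 6-digit codes
const MAX_SKEW = 60;     // documented maximum for the clock_skew property

// HOTP (RFC 4226): HMAC-SHA1 over an 8-byte big-endian counter, then truncate.
function hotp(secret, counter) {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = crypto.createHmac('sha1', secret).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f;
  const bin = mac.readUInt32BE(offset) & 0x7fffffff;
  return String(bin % 10 ** DIGITS).padStart(DIGITS, '0');
}

// Every code the app could have generated between now - x/2 and now + x/2.
function acceptedCodes(secret, nowSeconds, skewSeconds) {
  const x = Math.min(Math.max(Number(skewSeconds) || 0, 0), MAX_SKEW);
  const first = Math.floor((nowSeconds - x / 2) / STEP_SECONDS);
  const last = Math.floor((nowSeconds + x / 2) / STEP_SECONDS);
  const codes = [];
  for (let c = first; c <= last; c++) codes.push(hotp(secret, c));
  return codes;
}

// Compare the submitted code against each accepted code in constant time.
function verify(secret, submitted, nowSeconds, skewSeconds) {
  const given = Buffer.from(String(submitted));
  let ok = false;
  for (const code of acceptedCodes(secret, nowSeconds, skewSeconds)) {
    const want = Buffer.from(code);
    if (given.length === want.length && crypto.timingSafeEqual(given, want)) ok = true;
  }
  return ok;
}

// Constructed sample: the server clock is 1 second past a step boundary and
// the user submits the code their app showed 2 seconds earlier.
const secret = Buffer.from('12345678901234567890', 'ascii');
const now = 1111111111;
const previousStepCode = hotp(secret, Math.floor((now - 2) / STEP_SECONDS));
console.log(verify(secret, previousStepCode, now, 0));  // skew 0: rejected
console.log(verify(secret, previousStepCode, now, 10)); // skew 10: accepted
```

Each additional time step the window reaches is one more code that passes verification, so keep the value as small as the clock drift you actually observe.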

    Configure roles for multi-factor authentication

    Add the external role sn_customerservice.customer to the multi-factor roles.

    Users with this role are required to use multi-factor authentication. For more information, see Configure user-based multi-factor criteria.