MFA (Multi-Factor Authentication) context
Summary of MFA (Multi-Factor Authentication) context
The MFA (Multi-Factor Authentication) context in ServiceNow defines how and when MFA is enforced during the user login process. This context uses a policy to determine if users must provide a second form of authentication, enhancing security without denying access outright. It takes precedence over user or role-based MFA settings and applies exclusively to user logins—not API authentication, basic auth, or OAuth resource owner password credential grants.
Key Features
- Policy-Based Enforcement: You select a default policy that controls MFA behavior—either Step-Up MFA Policy or Step-Down MFA Policy.
- Step-Up MFA Policy: MFA is enforced only when specified policy conditions evaluate to true.
- Step-Down MFA Policy: MFA is enforced by default and bypassed only when conditions evaluate to true.
- Policy Inputs and Conditions: These tabs display the inputs and conditions of the selected policy for reference; however, policy modifications must be done on the policy record itself.
- MFA with SSO: Enabled only if the system property glide.authenticate.mfa.with.multisso.enabled is set to true.
- Policy Precedence: The MFA context policy overrides user or role-based MFA configurations.
Practical Use and Configuration
To configure the MFA context, navigate to All > Multi-factor Authentication > MFA Context. Here, you define the default policy behavior and select the specific step-up or step-down MFA policy to apply. The context record itself includes fields such as:
- Name: The static name of the MFA context (cannot be changed).
- Description: A description of the context purpose.
- Default Policy: Selects between step-up or step-down enforcement behavior.
- Step-Up/Step-Down MFA Policy: The specific policy referenced depending on the default policy choice.
Policy inputs and conditions can be reviewed on the context form but must be edited from the policy record itself. As a best practice, create new policy conditions from the policy page.
Key Outcomes
- Ensures flexible and precise control over MFA enforcement during logins based on policy conditions.
- Improves security posture by requiring second-factor authentication appropriately.
- MFA enforcement respects SSO settings when enabled via system property.
- Streamlines MFA management by centralizing enforcement logic in a policy context that overrides other configurations.
The MFA (Multi-Factor Authentication) policy context uses a policy to define how and when MFA is enforced during the login process.
MFA context record
The MFA (Multi-Factor Authentication) policy context defines whether your users must provide a second form of authentication when logging in. Unlike the post-authentication and pre-authentication policies, this context does not deny access to your instance. The policy you select in this context takes precedence over user or role-based configurations for multi-factor authentication.
To access the MFA context, navigate to All > Multi-factor Authentication > MFA Context.
Use the fields in the Post-authentication policy context record to define how your instance uses your policy.
- If the default policy is Step-Up MFA Policy, users are prompted for multi-factor authentication if the policy configured in the Step-Up MFA Policy field evaluates to true. The policy takes precedence over user or role-based configuration.
- MFA with SSO login is available only if the glide.authenticate.mfa.with.multisso.enabled property is set to true.
- To add or edit the policy inputs, navigate to the Authentication Policy record referenced in the Step-Up MFA Policy or Step-Down MFA Policy field.
- The MFA context policy applies only to user logins. It does not apply to API authentication, basic auth, or the OAuth resource owner password credential grant.
| Field | Description |
|---|---|
| Name | Name of the policy context. This field is static and cannot be changed. |
| Description | Description of the context |
| Default Policy | Defines the default behavior of this context when evaluating the policy. Select from the following options. |
| Step-Up MFA Policy | The policy that this context uses. This field appears only when the Default Policy field is set to Step-Up MFA Policy. |
| Step-Down MFA Policy | The policy that this context uses. This field appears only when the Default Policy field is set to Step-Down MFA Policy. |
Policy inputs and conditions
The Policy Input and Policy Conditions tabs display the inputs and conditions of the policy selected in the Step-Up MFA Policy or Step-Down MFA Policy field. These tabs serve as a reference, but cannot be used to change the policy inputs or conditions. To modify your policy settings, navigate to the policy using the reference icon next to the Step-Up MFA Policy or Step-Down MFA Policy field.
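The step-up and step-down rules described above, modelled as an added example (not ServiceNow code or a platform API) that lists which constructed logins finish without a second factor under each default policy. The function names, the login kinds and the `network` policy input are assumptions made for illustration; user and role-based MFA settings are not modelled.

```javascript
// Added model of the rules on this page; not ServiceNow code.
// Login kinds the page lists as outside the MFA context.
const OUT_OF_SCOPE = new Set(["api", "basic_auth", "oauth_ropc"]);

// ctx: { defaultPolicy: "step_up" | "step_down",
//        condition: login => boolean,  // stands in for the policy conditions
//        mfaWithSso: boolean }         // glide.authenticate.mfa.with.multisso.enabled
// Returns mfa true/false for user logins, null when the context makes no decision.
function evaluateMfaContext(ctx, login) {
  if (OUT_OF_SCOPE.has(login.kind)) {
    return { mfa: null, reason: "context does not apply to " + login.kind };
  }
  if (login.kind === "sso" && !ctx.mfaWithSso) {
    return { mfa: false, reason: "MFA with SSO is not enabled" };
  }
  const matched = Boolean(ctx.condition(login));
  if (ctx.defaultPolicy === "step_up") {
    // Step-up: enforced only when the conditions evaluate to true.
    return { mfa: matched, reason: matched ? "step-up condition true" : "no condition true" };
  }
  // Step-down: enforced by default, bypassed only when the conditions are true.
  return { mfa: !matched, reason: matched ? "step-down condition true" : "enforced by default" };
}

// Ids of user logins that complete without a second factor under this context.
function loginsWithoutMfa(ctx, logins) {
  return logins.filter(l => evaluateMfaContext(ctx, l).mfa === false).map(l => l.id);
}

// Constructed sample logins; "network" is a hypothetical policy input.
const SAMPLE_LOGINS = [
  { id: "a", kind: "interactive", network: "corporate" },
  { id: "b", kind: "interactive", network: "untrusted" },
  { id: "c", kind: "interactive", network: undefined }, // policy input missing
  { id: "d", kind: "sso", network: "untrusted" },
  { id: "e", kind: "api", network: "untrusted" },
];

// Step-up asks for MFA on untrusted networks; step-down skips it on the corporate one.
const stepUp = { defaultPolicy: "step_up", mfaWithSso: false,
                 condition: l => l.network === "untrusted" };
const stepDown = { defaultPolicy: "step_down", mfaWithSso: true,
                   condition: l => l.network === "corporate" };

console.log("step-up, no MFA:", loginsWithoutMfa(stepUp, SAMPLE_LOGINS));
console.log("step-down, no MFA:", loginsWithoutMfa(stepDown, SAMPLE_LOGINS));
```

In this model, login "c", whose policy input is missing, skips MFA under step-up but is challenged under step-down, which is the practical difference to weigh when choosing the default policy.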