IT Hub

Setting Up Multi-Factor Authentication (MFA) in ServiceNow

Reco Security Experts
May 27, 2024
May 27, 2024

Setting Up and Optimizing Multi-Factor Authentication (MFA) in ServiceNow: A Comprehensive Guide

ServiceNow Multi-Factor Authentication (MFA) stands out as an important defense mechanism against unauthorized access. However, its effectiveness is based on proper setup and configuration. This guide walks you through setting up MFA in ServiceNow, best practices for configuration, and troubleshooting common issues.

Setting Up Multi-Factor Authentication (MFA) in ServiceNow

The Integration - MFA (com.snc.integration.multifactor.authentication) plugin is installed by default, but it must be enabled by an administrator using a system property.

Step 1: Accessing MFA Settings:

Log in as an Administrator, navigate to the "Multi-Factor Authentication" section, and select "Properties."

Step 2: Enabling MFA:

In the MFA settings page, toggle the switch to enable Multi-Factor Authentication on your side. You can also change the properties below to customize MFA to meet your security requirements.

Property Description
Number of times a user can bypass Multi-Factor Authentication. Number of times that a user can choose to skip the setup of MFA. Users can still log in to the instance even if they don't have their mobile device with them. If you disable this feature and then re-enable it, the counter starts over again. The default is 3.
The time in minutes the one-time code sent to the user's email address is valid for. Number of minutes that the reset code is valid. The default is 10.
Additional time in seconds is needed for the code to be valid to accommodate the clock skew. The maximum value is 60 seconds. Number of additional seconds that the reset code is valid. The maximum is 60. The default is 10. Use this property to prevent login issues where the user is unable to enter the correct code in the default time allotted.
Enable the remember browser feature for multi-factor authentication. Configure your instance to prompt users for MFA when they log in from a new device or browser. The default is yes.
Validity of browser fingerprint in hours. After MFA remembers the browser, the user will not be challenged for MFA in the same browser for this duration. The default is 8 hours.
Maximum number of browsers a user can remember. The number of browsers MFA remembers for this user.
The default value of the remember browser check box in the validate multi-factor page. The default value of the remember-browser check box is on the validate multi-factor page.
Enable web authentication (FIDO2) based MFA. Option to enable passwordless authentication methods such as hardware key and biometric authentication.

Multi-Factor Criteria

Use multi-factor criteria to determine which users and roles must use two-step multi-factor verification. You can use one of these criteria or a combination of them to suit your business needs.

User-based Multi-Factor Criteria

Use user-based multi-factor criteria to select individual users who are required to log in using MFA. Administrators update the Enable MFA field on a user record to enable or disable MFA requirements for a user.

1. Navigate to the "User Administration" section and select "Users".

2. Configure the list to show the Enable MFA column and save it.

3. Change the values of the Enable MFA column for the selected users to true. (When the user logs in with their username and password, they are prompted to set up MFA).

4. Save the user and enable MFA.

Role-based Multi-Factor Criteria

Use role-based multi-factor criteria to require MFA login for all users assigned to a specific role. The Role-based multi-factor authentication record on the Multi-factor Criteria [multi_factor_criteria] table contains the list of roles that require an MFA login.

1. Navigate to the "Multi-Factor Authentication" section and select "Multi-factor Criteria"

2. In the Multi-Factor Criteria List, open the "Role-based multi-factor authentication" record.

3. Use the "Multi-factor Roles" list to add or remove roles. To add a row, you have to double-click "Insert a new row," enter or select a role name, and click on the Save Icon to save the entry.

To remove a role, click on the delete icon to remove a role from the list.

4. Click Update.

Multi-Factor Authentication Metrics (only for users with role)

Step 1: Accessing Instance Security Center Portal:

Log in as security_dashboard_user or admin, navigate to the " System Security" section and select "Instance Security Center".

Step 2: Access MFA Metrics:

Once you are on the ISC Portal, navigate to the "Metrics" section, and select "MFA Metrics."

Step 3: Monitoring MFA:

Upon reaching the MFA Metrics page, you'll find the following key indicators for monitoring.

Title Report Type Description
Users Enrolled for MFA Single Score Displays the total number of users on the instance enrolled in MFA.
Users using MFA Bypass Single Score Displays the total number of users using MFA bypass.
High Privilege MFA Users Bar Displays the high-privilege users who have active MFA.
MFA User Trend Trend Displays the trend of users who have activated MFA.

Best Practices for ServiceNow MFA Configuration

1. Enforce MFA for All Users

Make MFA mandatory for all users accessing ServiceNow to ensure uniform protection across the organization.

2. Activate MFA for Administrators

ServiceNow recommends that customers enable MFA by default for all Admin users.

3. Use Multiple Authentication Methods

Offer a variety of MFA methods to meet different user preferences and needs. Options may include SMS authentication, authenticator apps, hardware tokens, or biometric authentication.

4. Educate Users About MFA

Provide clear instructions to users on how to set up and use MFA. Educate them about the importance of MFA and how it adds an extra layer of security to their accounts.

5. Monitor and Analyze Authentication

Regularly monitor authentication activities to track the adoption rate of MFA among users on the instance. This allows for informed decision-making and ensures ongoing security optimization.

Troubleshooting Common Issues

User Unable to Receive Verification Code

  • Solution: Verify that the user's contact information is accurate and check for any network issues affecting message delivery.

Note that ServiceNow tests MFA with the following applications: Google Authenticator, Microsoft Authenticator, LastPass Authenticator, Authy, FreeOTP, Duo, and Okta Verify. Other authenticators not listed might also be compatible but have not been tested by ServiceNow.

Clone the Instance and MFA Doesn’t Work

  • Solution: After cloning an instance, you must re-enable MFA on the cloned instance.

Authentication Failure Despite Correct Credentials

  • Solution: Ensure that the user is entering the verification code correctly, check for any time synchronization issues between the device and ServiceNow, and verify that the user's account is active and not locked.

Hardware Token Malfunction

  • Solution: Provide the user with a replacement token and ensure that it is properly synchronized with ServiceNow.


Setting up and optimizing Multi-Factor Authentication (MFA) in ServiceNow is crucial for enhancing security and protecting against unauthorized access. This guide provides detailed steps on how to enable and configure MFA, best practices to ensure effective implementation, and solutions to common issues. By following these guidelines, organizations can significantly strengthen their security posture and ensure that their ServiceNow environment remains secure and resilient.

Explore More
See more articles from our Hub