MFA Enforcement in the Upcoming Yokohama Release

Summary

MFA, or Multi-Factor Authentication, is a security process that requires users to provide two or more forms of verification before they can access an account or system. Think of it as an extra layer of protection beyond just a password. For example, if you log in to your bank account online, MFA might ask you to enter your password (something you know) and then confirm a code sent to your phone (something you have). This way, even if someone else knows your password, they wouldn’t be able to access your account without also having your phone. Using MFA makes it much harder for unauthorized users to get into your account, helping protect your personal information and keeping your account more secure.

We're enforcing the MFA mandate to make sure your accounts and data are as secure as possible. Cyber threats are constantly evolving, and passwords alone are no longer enough to protect against unauthorized access. With MFA, even if someone guesses or steals your password, they still need a second form of verification to log in, like a code from your phone or a fingerprint scan. This extra layer helps block most unauthorized attempts and keeps your information safer.

While MFA has been part of ServiceNow for some time, requiring it for all local login users (excluding snc_external users) is a crucial step to help our customers protect themselves. This change aligns ServiceNow with industry standards and best practices, reflecting our commitment to safeguarding customer data.

Release

Yokohama or a later release.

Instructions

What is the MFA requirement for existing customers?
For existing customers upgrading their instance to Yokohama or a later release: If the instance doesn’t already have the adaptive authentication – MFA context policy turned on, we’ll automatically enable a default MFA policy.

- This means that all internal users (users who do not have the snc_external role) logging in with local or LDAP authentication will need to set up MFA within 30 days of their first successful login.
- During this time, users can log in normally but will see a message at the time of login to enroll in MFA.
- After 30 days, MFA will be required by default, and users won’t be able to log in without completing the MFA setup.

Example scenario 1 for Acme Corp: Currently, the instance does not have an active MFA policy. Imagine Sarah uses local authentication to access an instance. Upon upgrading to the Yokohama release, she’ll see a message about enrolling for MFA when she logs in. She has 30 days to complete this setup. If she doesn’t, after 30 days, her account will require MFA to log in, and she won’t be able to access it until MFA is set up.

Example scenario 2 for Acme Corp: In the same instance, Anita was already using MFA along with local authentication. She will continue to require MFA without the 30-day self-enrollment window.

Example scenario 3 for Acme Corp: In the same instance, Olivia uses SSO for authentication. There will be no impact on her login experience, and MFA will not be enforced for her.

Example scenario 4 for Globex Corp: The Globex ServiceNow instance already had an MFA policy requiring MFA for all local login attempts outside the company’s trusted network. Upon upgrading to Yokohama or a later release, MFA enforcement behavior for user logins will remain the same as before the upgrade.

What is the MFA requirement for new customers?
For any instance provisioned with Yokohama or a later release, MFA will be active by default for all internal users (users who do not have the snc_external role) logging in with local or LDAP authentication from day one. This means internal users who log in without SSO must set up and use MFA from their first login.

MFA Enforcement Scope

- Applied to both new instances (zBoot) and instances upgraded to Yokohama or a higher release version
- Applied to all production and non-production instances
- Applied to all internal users (users without the snc_external role)
- Applied only to non-SSO logins (local and LDAP authentication)
- There is no impact on integrations and API logins

How:

- A default secure MFA policy will be enabled for all non-snc_external users performing local or LDAP authentication.
- Admins can adjust the policy to exempt specific users, roles, or groups from MFA. For detailed steps, please refer to the FAQ article.
- For the first 90 days following the upgrade to Yokohama, all internal users (users without the snc_external role) logging in with local or LDAP authentication will need to set up MFA within 30 days of their first successful login.
- Users can log in normally during this period but will see a message prompting them to enroll in MFA. After 30 days, MFA will be required by default, and users will only be able to log in after completing the MFA setup.
- After 90 days, MFA will be enforced by default. There will be no self-enrollment period for first-time logins. The admin can extend this period to up to 270 days.

Related Links

Please refer to this FAQ Article for more details.
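The enforcement rules described above can be applied to a user export to see who will be prompted and who will be blocked until they enroll. The following is an added example, not ServiceNow code: the record layout, status names and dates are constructed, and it assumes that an enrollment window opened during the 90-day period runs its full 30 days.

```python
from datetime import date, timedelta

ENROLL_WINDOW = timedelta(days=30)   # self-enrollment window stated in the article
IN_SCOPE_AUTH = {"local", "ldap"}    # SSO, integration and API logins are not affected

def mfa_status(user, today, upgrade_date, rollout_days=90, had_mfa_policy=False):
    """Return (status, enrollment_deadline) for one user dict (hypothetical layout)."""
    if rollout_days > 270:
        raise ValueError("the article allows extending the period to at most 270 days")
    if had_mfa_policy:                       # scenario 4: behaviour unchanged by upgrade
        return ("unchanged", None)
    if "snc_external" in user["roles"] or user["auth"] not in IN_SCOPE_AUTH:
        return ("not_affected", None)        # scenario 3: SSO login
    if user["mfa_enrolled"]:                 # scenario 2: MFA simply stays required
        return ("mfa_required", None)
    rollout_end = upgrade_date + timedelta(days=rollout_days)
    first = user["first_login"]              # first successful login after upgrade
    if first is None:                        # has not logged in yet
        if today <= rollout_end:
            return ("window_starts_at_first_login", None)
        return ("must_enroll_at_login", None)
    if first > rollout_end:                  # first login came after the rollout period
        return ("must_enroll_at_login", None)
    # Assumption: a window opened inside the rollout period runs its full 30 days.
    deadline = first + ENROLL_WINDOW
    if today <= deadline:                    # scenario 1: prompted, can still log in
        return ("prompted_to_enroll", deadline)
    return ("must_enroll_at_login", deadline)

def triage(users, today, upgrade_date, **policy):
    """Map each user name to its status so admins can see who needs follow-up."""
    return {u["name"]: mfa_status(u, today, upgrade_date, **policy) for u in users}

# Constructed sample records mirroring the article's Acme Corp scenarios.
UPGRADE = date(2025, 4, 1)
USERS = [
    {"name": "sarah", "roles": ["itil"], "auth": "local",
     "mfa_enrolled": False, "first_login": date(2025, 4, 3)},
    {"name": "anita", "roles": ["itil"], "auth": "local",
     "mfa_enrolled": True, "first_login": date(2025, 4, 2)},
    {"name": "olivia", "roles": ["itil"], "auth": "sso",
     "mfa_enrolled": False, "first_login": date(2025, 4, 2)},
    {"name": "vendor", "roles": ["snc_external"], "auth": "local",
     "mfa_enrolled": False, "first_login": date(2025, 4, 5)},
    {"name": "newhire", "roles": [], "auth": "ldap",
     "mfa_enrolled": False, "first_login": None},
]

if __name__ == "__main__":
    for name, result in triage(USERS, date(2025, 5, 10), UPGRADE).items():
        print(name, result)
```

Users reported as `prompted_to_enroll` with a near deadline are the ones to chase before they are locked out.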