Remove Multi-factor Authentication pairing

Import · Mar 17, 2020 · article

Articles, Blogs, Videos, Podcasts, Share projects - Experiences from the field

Hi there,

With Multi-factor Authentication enabled on your instance, users probably use an authenticator app on their mobile device, such as "Google Authenticator". The user account and the user's mobile device are paired.

So what if a user has a new mobile device? The old pairing doesn't work anymore, so the user will not be able to log in… HELP!!!

A short article on experiences gained on the job.

Docs

The ServiceNow Product Documentation does mention the pairing briefly:

Q: What if I must change devices and re-pair or reenter the code into a different mobile device?

A: Go to your user profile in the ServiceNow instance under My Profile and click multi-factor authentication to get access to the code to reenter and pair your device.

That's nice… though the user can't log in anymore, so how should the user reach the My Profile page?

User Multifactor Authentications

The pairing records between the user accounts and the mobile devices are stored in the "User Multifactor Authentications" table [user_multifactor_auth].

The simplest thing to do would be for an administrator to remove the record in the Multifactor Authentications table for the user concerned. Once the user tries to log in again, they are presented with the "Enable multi-factor authentication" page, where they can create a new pairing.

UI Action

What we came up with was a Related Link (UI Action) on the User record form layout, with which the pairing can easily be removed. The ServiceNow Administrator doesn't have to know the User Multifactor Authentications table by heart; this saves time and makes maintenance easier.

UI Action

Name: Remove Multi-factor Authentication pairing

Table: User [sys_user]

Order: 100

Active: Checked

Show update: Checked

Form link: Checked

Comments: Related link which is shown when a user has an active Multi-factor Authentication pairing. The related link performs a delete on the record.

Condition:

gs.getUserID() != current.getUniqueValue() && gs.getProperty('glide.authenticate.multifactor') == 'true' && current.active && new QT_MultifactorAuthenticationUtils().get_pairing(current.getUniqueValue())

Script:

(function() {

    // Script Include and function called upon
    new QT_MultifactorAuthenticationUtils().remove_pairing(current.getUniqueValue());

})();

Script Include

Name: QT_MultifactorAuthenticationUtils

Accessible from: This application scope only

Active: Checked

Description: Script Include which holds the functions used within the QT Core Configuration add-on for Multifactor Authentication.

Script:

// Class and function(s)
var QT_MultifactorAuthenticationUtils = Class.create();
QT_MultifactorAuthenticationUtils.prototype = {

    initialize: function() {
    },

    get_pairing: function(sys_id) {

        // Get the record
        var grUserMultifactorAuth = new GlideRecord('user_multifactor_auth');

        if(grUserMultifactorAuth.get('user', sys_id)) {
            return true;            
        }
        return false;

    },

    remove_pairing: function(sys_id) {

        // Get the record
        var grUserMultifactorAuth = new GlideRecord('user_multifactor_auth');

        if(grUserMultifactorAuth.get('user', sys_id)) {
            grUserMultifactorAuth.deleteRecord();
        }

    },

    type: 'QT_MultifactorAuthenticationUtils'

};
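
A hardened variant of `remove_pairing`, given here as an added example that is not part of the original article or its update set: it checks the admin role inside the script, removes every pairing row for the user in case more than one exists, and logs who reset whose pairing. The function name `removePairingAudited`, the injected `gs` / `GlideRecord` parameters and the in-memory stubs are assumptions made so the block also runs outside an instance.

```javascript
// Added example: hardened variant of remove_pairing(). The function name and the
// injected gs / GlideRecord parameters are assumptions so it also runs in Node.js.
function removePairingAudited(userSysId, gs, GlideRecord) {
    // Only administrators may reset another user's second factor.
    if (!gs.hasRole('admin')) {
        gs.info('MFA pairing reset DENIED: actor=' + gs.getUserID() + ' target=' + userSysId);
        return -1;
    }
    var gr = new GlideRecord('user_multifactor_auth');
    gr.addQuery('user', userSysId);
    gr.query();
    var removed = 0;
    // Delete every pairing row for the user, not just the first match.
    while (gr.next()) {
        if (gr.deleteRecord()) removed++;
    }
    // Leave an audit trail: who reset whose pairing, and how many rows.
    gs.info('MFA pairing reset: actor=' + gs.getUserID() + ' target=' + userSysId + ' removed=' + removed);
    return removed;
}

// --- Constructed in-memory stand-ins for the platform objects (offline demo only) ---
function makeStubs(actorId, roles, rows) {
    var log = [];
    var gs = {
        hasRole: function (r) { return roles.indexOf(r) !== -1; },
        getUserID: function () { return actorId; },
        info: function (m) { log.push(m); }
    };
    function GlideRecord(table) { this.table = table; this.hits = []; this.cur = null; }
    GlideRecord.prototype.addQuery = function (f, v) { this.f = f; this.v = v; };
    GlideRecord.prototype.query = function () {
        var self = this;
        this.hits = rows.filter(function (r) { return r[self.f] === self.v; });
    };
    GlideRecord.prototype.next = function () { this.cur = this.hits.shift(); return !!this.cur; };
    GlideRecord.prototype.deleteRecord = function () {
        rows.splice(rows.indexOf(this.cur), 1);
        return true;
    };
    return { gs: gs, GlideRecord: GlideRecord, log: log, rows: rows };
}
```

On an instance, pass the platform's own `gs` and `GlideRecord`; the log line gives reviewers a record of each pairing reset to compare against help desk tickets.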

Result

When an Administrator opens a User record for a User that has Multifactor Authentication enabled, a new UI Action is visible under the Related Links.

Share

An Update Set with this Service Portal widget can be downloaded from Share:

- Remove Multi-factor Authentication pairing

---

And that's it actually. Hope you like it. If any questions or remarks, let me know!

Kind regards,

Mark Roethof

ServiceNow Technical Consultant @ Quint Technology

1x ServiceNow Developer MVP

1x ServiceNow Community MVP

---


View original source

https://www.servicenow.com/community/developer-articles/remove-multi-factor-authentication-pairing/ta-p/2314271