Multi-factor authentication with SMS OTP

Randheer Singh
ServiceNow Employee
ServiceNow Employee
‎02-16-2023 10:05 AM

In today's world, security is more important than ever. With the rise of cyber threats and online attacks, it is crucial to protect personal and business information from unauthorized access. One way to increase security is by implementing multi-factor authentication (MFA), which requires users to provide more than one form of authentication to access an online account.

 

One common form of MFA is SMS One-Time Password (OTP) authentication, which involves sending a unique password to a user's phone via SMS. The user must enter this password along with their regular username and password to gain access to the account.

 

SMS OTP authentication is an easy and cost-effective way to implement MFA, as it does not require the use of additional hardware or software. It is also user-friendly, as most people have access to a mobile phone and are comfortable with receiving and entering codes.

 

However, like any security measure, SMS OTP authentication has its drawbacks and limitations. For example, SMS messages can be intercepted or blocked, and phones can be lost or stolen. SMS OTP-based MFA is also vulnerable to SIM swapping and phishing attacks. In addition, some users may find the process of receiving and entering codes to be cumbersome or time-consuming.

 

Despite these limitations, SMS OTP authentication remains a popular and effective way to implement MFA. In this blog, we will explore how SMS OTP-based multi-factor authentication can be enabled on ServiceNow Platform authentication and provide best practices for implementing this authentication method in your organization. Please remember that SMS OTP-based MFA is always better than no MFA.

 

This feature is getting released as part of the Utah release. The feature will help meet the use case of enforcing MFA without requiring users to download an authenticator app.

 

Step by Step guide to enable SMS-OTP-based MFA

 

Pre-requisites

For delivering SMS, we need to integrate with a cPaaS solution such as Twilio, InfoBip, Vonage, etc. Alternatively, you can use your own SMS-sending APIs that can be invoked using the script/workflow from ServiceNow.

 

Out of the box, we provide configuration with Twilio. You can provide Twilio Account SID and Auth token to deliver OTP through SMS using Twilio. You can use a custom script for other providers to send SMS OTP.

 

Activate plugins

Install the plugin Multi-factor authentication with SMS (com.snc.authentication.sms_mfa). This is a free plugin. If not already installed, this will also install, Notify - Twilio Direct Driver (com.snc.notify.twilio_direct) and Adaptive Authentication (com.snc.adaptive_authentication), and MFA plugins.

 

RandheerSingh_0-1676559365752.png

 

Configure MFA Policy

If you do not already have an active MFA context policy, as a first step, we will configure an adaptive authentication (AA) policy to enforce MFA dynamically.

We can either use the existing step-up MFA policy or create a new policy and associate it with the MFA context.

 

Using an AA policy, an admin can enforce MFA dynamically based on network (IP address), role, and group membership. Please refer to this documentation to learn more about the MFA context policy.

 

From this blog perspective, we will create a policy for enforcing MFA for all users with “snc_internal” or “snc_external” roles. For snc_internal users, we will enforce MFA with the authenticator app, while for “snc_external” users, we will enforce MFA with SMS OTP.

 

Step 1. Create two role filter criteria

  1. Has snc_internal role

    RandheerSingh_0-1676559500307.png
  2. Has snc_external role

    RandheerSingh_1-1676559688933.png


Step 2. We will add these two filter criteria to an existing AA policy (Step-Up MFA Policy)

RandheerSingh_0-1676569599961.png

 

Step 3: Now, we will add a condition in the Step-Up MFA Policy to enforce MFA when the user has snc_external or snc_internal users.

RandheerSingh_1-1676569628779.png

 

Step 4: Finally, we will activate this policy and associate it with the MFA context record with the default policy field selected as “Step-Up MFA policy”

RandheerSingh_2-1676569662092.png

 

Step 5: We also need to enable the Adaptive authentication property.

  1. Open Adaptive Authentication > Properties
  2. Adaptive Authentication -> Authentication Policies -> Properties
  3. Enable the following properties.
    • Enable Authentication Policy

RandheerSingh_4-1676569708245.png

 

Upon completing this step, users doing local login with snc_internal and snc_external roles will start seeing the MFA setup screen.

 

RandheerSingh_5-1676569753950.png

 

However, for users with the snc_external role, we do not want to enforce MFA with the authenticator app. We want to show them SMS OTP-based MFA. Let’s configure the policy to show SMS OTP-based MFA.

 

Configure SMS OTP as MFA factor Policy

To control SMS OTP-based MFA, we need to configure the factor policy. SMS OTP-based MFA will be shown to the users for whom the policy associated with the SMS factor evaluates to true.

  1. Open Adaptive Authentication > Auth policy Context > MFA context
  2. Go to the MFA factor policies tab
  3. Click on the policy associated with the SMS MFA factor.

    RandheerSingh_6-1676569833832.png

  4. Now we will update the policy “Display SMS OTP as an MFA Factor Policy” to show MFA.

    1. In the policy, we will add the “Has snc_external role” role filter criteria as a policy input.

      RandheerSingh_7-1676569905314.png

       

    2. Now, we will also add a policy condition using this input.

      RandheerSingh_9-1676570014754.png

       

    3.  Also, we will activate this policy.

We have completed the policy configuration for showing SMS OTP-based MFA to users. We will now configure the SMS delivery mechanism.

Note: Email OTP-based MFA can be configured following similar steps.

 

Configure SMS OTP provider

In this example, we will use Twilio for SMS OTP delivery. If the Twilio-direct configuration still needs to be configured. We can follow these steps.

 

Role required: notify_admin

  1. Navigate to All > Notify > Administration > Twilio Direct Configuration.
  2. On the Twilio Account Properties page, enter your Account SID.
  3. Enter your Auth Token.
  4. Click Connect.

If the account is not associated with an instance and the connection is successful, a read-only list of E.164 and short code phone numbers associated with this Twilio account appears. This list displays the phone number, supported capabilities such as voice or SMS, the country for each Twilio number, and the Notify number group to which the number belongs.

 

Here are the detailed steps for configuring a Twilio account with ServiceNow

You can follow the steps provided here to use a provider other than Twilio or get the user’s phone number from a table other than the sys_user table.

 

Login Flow

  • Once the configuration is done, users with snc_external will start seeing SMS OTP-based MFA in their login flow.
  • Unless the admin has configured otherwise using provider configuration, SMS OTP will be delivered on the user's mobile phone number available at the sys_user record level.
  • By default, SMS OTP will be valid for 5 minutes. This duration can be controlled with the “glide.multifactor.onetime.code.validity” system property.
  • If the user is not receiving the OTP, resend OTP option will appear after 30 seconds. Resend option is available three times by default. It can be updated up to five attempts by creating a system property multifactor.auth.one.time.password.max.retry (Minimum 1, Max 5)
  • If the user’s phone number is unavailable on the sys_user record, the user will not see the SMS MFA OTP option.
  • If the Email factor policy is active and evaluating to true, users will see MFA with the email OTP option.
  • If the Email factor policy is inactive or evaluated as false, the user will be asked to complete the default MFA factor using the authenticator app.

RandheerSingh_10-1676570101910.png

 

Important Notes

  1.  If the user has already configured the authenticator app and FIDO2 authenticator(s), s/he will see the SMS OTP option and other pre-configured factors. Users can choose any MFA method and log in.
  2. Similarly, suppose the email factor policy associated with the MFA context record is active and evaluating true for the user. In that case, the Email OTP option will also appear in the available MFA methods list.
  3. Apart from an active email factor policy, users will also see the email OTP option if the “Enable email OTP for Multi-factor authentication” system property (glide.authenticate.multifactor.email.otp.enabled) is true.RandheerSingh_11-1676570146378.png
  4. If the user is unable to complete the MFA with SMS OTP, s/he can go back to the MFA factor option screen by clicking on the “Try other way to verify” link.RandheerSingh_12-1676570254222.png

 

Best Practices

  1. Avoid providing SMS OTP /Email OTP-based MFA options to highly privileged users like admin, security admin, user admin, and scoped app admins. Using the SMS factor policy, you can control the visibility of SMS and Email OTP-based MFA.

 

  1. If you want to show only the SMS OTP factor to a specific set of users
    1. Ensure the Email OTP factor policy is configured correctly so that it evaluates false for this set of users
    2. Ensure the users' existing authenticator app setup records are marked invalidated or removed.
      1.      Go to All > Multi-factor Authentication > User Multi-factor Setup
      2.      Set validate field as false for the users for whom we only want to show SMS OTP-based MFA

 

Further reading

  1. MFA context documentation
  2. SMS as MFA factor documentation
  3. Configure provider for delivering SMS OTP
  4. Configure Vonage provider for SMS OTP delivery
  5. FIDO2-based – Use Biometric or hardware security keys for MFA.

 

Feedback/Suggestions

Please provide your suggestion in the comments.

 

 

  • 10,113 Views
31 Comments