
Unable to Access PDI Due to Lost Passkey and Missing MFA Email Verification

Rakesh_M
Kilo Sage

Hi Community,

I recently faced an issue where I enabled MFA on my PDI, but I lost access to the passkey, and the email account is not properly configured to receive verification codes. However, I also tried disabling MFA via API, but this approach did not work in my case, so I need to explore an alternative way to regain access.

Use Case:
A user is unable to log in to their Personal Developer Instance because their Multi-Factor Authentication is tied to a passkey that was created on an old device, which is no longer available.

Although there is an alternative option to receive a verification code via email, the user is not receiving the MFA email.

As a result, the user is completely locked out of the instance and is looking for a way to reset MFA or regain access without losing existing work.

Approach:

Since I was locked out of the admin account due to MFA, I used another user who still has admin privileges to regain access.

  1. First, I created a scheduled script (via API) that automatically generates a new password for that admin user and logs the temporary password in the system logs.

  2. Then, I used another script to fetch that password from the logs.

  3. With the retrieved password, I logged in using that admin user.

  4. After gaining access, I removed the MFA configuration from the PDI.

In short, I used an alternate admin user, generated a temporary password programmatically, retrieved it from logs, and used it to log back in and fix the MFA issue.

Implementation:
A. Create Scheduled Job to Reset Password

You can find your instance credentials from the ServiceNow Developer Site under Manage My Instance.

As shown in the image below, the highlighted section contains:

  • Instance URL
  • Username (usually admin)
  • Current password

This is the same information you need to use in the script.

PDI credentials.png


Open any Python environment and execute the scripts using your own ServiceNow credentials.
This script creates a scheduled job in ServiceNow that generates a new password for a user and logs it. Here, we are using david.loo as the target user as he has the admin role.

 

import requests
from requests.auth import HTTPBasicAuth
import json

# ===== CONFIG ===== (add your credentials here)
instance = "https://<your-instance>.service-now.com"
username = "<admin_username>"
password = "<admin_password>"


auth = HTTPBasicAuth(username, password)

# ===== API URL =====
url = f"{instance}/api/now/table/sysauto_script"

# ===== PAYLOAD =====
payload = {
    "name": "Reset Password Job",
    "active": "true",
    "run_type": "once",
    "script": """
var username = 'david.loo';

var password = SNC.PasswordPolicyEvaluator.generateUserPassword(username);
gs.info("My Temporary Password: " + password);

var result = SNC.PasswordPolicyEvaluator.setUserPassword(username, password);
""",
   
    "next_action": "2026-04-27 18:30:00",
}

headers = {
    "Content-Type": "application/json",
    "Accept": "application/json"
}

# ===== REQUEST =====
response = requests.post(url, auth=auth, headers=headers, data=json.dumps(payload))

# ===== OUTPUT =====
print("Status Code:", response.status_code)

 

Output:
Screenshot 2026-04-27 at 12.41.27 PM.png

B. Retrieve Password from Logs:

This script is used to fetch the temporary password that was generated by the scheduled job and stored in the system logs.

import requests
from requests.auth import HTTPBasicAuth

instance = "https://<your-instance>.service-now.com"
username = "<admin_username>"
password = "<admin_password>"

auth = HTTPBasicAuth(username, password)

url = f"{instance}/api/now/table/syslog"

params = {
    "sysparm_query": "messageLIKEMy Tem^sys_created_onONToday@javascript:gs.beginningOfToday()@javascript:gs.endOfToday()",
    "sysparm_fields": "message",
    "sysparm_limit": "10"
}

headers = {
    "Accept": "application/json"
}

response = requests.get(url, auth=auth, headers=headers, params=params)

data = response.json()

for record in data.get("result", []):
    print(record["message"])

Output:
Screenshot 2026-04-27 at 1.03.35 PM.png

 

Open your instance URL in a private/incognito window.
It will prompt you for login credentials.

  • Username: david.loo

  • Password: Use the temporary password retrieved from the script output

Then it will prompt you to change the password. Update it with a new password of your choice, and log in again using the updated credentials.

 

 

Once logged in, you can access PDI and remove the MFA configuration.

Drawback:
This approach only works if the last active session of the user was in the Global scope. If the user was in a different application scope when they were last logged out, the scheduled script may not execute as expected.



0 REPLIES 0
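
Added example, not part of the original post: the scheduled job above writes the new password to syslog in clear text, so after recovery it is worth auditing for both the job and the log entry. This sketch runs offline over constructed records shaped like Table API `result` arrays; the function names, the sample `sys_id` values and the sample password are assumptions made for illustration.

```python
import re

# Server-side calls the post's scheduled job uses to generate and set a password.
RESET_CALLS = re.compile(
    r"PasswordPolicyEvaluator\.(?:generateUserPassword|setUserPassword)")
# A gs.* logging call whose argument mentions a password.
LOGS_SECRET = re.compile(
    r"gs\.(?:info|log|print|warn|error|debug)\([^)]*pass", re.I)
# Heuristic for a log message that carries a password value in clear text.
LEAK = re.compile(r"(?i)(pass(?:word|wd)?\s*[:=]\s*)(\S+)")

def audit_jobs(jobs):
    """Flag sysauto_script records that reset a password; note if they log it."""
    return [{"name": j["name"],
             "logs_secret": bool(LOGS_SECRET.search(j.get("script", "")))}
            for j in jobs if RESET_CALLS.search(j.get("script", ""))]

def redact_leaks(log_rows):
    """Return (sys_id, redacted message) for syslog rows exposing a password."""
    hits = []
    for row in log_rows:
        msg = row.get("message", "")
        if LEAK.search(msg):
            hits.append((row["sys_id"], LEAK.sub(r"\1[REDACTED]", msg)))
    return hits

# Constructed sample data: the job script from the post plus an unrelated job.
SAMPLE_JOBS = [
    {"name": "Reset Password Job", "script": """
var username = 'david.loo';
var password = SNC.PasswordPolicyEvaluator.generateUserPassword(username);
gs.info("My Temporary Password: " + password);
var result = SNC.PasswordPolicyEvaluator.setUserPassword(username, password);
"""},
    {"name": "Nightly cleanup", "script": "gs.info('cleanup done');"},
]
# Constructed syslog rows; the password value is a made-up placeholder.
SAMPLE_LOGS = [
    {"sys_id": "constructed-1", "message": "My Temporary Password: Ex@mple-Only-123"},
    {"sys_id": "constructed-2", "message": "Scheduled job finished"},
]

if __name__ == "__main__":
    for finding in audit_jobs(SAMPLE_JOBS):
        print("job:", finding)
    for sys_id, message in redact_leaks(SAMPLE_LOGS):
        print("syslog:", sys_id, message)
```

On a live instance the same functions can be applied to the `result` arrays returned by `sysauto_script` and `syslog` Table API queries like the ones in the post, and the flagged job and log rows can then be reviewed for removal.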