Password Reset verifications

  • Release version: Washingtondc
  • Updated February 1, 2024
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Password Reset verifications Extend ServiceNow AI Platform capabilities

    The Password Reset application in ServiceNow provides various verification methods to confirm a user's identity when requesting a password reset. Each verification method enhances security and user experience by enabling self-service options through different channels such as email, SMS, and security questions.

    Show full answer Show less

    Key Features

    • QA Verification: Users answer selected security questions during enrollment, which are presented during the reset process to verify their identity.
    • Email Verification: A verification code is sent to the user's registered email address, expiring within 10 minutes, with a maximum of 10 codes sent per day.
    • SMS Verification: Similar to email verification, a code is sent to an authorized SMS-capable device, expiring in 5 minutes, with the same daily limit.
    • Authenticator Verification: Users enter a code from an authenticator app for identity verification during password resets.
    • Personal Data Verifications: Users confirm their identity using personal information stored in their profiles, including confirming email addresses or entering their usernames.
    • Soft PIN Verification: Users can set up a six-digit Soft PIN for password resets, which is supported by the ServiceNow Virtual Agent.

    Key Outcomes

    By utilizing these verifications, ServiceNow customers can improve the security of password resets, reduce dependency on IT support, and enhance user satisfaction through efficient self-service options. Each verification method can be tailored based on user preferences and organizational policies, ensuring a flexible and secure password management process.

    Each verification specifies the method and process for verifying the identity of the user that is requesting a password reset.

    Verifications included with Password Reset

    The Password Reset application includes the following verifications in the base system. You can create a verification based on either a base-system verification or a verification type (a template).

    Note:
    The Password Reset Windows Application doesn’t support custom verifications.
    Table 1. Password Reset verifications
    QA verification Implements a self-service Password Reset model with questions that are included with the base system or custom questions that the admin defines. While enrolling for the process, the user decides which questions to provide answers for. Questions are presented in the language that the user requested during login.
    When a user requests a password reset, the system poses a specified number of the questions that the user selected during enrollment. The user must answer all questions correctly to verify their identity.
    Figure 1. QA verification on the Verify page
    QA verification on the Verify page.

    For information on the user enrollment experience, see Enroll for the Password Reset program using questions and answers.

    This verification is based on the Security Questions verification type.
    Email verification This verification relies on auto-generated code numbers. You typically implement email verification as a self-service Password Reset model.

    When a user requests a password reset, the system sends a verification code to an email address that the user authorized during enrollment. To verify identity, the user then submits the code on the Password Reset Verify page.

    For information on the user enrollment experience, see Enroll for the Password Reset program using emailed codes.

    The Password Reset Windows Application supports email verification.

    This verification is based on the Email Code verification type.

    By default, a six-digit email verification code is sent to the user through email. The code expires in 10 minutes. Users can attempt to send another code after two minutes. A maximum of 10 email verification codes can be sent to a user in one day.
    SMS verification Implements a self-service or service desk-assisted Password Reset model that relies on auto-generated code numbers.

    When a user requests a password reset, the system sends a code to an SMS-capable device that the user has authorized. To verify identity, the user then submits the code on the Password Reset Verify page.

    You can use the ServiceNow Notify feature to send the codes.

    For information on the user enrollment experience, see Enroll for the Password Reset program using SMS codes.

    This verification is based on the SMS Code verification type.

    When users enroll for email or SMS verification on the Password Reset Enrollment page, they get a code to verify their email address or device. After the users enter the code and select Verify, an associated record is automatically created in the Password Reset Enrollment for Verifications [pwd_enrollment] table even before they select Submit.

    By default, a six-digit verification code is sent to the user's mobile device. The code expires in five minutes. Users can attempt to send another SMS verification code to the device after two minutes. A maximum of 10 codes can be sent to a particular device in one day.

    Note:
    While the record is created automatically in the Password Reset Enrollment for Verifications [pwd_enrollment] table for the email or SMS verification, the associated enrollment check script doesn’t get processed unless users select Submit.
    Authenticator verification Password Reset model that relies on auto-generated code numbers. Users typically implement authenticator verification as a self-service Password Reset model.

    When a user requests a password reset, the user reads a code from the authenticator app on a device that the user has paired. To verify identity, the user then submits the code on the Password Reset Verify page.

    For information on the user enrollment experience, see Enroll for the Password Reset program using an authenticator.

    The Password Reset Windows Application supports Google Authenticator verification.

    This verification is based on the authenticator verification type.
    Personal Data — Confirm Email Address Implements a self-service Password Reset model that relies on user information that is available in the user profile on the instance.

    This verification is based on the Personal Data Confirmation verification type.

    Note:
    Users can't configure this verification for the processes with the active public access.
    Personal Data — Enter User Name Implements a self-service Password Reset model that relies on user information that is available in the user profile on the instance.

    This verification is based on the Personal Data verification type.
    Soft PIN Verification Implements a self-service Password Reset model that relies on a Soft PIN that's a six-digit number. Users can enroll for the Soft PIN verification for a process and reset the Soft PIN. ServiceNow® Virtual Agent supports the Soft PIN verification method.