Explore authentication factors for AI voice agents
Authentication factors are the elements used for caller identification and authentication. In secure voice agent environments, the process begins with identifying the caller, followed by authenticating their identity before granting access. A robust security strategy combines multiple factors to confirm that only authorized users interact with AI voice agents.
When configuring an AI voice service to support natural, conversational exchanges, it’s crucial to select authentication factors that reliably verify a user's identity. Caller access to specific voice agents is determined by the authentication types and methods configured by the administrator.
In this context, two categories of authentication mechanisms are supported:
Single-factor authentication
Single-factor authentication requires the caller to verify their identity through one method. Any of the six supported factors can be configured as a standalone factor.
Multi-factor authentication
Multi-factor authentication (MFA) requires callers to pass two verification methods in sequence. This raises the assurance level of the session and restricts access to sensitive data and actions.
- Primary factor: The initial verification method (for example, Soft PIN or TOTP).
- Secondary factor: An additional verification method that increases confidence in the caller’s identity (for example, SMS OTP or Okta Verify push notification).
Note: MFA is enabled by default. To make single-factor authentication the default behavior, set the glide.voice.authenticate.mfa_mandatory system property to false.
Overview of the supported authentication factors
- Time-based one-time password (TOTP) authentication
- TOTP is a temporary numeric code generated by an authenticator app, such as Okta Verify, on the caller's registered device. Codes are generated locally and are resistant to interception, making TOTP well-suited for both single-factor and MFA configurations. Callers can enter the code via keypad or by speaking the digits.
- Push notification - Okta Verify
- Callers approve an authentication request via a push notification sent to their registered mobile device. This factor requires no code entry and is low-friction. It is effective as both a primary and secondary factor. An internet connection and a registered device with Okta Verify installed are required.
- Soft PIN authentication
- Soft PIN is a 6-digit numeric code the caller enrolls in advance. It is device-independent and quick to use across conversational AI channels, such as AI voice agents. Callers can enter the PIN through keypad or by speaking the digits. Because a PIN can be observed or shared, Soft PIN is best used alongside a second factor for sensitive actions.
- SMS One-time passcode (OTP) authentication
- SMS OTP delivers a temporary numeric code to the caller's registered mobile number. It is widely recognized and requires no app installation. Callers can enter the code via keypad or by speaking the digits. SMS OTP is susceptible to SIM-swapping and delivery delays and should not be the sole factor for critical operations.
- Email One-time passwords (OTP) authentication
- Email OTP delivers a temporary numeric code to the caller’s registered email address. It is easy to deploy and familiar to most users. Callers can enter the code via keypad or by speaking the digits. Email OTP is susceptible to email account compromise and phishing, and should not be used as a standalone factor for sensitive operations.
- Knowledge-based authentication (Security Questions)
- KBA presents the caller with pre-configured questions, such as "What are the last four digits of your employee ID?". The answers can be validated against ServiceNow AI Platform tables or external systems via custom scripts. KBA is used primarily for caller identification and low-risk authentication scenarios. Because answers can be social-engineered, KBA should not be used as a standalone factor for sensitive actions. Callers can respond via keypad or by speaking their answer.
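The standalone-factor caveats above can be turned into a configuration check. The following JavaScript is an added example, not ServiceNow code: the agent objects, the factor identifiers and the sensitive flag are hypothetical, and it assumes that a glide.voice.authenticate.mfa_mandatory value of true means every agent needs two distinct factors.

```javascript
// Added example: audit voice-agent authentication settings against the
// per-factor caveats in the overview. Config shape and factor ids are hypothetical.
const STANDALONE_CAVEATS = {
  soft_pin: "a PIN can be observed or shared",
  sms_otp: "susceptible to SIM-swapping and delivery delays",
  email_otp: "susceptible to email account compromise and phishing",
  kba: "answers can be social-engineered",
};
// TOTP and Okta Verify push carry no standalone caveat on this page.
const KNOWN_FACTORS = new Set(["totp", "okta_push", ...Object.keys(STANDALONE_CAVEATS)]);

function auditVoiceAgents(agents, mfaMandatoryProperty) {
  // Property values are strings; MFA is enabled by default, so unset means true.
  const mfaMandatory = String(mfaMandatoryProperty ?? "true").toLowerCase() !== "false";
  const findings = [];
  for (const agent of agents) {
    const factors = [...new Set(agent.factors || [])]; // a repeated factor counts once
    const unknown = factors.filter((f) => !KNOWN_FACTORS.has(f));
    if (unknown.length > 0) {
      findings.push({ agent: agent.name, issue: `unknown factor: ${unknown.join(", ")}` });
      continue;
    }
    if (factors.length === 0) {
      findings.push({ agent: agent.name, issue: "no authentication factor configured" });
      continue;
    }
    if (mfaMandatory && factors.length < 2) {
      findings.push({ agent: agent.name, issue: "MFA is mandatory but fewer than two distinct factors are configured" });
    }
    const caveat = STANDALONE_CAVEATS[factors[0]];
    if (factors.length === 1 && agent.sensitive && caveat) {
      findings.push({ agent: agent.name, issue: `${factors[0]} is the sole factor for sensitive actions (${caveat})` });
    }
  }
  return findings;
}

// Constructed sample configuration, not taken from a real instance.
const SAMPLE_AGENTS = [
  { name: "hr-benefits", sensitive: true, factors: ["soft_pin", "okta_push"] },
  { name: "password-reset", sensitive: true, factors: ["sms_otp"] },
  { name: "office-hours", sensitive: false, factors: ["kba"] },
  { name: "payroll", sensitive: true, factors: ["soft_pin", "soft_pin"] },
];

for (const f of auditVoiceAgents(SAMPLE_AGENTS, "false")) {
  console.log(`${f.agent}: ${f.issue}`);
}
```

With the property set to false, only the agents that protect sensitive actions with a single caveated factor are reported; with the default value, every agent lacking a second distinct factor is reported as well.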
For details on configuring voice input for authentication factors, see Configure voice input for authentication factors.
To learn more about voice services and how to create them, see Create an AI voice assistant.