Explore authentication factors for AI voice agents
Authentication factors are the elements used for caller identification and authentication. In secure voice agent environments, the process begins with identifying the caller, followed by authenticating their identity before granting access. A robust security strategy combines multiple factors to confirm that only authorized users interact with AI voice agents.
When configuring an AI voice service to support natural, conversational exchanges, it’s crucial to select authentication factors that reliably verify a user's identity. Caller access to specific voice agents is determined by the authentication types and methods configured by the administrator.
In this context, two categories of authentication mechanisms are supported:
Single-factor authentication
Single-factor authentication requires the caller to verify their identity through one method. Any of the six supported factors can be configured as a standalone factor.
Multi-factor authentication
Multi-factor authentication (MFA) requires callers to pass two verification methods in sequence. This raises the assurance level of the session and restricts access to sensitive data and actions.
- Primary factor: The initial verification method (for example, Soft PIN or TOTP).
- Secondary factor: An additional verification method that increases confidence in the caller’s identity (for example, SMS OTP or Okta Verify push notification).
Note: MFA is enabled by default. To make single-factor authentication the default behavior, set the glide.voice.authenticate.mfa_mandatory system property to false.
Overview of the supported authentication factors
Time-based one-time password (TOTP) authentication
TOTP is a temporary numeric code generated by an authenticator app, such as Okta Verify, on the caller's registered device. Codes are generated locally and are resistant to interception, making TOTP well-suited for both single-factor and MFA configurations. Callers can enter the code via keypad or by speaking the digits.
Push notification - Okta Verify
Callers approve an authentication request via a push notification sent to their registered mobile device. This factor requires no code entry and is low-friction. It is effective as both a primary and secondary factor. An internet connection and a registered device with Okta Verify installed are required.
Soft PIN authentication
Soft PIN is a 6-digit numeric code the caller enrolls in advance. It is device-independent and quick to use across conversational AI channels, such as AI voice agents. Callers can enter the PIN through keypad or by speaking the digits. Because a PIN can be observed or shared, Soft PIN is best used alongside a second factor for sensitive actions.
SMS One-time passcode (OTP) authentication
SMS OTP delivers a temporary numeric code to the caller's registered mobile number. It is widely recognized and requires no app installation. Callers can enter the code via keypad or by speaking the digits. SMS OTP is susceptible to SIM-swapping and delivery delays and should not be the sole factor for critical operations.
Email One-time password (OTP) authentication
Email OTP delivers a temporary numeric code to the caller’s registered email address. It is easy to deploy and familiar to most users. Callers can enter the code via keypad or by speaking the digits. Email OTP is susceptible to email account compromise and phishing, and should not be used as a standalone factor for sensitive operations.
Knowledge-based authentication (Security Questions)
KBA presents the caller with pre-configured questions, such as "What are the last four digits of your employee ID?". The answers can be validated against ServiceNow AI Platform tables or external systems via custom scripts. KBA is used primarily for caller identification and low-risk authentication scenarios. Because answers can be social-engineered, KBA should not be used as a standalone factor for sensitive actions. Callers can respond via keypad or by speaking their answer.
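The sequential MFA flow and the TOTP and Soft PIN factors described above, modelled as an added illustration (this is not ServiceNow's or Okta's code): TOTP follows RFC 6238 with a one-step tolerance window because a caller reading digits aloud is slower than typing, the Soft PIN is checked against a salted hash in constant time, and the secondary factor is only evaluated when the primary passes and the mfa_mandatory flag (standing in for glide.voice.authenticate.mfa_mandatory) is true. The secret, salt and PIN are constructed sample values.

```python
import base64, hashlib, hmac, struct
from typing import Callable, Optional

# Constructed sample enrollment (not real caller data): the RFC 6238 test secret and a demo Soft PIN.
DEMO_TOTP_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # base32 of "12345678901234567890"
DEMO_PIN_SALT = b"constructed-salt"
DEMO_PIN_HASH = hashlib.pbkdf2_hmac("sha256", b"493217", DEMO_PIN_SALT, 100_000)

def digits_only(caller_input: str) -> str:
    """Normalise keypad or spoken input ('2 8 7 0 8 2') to a plain digit string."""
    return "".join(ch for ch in caller_input if ch.isdigit())

def totp_code(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)

def verify_totp(secret_b32: str, caller_input: str, unix_time: int, window: int = 1) -> bool:
    """Accept the adjacent time steps too: speaking six digits takes several seconds."""
    entered = digits_only(caller_input)
    return any(
        hmac.compare_digest(totp_code(secret_b32, unix_time + k * 30), entered)
        for k in range(-window, window + 1)
    )

def verify_soft_pin(caller_input: str, salt: bytes, stored_hash: bytes) -> bool:
    """Soft PIN check against a salted PBKDF2 hash; constant-time compare avoids timing leaks."""
    entered = digits_only(caller_input)
    if len(entered) != 6:  # the factor is defined as a 6-digit PIN
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", entered.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, stored_hash)

def run_mfa(primary: Callable[[], bool], secondary: Optional[Callable[[], bool]],
            mfa_mandatory: bool = True) -> str:
    """Sequential verification: the secondary factor runs only after the primary passes,
    and is required only while MFA is mandatory (the page's default)."""
    if not primary():
        return "denied"
    if mfa_mandatory and (secondary is None or not secondary()):
        return "denied"
    return "authenticated"
```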
For details on configuring voice input for authentication factors, see Configure voice input for authentication factors.
To learn more about voice services and how to create them, see Create an AI voice assistant.