Time limited authentication with SMS - Twilio Tutorial
Set up time limited authentication with MFA factors such as SMS using Twilio.
Before you begin
Role required: admin
Plugins required:
- com.snc.authenticate.time_limited_authentication (Time Limited Authentication)
- com.snc.authentication.sms_mfa (Multi-factor authentication with SMS)
Note:
Time limited authentication (TLA) is specific to a ServiceNow instance; the customized links for users can only be created within ServiceNow.
The tutorial instructions enable an admin to provide a link-based login, with SMS as the second factor (MFA), for users who hold a specific role.
After a successful configuration, the system generates a link and shares it with the user through a notification (email/SMS) channel. When the user selects the link, they are prompted to enter the OTP that was sent to the email or SMS factor, depending on the user's role (configuration).
Note:
- TLA should always be followed by MFA and MFA should be enabled by an admin using Adaptive Authentication for TLA login. To learn more about how to configure MFA with Adaptive Authentication, see MFA (Multi-Factor Authentication) context.
- TLA should be used for the users who have limited privileges.
Procedure
- Create a Twilio configuration.
  - Create a Twilio test account. For more information, see Twilio.
  - Navigate to All > Notify > Administration > Twilio Direct Configuration.
  - Provide the Account SID and Auth token (created in Twilio) and save the record.
    Note: You can create your own provider configuration and use that for TLA. In this example, it is Twilio. To learn more about how to create an MFA provider configuration, see Configure MFA Provider.
- Configure and enable the time limited authentication (TLA) record.
  - Navigate to All > Time Limited Authentication Config records and select New.
  - On the form, fill in the fields.
    Table 1. Time Limited Authentication Properties
    - Name: Name of the record.
    - One time use: Select to allow the TLA link to be used once.
    - Expiry: Specify the seconds until the link expires. The default is 45 minutes.
    - Failed Redirect: Enter the URL to redirect users to after a failed authentication.
    - Single Sign-On Script: Details of the SSO script that you want to use.
    - Active: Option to make the configuration active.
    - Max login attempts: Specify the number of login attempts allowed with the generated TLA link. Clear the One time use check box to provide the max number of attempts.
    - External logout redirect: Enter the URL to redirect users to after logout.
  - Select Submit.
  - Navigate to All > Multi-Provider SSO > Administration > Properties, enable the Enable multiple provider SSO property, and Save.
- Allow TLA only for a specific user persona using the post-authentication context policy.
  - Navigate to Roles and create a role. For example: remote_worker.
  - Create a user with a valid email ID and mobile number. To learn how to create a user, see Create a user.
  - Assign the role to the user. To learn how to assign the role to the user, see Assign a role to a user.
  - To create a role filter criteria, navigate to All > Adaptive Authentication > Role Filter Criteria, create a filter named remoteworkerrole, and set the condition Role is remote_worker.
  - To add a policy condition to the deny policy context based on the IdP and the role filter criteria, navigate to All > Adaptive Authentication > Post Authentication Context.
  - Select the information icon and Open the Record.
  - In the Policy Input, select Edit, add remoteworkerrole, and Save.
  - In the Policy Condition, add the condition for the policy input and Submit the record.
- Configure the step-up authentication policy (MFA context).
  - Navigate to All > Multi-factor Criteria.
  - Select Role based multi-factor authentication, add the role under the Multi-factor Roles section, and Update. In this example: remote_worker.
  - Navigate to All > Adaptive Authentication > MFA Context.
  - Make sure that these fields are set as follows:
    - Default Policy field is Step-up MFA Policy
    - Step-Up MFA Policy is Step-up MFA Policy
  - Select the Information icon and Open Record.
  - On the Step-Up MFA Policy form, in the Policy Inputs, select Edit.
  - Add the Role based multi-factor authentication to the list and Save. In this example, remoteworkerrole.
  - In the Policy Condition, select Enforce MFA if Role based or User based MFA settings are true.
  - On the Enforce MFA if Role based or User based MFA settings are true page, make sure Role Based MFA is true.
- Enforce the MFA to use SMS as the MFA factor policy.
  - Navigate to All > Adaptive Authentication > MFA Context.
  - On the MFA Context page, select MFA Factor Policies and select the policy Display SMS OTP as an MFA Factor Policy.
  - Select Edit and add remoteworkerrole in the Policy Inputs.
  - Select Policy Conditions and create a policy condition.
  - Select Submit.
    The TLA link generated and shared with users who match remoteworkerrole will prompt them to use the SMS code as a second factor to log in to the instance.
- Enable the other required properties.
  - Navigate to All > Multi-factor Authentication > Properties.
  - Select the following check boxes:
    - Enable Multi-factor authentication
    - Enable Multi-factor Authentication with SSO
  - Save the record.
  - Navigate to All > Adaptive Authentication > Authentication Policies > Properties.
  - Select the Enable Authentication Policy check box.
  - Save the record.
- Generate a TLA link (example).
  - Navigate to All > System Definition > Scripts – Background.
  - Use the following API, providing the user sys_id and the TLA config sys_id:
      var tla = new global.TimeLimitedAuthentication();
      gs.info(tla.generateNonce("user_sysid", "config1_sys_id", "IAR2"));
    Note: The source (IAR2) is not a required parameter.
  - The query parameters are returned as shown:
      nonce=VCeinfboDt0M&glide_sso_id=b3277f1b44351110f8779b5a2d9909f3&user=3b0277d344351110f8779b5a2d99099a&source=IAR2
  - Create a URL in the following format:
      https://<instance-url>/login_with_sso.do?uri=<encoded url>&nonce=2olIQSxdgkjs&glide_sso_id=0c15bf09c3711110c5ec4e483c40dd7a&user=62826bf03710200044e0bfc8bcbe5df1&source=IAR
  - Select the URL, and the MFA screen is displayed for login.
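The last two steps above leave the admin to assemble the login URL by hand, including percent-encoding the landing-page uri. The following is an added example, not ServiceNow's or Twilio's code, that does that assembly in plain Node.js from the query string generateNonce() returns: it checks that the required nonce, glide_sso_id and user parameters are all present (source is optional, as the note says), encodes the uri so its own '/', '?' and '=' cannot be confused with the outer query string, and returns the finished link. The instance hostname example.service-now.com and the landing page /sp?id=index are constructed placeholders; the nonce and sys_id values are the ones shown in the step above.

```javascript
// Added example (not ServiceNow's or Twilio's code): assemble the
// login_with_sso.do URL from the query string that
// global.TimeLimitedAuthentication.generateNonce() returns in the step above.
// Runs in plain Node.js; instance URL and landing page are constructed placeholders.

const REQUIRED_PARAMS = ["nonce", "glide_sso_id", "user"]; // source is optional

// Parse the generateNonce() output and refuse to build a link if any
// required parameter is missing, so a broken link is never sent to a user.
function parseNonceQuery(nonceQuery) {
  const params = new URLSearchParams(nonceQuery);
  const missing = REQUIRED_PARAMS.filter((key) => !params.get(key));
  if (missing.length > 0) {
    throw new Error("generateNonce output is missing: " + missing.join(", "));
  }
  return params;
}

// Build https://<instance>/login_with_sso.do?uri=<encoded uri>&nonce=...&...
// URLSearchParams percent-encodes the landing-page uri, so characters such as
// '/', '?' and '=' inside it stay part of the uri value.
function buildTlaLoginUrl(instanceUrl, targetUri, nonceQuery) {
  const params = parseNonceQuery(nonceQuery);
  const loginUrl = new URL("/login_with_sso.do", instanceUrl);
  loginUrl.searchParams.set("uri", targetUri);
  for (const [key, value] of params) {
    loginUrl.searchParams.set(key, value);
  }
  return loginUrl.toString();
}

// Constructed sample: the query string returned in the step above, with a
// placeholder instance hostname and a placeholder Service Portal landing page.
const SAMPLE_NONCE_QUERY =
  "nonce=VCeinfboDt0M&glide_sso_id=b3277f1b44351110f8779b5a2d9909f3" +
  "&user=3b0277d344351110f8779b5a2d99099a&source=IAR2";

function sampleLink() {
  return buildTlaLoginUrl(
    "https://example.service-now.com", // placeholder instance URL
    "/sp?id=index",                     // placeholder post-login landing page
    SAMPLE_NONCE_QUERY
  );
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(sampleLink());
}
```

The returned link carries the nonce and the user's sys_id, so it should only be handed to the configured notification channel for that user; the One time use and Expiry settings on the TLA config record are what limit how long, and how many times, the link remains usable.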