Password Reset verifications
Summary of Password Reset verifications
The Password Reset application in ServiceNow provides multiple verification methods to ensure secure user identity confirmation during password reset requests. These verifications support various self-service and service desk-assisted models, enabling organizations to implement flexible, user-friendly password reset processes.
Key Verifications Included
- QA Verification: Uses security questions chosen and answered by users during enrollment. Users must correctly answer a specified number of these questions during password reset. Questions are presented in the user’s login language. This method is based on the Security Questions verification type.
- Email Verification: Sends a six-digit code to a user-authorized email address. The code expires in 10 minutes, with limits on resend frequency and daily maximums. This method is supported by the Password Reset Windows Application and is based on the Email Code verification type.
- SMS Verification: Sends a six-digit code to a user-authorized SMS-enabled device. The code expires in 5 minutes, with resend and daily limits similar to email verification. SMS codes can be sent using ServiceNow Notify. This is based on the SMS Code verification type.
- Authenticator Verification: Uses codes generated by an authenticator app (e.g., Google Authenticator) on a paired device. This method is supported by the Password Reset Windows Application and is based on the authenticator verification type.
- Personal Data Verifications: Utilize user profile information stored in the instance to confirm identity, such as confirming an email address or entering a user name. These are based on the Personal Data Confirmation and Personal Data verification types, respectively.
- Soft PIN Verification: Relies on a user-enrolled six-digit Soft PIN. It supports self-service reset of the PIN and is compatible with the ServiceNow Virtual Agent.
Enrollment and Verification Process
During enrollment, users provide answers or authorize devices/emails for the chosen verification methods. For email and SMS verifications, codes are sent for initial validation, and enrollment records are created automatically but require user submission to complete processing. Verification codes have expiration times and limits on resend attempts to ensure security and usability.
Configuration and Customization
Administrators can create custom verifications based on these base types or templates, though the Password Reset Windows Application does not support custom verifications. The number of security questions required during enrollment and verification can be specified to tailor the process to organizational security policies.
Practical Benefits for ServiceNow Customers
- Enables secure, flexible password reset workflows adapted to various user preferences and security requirements.
- Supports self-service and assisted reset models, reducing help desk workload and improving user experience.
- Allows configuration of verification methods with built-in safeguards like code expiration and attempt limits.
- Integrates with native ServiceNow features such as Notify and Virtual Agent for streamlined communications and automation.
Each verification specifies the method and process for verifying the identity of the user that is requesting a password reset.
Verifications included with Password Reset
The Password Reset application includes the following verifications in the base system. You can create a verification based on either a base-system verification or a verification type (a template).
| Verification | Description |
| --- | --- |
| QA verification | Implements a self-service Password Reset model with questions that are included with the base system or custom questions that the admin defines. While enrolling for the process, the user decides which questions to provide answers for. Questions are presented in the language that the user requested during login. When a user requests a password reset, the system poses a specified number of the questions that the user selected during enrollment. The user must answer all questions correctly to verify their identity. For information on the user enrollment experience, see Enroll for the Password Reset program using questions and answers. This verification is based on the Security Questions verification type. |
| Email verification | This verification relies on auto-generated code numbers. You typically implement email verification as a self-service Password Reset model. When a user requests a password reset, the system sends a verification code to an email address that the user authorized during enrollment. To verify identity, the user then submits the code on the Password Reset Verify page. For information on the user enrollment experience, see Enroll for the Password Reset program using emailed codes. The Password Reset Windows Application supports email verification. This verification is based on the Email Code verification type. By default, a six-digit email verification code is sent to the user through email. The code expires in 10 minutes. Users can attempt to send another code after two minutes. A maximum of 10 email verification codes can be sent to a user in one day. |
| SMS verification | Implements a self-service or service desk-assisted Password Reset model that relies on auto-generated code numbers. When a user requests a password reset, the system sends a code to an SMS-capable device that the user has authorized. To verify identity, the user then submits the code on the Password Reset Verify page. You can use the ServiceNow Notify feature to send the codes. For information on the user enrollment experience, see Enroll for the Password Reset program using SMS codes. This verification is based on the SMS Code verification type. When users enroll for email or SMS verification on the Password Reset Enrollment page, they get a code to verify their email address or device. After the users enter the code and select Verify, an associated record is automatically created in the Password Reset Enrollment for Verifications [pwd_enrollment] table even before they select Submit. By default, a six-digit verification code is sent to the user's mobile device. The code expires in five minutes. Users can attempt to send another SMS verification code to the device after two minutes. A maximum of 10 codes can be sent to a particular device in one day. Note: While the record is created automatically in the Password Reset Enrollment for Verifications [pwd_enrollment] table for the email or SMS verification, the associated enrollment check script doesn’t get processed unless users select Submit. |
| Authenticator verification | Implements a Password Reset model that relies on auto-generated code numbers. Users typically implement authenticator verification as a self-service Password Reset model. When a user requests a password reset, the user reads a code from the authenticator app on a device that the user has paired. To verify identity, the user then submits the code on the Password Reset Verify page. For information on the user enrollment experience, see Enroll for the Password Reset program using an authenticator. The Password Reset Windows Application supports Google Authenticator verification. This verification is based on the authenticator verification type. |
| Personal Data — Confirm Email Address | Implements a self-service Password Reset model that relies on user information that is available in the user profile on the instance. This verification is based on the Personal Data Confirmation verification type. Note: Users can't configure this verification for processes with active public access. |
| Personal Data — Enter User Name | Implements a self-service Password Reset model that relies on user information that is available in the user profile on the instance. This verification is based on the Personal Data verification type. |
| Soft PIN Verification | Implements a self-service Password Reset model that relies on a Soft PIN that's a six-digit number. Users can enroll for the Soft PIN verification for a process and reset the Soft PIN. ServiceNow® Virtual Agent supports the Soft PIN verification method. |
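
The default email and SMS code limits from the table above, modelled as an added example (this is not ServiceNow code; the `CodeIssuer` class and its method names are hypothetical). It assumes that "one day" means a rolling 24 hours, that a new code replaces the previous one, and that a code is single-use, none of which the page states.

```javascript
// Added example: models the documented default limits; not ServiceNow code.
const { randomInt, timingSafeEqual } = require('node:crypto');

const MIN = 60 * 1000;
const DAY = 24 * 60 * MIN;
// Defaults stated in the table above: expiry, resend wait, codes per day.
const POLICY = {
  email: { ttl: 10 * MIN, resendWait: 2 * MIN, dailyMax: 10 },
  sms: { ttl: 5 * MIN, resendWait: 2 * MIN, dailyMax: 10 },
};

class CodeIssuer {
  constructor(channel) {
    this.policy = POLICY[channel];
    this.sent = []; // send timestamps in ms, oldest first
    this.current = null; // the only code that can still be accepted
  }

  // Try to send a code at time `now` (ms). Assumption: "one day" = rolling 24 h.
  send(now) {
    this.sent = this.sent.filter((t) => t > now - DAY);
    if (this.sent.length >= this.policy.dailyMax) return { ok: false, reason: 'daily-limit' };
    const last = this.sent[this.sent.length - 1];
    if (last !== undefined && now - last < this.policy.resendWait) {
      return { ok: false, reason: 'resend-too-soon' };
    }
    // CSPRNG, zero-padded so every value 000000-999999 is equally likely.
    const code = String(randomInt(0, 1000000)).padStart(6, '0');
    this.sent.push(now);
    this.current = { code, issuedAt: now }; // assumption: replaces any older code
    return { ok: true, code };
  }

  // Check a submitted code; returns 'ok', 'expired', 'mismatch' or 'no-code'.
  verify(submitted, now) {
    if (!this.current) return 'no-code';
    if (now - this.current.issuedAt >= this.policy.ttl) {
      this.current = null;
      return 'expired';
    }
    const s = String(submitted);
    if (!/^\d{6}$/.test(s)) return 'mismatch';
    const match = timingSafeEqual(Buffer.from(s), Buffer.from(this.current.code));
    if (match) this.current = null; // assumption: a code is single-use
    return match ? 'ok' : 'mismatch';
  }
}
```

Timestamps are passed in explicitly so the limits can be exercised without waiting; in this model the same elapsed five minutes expires an SMS code but not an email code.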