Password Reset verifications

  • Release version: Yokohama
  • Updated January 30, 2025
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Password Reset verifications

    The Password Reset application in ServiceNow Yokohama release provides multiple verification methods to securely verify a user's identity during the password reset process. These verifications ensure users requesting password resets are properly authenticated, reducing risk and enhancing security. The base system includes several built-in verification types, each supporting different self-service or assisted reset models.

    Show full answer Show less

    Key Verifications Included

    • QA Verification: Users enroll by answering security questions they select. During reset, users must correctly answer a specified number of these questions presented in their login language.
    • Email Verification: Sends a six-digit code to the user's authorized email. The code expires after 10 minutes. Users can request a new code after 2 minutes, with a daily limit of 10 codes. Supported by the Password Reset Windows Application.
    • SMS Verification: Sends a six-digit code via SMS to a user-authorized device. The code expires after 5 minutes, with similar resend intervals and daily limits as email. Supports both self-service and service desk-assisted flows. Uses ServiceNow Notify. Users must verify their device enrollment code before submitting.
    • Authenticator Verification: Users provide a code from a paired authenticator app (e.g., Google Authenticator) during reset. Supported by the Password Reset Windows Application.
    • Personal Data Confirmations: Verifications rely on profile data such as confirming an email address or entering a username. These are self-service but cannot be used with active public access.
    • Soft PIN Verification: Uses a six-digit Soft PIN for identity verification. Users can enroll and reset their Soft PIN. Supported by the ServiceNow Virtual Agent.

    Additional Features and Configuration

    • Security Questions verification allows specifying how many questions to display both during enrollment and verification.
    • For SMS and Email verifications, enrollment creates records automatically but requires user submission to complete enrollment processing.
    • Personal data verification types generate questions based on user profile information stored in the User table.
    • Custom verifications can be created based on existing base-system verifications or templates, but custom verifications are not supported in the Password Reset Windows Application.

    Practical Benefits for ServiceNow Customers

    • Multiple verification options provide flexibility to meet different security policies and user preferences.
    • Self-service verification models reduce help desk workload and improve user experience with faster password recovery.
    • Integrated enrollment and verification workflows ensure secure and seamless password reset processes.
    • Configurable parameters like code expiration, retry intervals, and daily limits help balance security and usability.

    Each verification specifies the method and process for verifying the identity of the user that is requesting a password reset.

    Verifications included with Password Reset

    The Password Reset application includes the following verifications in the base system. You can create a verification based on either a base-system verification or a verification type (a template).

    Note:
    The Password Reset Windows Application doesn’t support custom verifications.
    Table 1. Password Reset verifications
    QA verification Implements a self-service Password Reset model with questions that are included with the base system or custom questions that the admin defines. While enrolling for the process, the user decides which questions to provide answers for. Questions are presented in the language that the user requested during login.
    When a user requests a password reset, the system poses a specified number of the questions that the user selected during enrollment. The user must answer all questions correctly to verify their identity.
    Figure 1. QA verification on the Verify page
    QA verification on the Verify page.

    For information on the user enrollment experience, see Enroll for the Password Reset program using questions and answers.

    This verification is based on the Security Questions verification type.
    Email verification This verification relies on auto-generated code numbers. You typically implement email verification as a self-service Password Reset model.

    When a user requests a password reset, the system sends a verification code to an email address that the user authorized during enrollment. To verify identity, the user then submits the code on the Password Reset Verify page.

    For information on the user enrollment experience, see Enroll for the Password Reset program using emailed codes.

    The Password Reset Windows Application supports email verification.

    This verification is based on the Email Code verification type.

    By default, a six-digit email verification code is sent to the user through email. The code expires in 10 minutes. Users can attempt to send another code after two minutes. A maximum of 10 email verification codes can be sent to a user in one day.
    SMS verification Implements a self-service or service desk-assisted Password Reset model that relies on auto-generated code numbers.

    When a user requests a password reset, the system sends a code to an SMS-capable device that the user has authorized. To verify identity, the user then submits the code on the Password Reset Verify page.

    You can use the ServiceNow Notify feature to send the codes.

    For information on the user enrollment experience, see Enroll for the Password Reset program using SMS codes.

    This verification is based on the SMS Code verification type.

    When users enroll for email or SMS verification on the Password Reset Enrollment page, they get a code to verify their email address or device. After the users enter the code and select Verify, an associated record is automatically created in the Password Reset Enrollment for Verifications [pwd_enrollment] table even before they select Submit.

    By default, a six-digit verification code is sent to the user's mobile device. The code expires in five minutes. Users can attempt to send another SMS verification code to the device after two minutes. A maximum of 10 codes can be sent to a particular device in one day.

    Note:
    While the record is created automatically in the Password Reset Enrollment for Verifications [pwd_enrollment] table for the email or SMS verification, the associated enrollment check script doesn’t get processed unless users select Submit.
    Authenticator verification Password Reset model that relies on auto-generated code numbers. Users typically implement authenticator verification as a self-service Password Reset model.

    When a user requests a password reset, the user reads a code from the authenticator app on a device that the user has paired. To verify identity, the user then submits the code on the Password Reset Verify page.

    For information on the user enrollment experience, see Enroll for the Password Reset program using an authenticator.

    The Password Reset Windows Application supports Google Authenticator verification.

    This verification is based on the authenticator verification type.
    Personal Data — Confirm Email Address Implements a self-service Password Reset model that relies on user information that is available in the user profile on the instance.

    This verification is based on the Personal Data Confirmation verification type.

    Note:
    Users can't configure this verification for the processes with the active public access.
    Personal Data — Enter User Name Implements a self-service Password Reset model that relies on user information that is available in the user profile on the instance.

    This verification is based on the Personal Data verification type.
    Soft PIN Verification Implements a self-service Password Reset model that relies on a Soft PIN that's a six-digit number. Users can enroll for the Soft PIN verification for a process and reset the Soft PIN. ServiceNow® Virtual Agent supports the Soft PIN verification method.