Explore authentication factors for AI voice agents
Authentication factors are the elements used for caller identification and authentication. In secure voice agent environments, the process begins with identifying the caller, followed by authenticating their identity before granting access. A robust security strategy combines multiple factors to confirm that only authorized users interact with AI voice agents.
When configuring an AI voice service to support natural, conversational exchanges, it’s crucial to select authentication factors that reliably verify a user's identity. Caller access to specific voice agents is determined by the authentication types and methods configured by the administrator.
In this context, two categories of authentication mechanisms are supported:
Single-factor authentication
Single-factor authentication requires the caller to verify their identity through one method. Any of the six supported factors can be configured as a standalone factor.
Multi-factor authentication
Multi-factor authentication (MFA) requires callers to pass two verification methods in sequence. This raises the assurance level of the session and restricts access to sensitive data and actions.
- Primary factor: The initial verification method (for example, Soft PIN or TOTP).
- Secondary factor: An additional verification method that increases confidence in the caller’s identity (for example, SMS OTP or Okta Verify push notification).
Note: MFA is enabled by default. To make single-factor authentication the default behavior, set the glide.voice.authenticate.mfa_mandatory system property to false.
Overview of the supported authentication factors
- Time-based one-time password (TOTP) authentication
- TOTP is a temporary numeric code generated by an authenticator app, such as Okta Verify, on the caller's registered device. Codes are generated locally and are resistant to interception, making TOTP well-suited for both single-factor and MFA configurations. Callers can enter the code via keypad or by speaking the digits.
- Push notification - Okta Verify
- Callers approve an authentication request via a push notification sent to their registered mobile device. This factor requires no code entry and is low-friction. It is effective as both a primary and secondary factor. An internet connection and a registered device with Okta Verify installed are required.
- Soft PIN authentication
- Soft PIN is a 6-digit numeric code the caller enrolls in advance. It is device-independent and quick to use across conversational AI channels, such as AI voice agents. Callers can enter the PIN through keypad or by speaking the digits. Because a PIN can be observed or shared, Soft PIN is best used alongside a second factor for sensitive actions.
- SMS one-time passcode (OTP) authentication
- SMS OTP delivers a temporary numeric code to the caller's registered mobile number. It is widely recognized and requires no app installation. Callers can enter the code via keypad or by speaking the digits. SMS OTP is susceptible to SIM-swapping and delivery delays and should not be the sole factor for critical operations.
- Email one-time password (OTP) authentication
- Email OTP delivers a temporary numeric code to the caller’s registered email address. It is easy to deploy and familiar to most users. Callers can enter the code via keypad or by speaking the digits. Email OTP is susceptible to email account compromise and phishing, and should not be used as a standalone factor for sensitive operations.
- Knowledge-based authentication (Security Questions)
- KBA presents the caller with pre-configured questions, such as "What are the last four digits of your employee ID?". The answers can be validated against ServiceNow AI Platform tables or external systems via custom scripts. KBA is used primarily for caller identification and low-risk authentication scenarios. Because answers can be social-engineered, KBA should not be used as a standalone factor for sensitive actions. Callers can respond via keypad or by speaking their answer.
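The following is an added example, not ServiceNow code, that makes two points on this page concrete: how a TOTP factor is verified (RFC 6238, HMAC-SHA1, 30-second steps, 6 digits, with a tolerance window and a digit-only normalization so a spoken "2 8 7 0 8 2" and a keypad "287082" are treated alike), and how a session policy can enforce the single-factor versus MFA rules above, including the guidance that Soft PIN, SMS OTP, Email OTP and KBA should not stand alone for sensitive actions. The factor names, the `session_assurance` function and the `sensitive` flag are assumptions made for illustration; the `mfa_mandatory` argument stands in for the glide.voice.authenticate.mfa_mandatory property. The test secret and expected codes are the published RFC 6238 test vectors.

```python
"""Added example: RFC 6238 TOTP verification plus a session assurance check
modelled on the single-factor / MFA rules described on this page.
Not ServiceNow code; factor names and the policy function are assumptions."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time step."""
    return hotp(secret, at_time // step, digits)


def normalize_spoken_code(submitted: str) -> str:
    """Keypad entry yields "287082"; speech recognition may yield "2 8 7 0 8 2".
    Keep only the digits so both input paths compare against the same string."""
    return "".join(ch for ch in submitted if ch.isdigit())


def verify_totp(secret: bytes, submitted: str, at_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` adjacent steps
    (clock drift plus the time it takes a caller to read the code aloud).
    Every candidate is compared in constant time and all candidates are
    checked, so timing does not reveal which step matched."""
    candidate = normalize_spoken_code(submitted)
    if len(candidate) != digits:
        return False
    counter = at_time // step
    matched = False
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), candidate):
            matched = True
    return matched


# Factor names are assumptions for this example, not ServiceNow identifiers.
ALL_FACTORS = {"totp", "okta_push", "soft_pin", "sms_otp", "email_otp", "kba"}
# Factors the page says should not stand alone for sensitive or critical actions.
NOT_STANDALONE_FOR_SENSITIVE = {"soft_pin", "sms_otp", "email_otp", "kba"}


def session_assurance(passed_factors, mfa_mandatory: bool = True,
                      sensitive: bool = False) -> bool:
    """Decide whether a caller session may proceed.
    passed_factors: factors that succeeded, in the order they were passed.
    mfa_mandatory: stands in for glide.voice.authenticate.mfa_mandatory (default true).
    sensitive: whether the requested action touches sensitive data (assumed flag)."""
    passed = [f for f in passed_factors if f in ALL_FACTORS]
    distinct = list(dict.fromkeys(passed))  # de-duplicate, keep sequence order
    if not distinct:
        return False
    if mfa_mandatory:
        # Two sequential, different factors: a primary and then a secondary.
        return len(distinct) >= 2
    if sensitive and distinct[0] in NOT_STANDALONE_FOR_SENSITIVE:
        # Single factor permitted by the property, but this one is too weak alone.
        return len(distinct) >= 2
    return True


if __name__ == "__main__":
    # Constructed demo using the RFC 6238 test secret.
    secret = b"12345678901234567890"
    print(totp(secret, 59))                                   # 287082
    print(verify_totp(secret, "2 8 7 0 8 2", 59))             # True
    print(session_assurance(["soft_pin"]))                    # False (MFA mandatory)
    print(session_assurance(["soft_pin", "okta_push"]))       # True
```

Repeating the same factor twice (for example two Soft PIN prompts) does not count as MFA here, which matches the page's requirement of two different verification methods in sequence.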
For details on configuring voice input for authentication factors, see Configure voice input for authentication factors.
To learn more about voice services and how to create them, see Create an AI voice assistant.