Explore authentication factors for AI voice agents

  • Release version: Yokohama
  • Updated December 3, 2025

    Authentication factors are the elements used for caller identification and authentication. In secure voice agent environments, the process begins with identifying the caller, followed by authenticating their identity before granting access. A robust security strategy combines multiple factors to confirm that only authorized users interact with AI voice agents.

    When configuring an AI voice service to support natural, conversational exchanges, it’s crucial to select authentication factors that reliably verify a user's identity. Caller access to specific voice agents is determined by the authentication types and methods configured by the administrator.

    In this context, two categories of authentication mechanisms are supported:

    Single-factor authentication

    Single-factor authentication requires the user to confirm their identity through a single verification method. Within the ServiceNow AI Platform voice agent configuration, you can select from three supported authentication factors:

    • Knowledge-based authentication (KBA)
    • Soft PIN
    • Time-based one-time password (TOTP)

    Each method offers a distinct approach to user verification, enabling secure access tailored to the needs of the service.

    Multi-factor authentication

    Multi-factor authentication (MFA) requires users to verify their identity with two methods, such as a PIN and an authenticator app code. This approach enhances security and user confidence by making accounts and voice services harder for attackers to compromise.

    • Primary factor: Initial verification method (such as Soft PIN, TOTP).
    • Secondary factor: An additional verification method that strengthens security (such as sending push notifications through Okta Verify).
      Note:
      Multi-factor authentication is selected as the primary factor by default. You can change the default behavior by setting the glide.voice.authenticate.mfa_mandatory property to false.

    Overview of the supported authentication factors

    Time-based one-time password (TOTP) authentication
    • TOTP is a temporary numeric code generated by apps like Okta Verify on the user's registered device.
    • TOTP is recommended for users needing stronger protection, as codes are generated locally and are resistant to interception.
    Push notification - Okta Verify
    • Users approve authentication requests via a push notification on their registered mobile device.
    • The factor is fast, convenient, and offers high security as a second factor, but requires an internet connection and secure device management.
    Soft PIN authentication
    • Soft PIN is a 6-digit personal numeric code that the user is enrolled with.
    • The factor is suitable for verifying returning users in low-risk, self-service scenarios. It’s quick to use and device-independent but can be vulnerable to observation or reuse.
    SMS one-time passcode (OTP) authentication
    • SMS OTP is a temporary numeric code sent to the user's registered mobile phone.
    • SMS OTP is easy to deploy and familiar. However, it’s susceptible to SIM-swapping and delivery issues and shouldn’t be the only factor for critical operations.
    Knowledge-based authentication (Security Questions)
    • Knowledge-based authentication (KBA) uses pre-set security questions configured by the admin, such as “What are the last four digits of your SSN?”
    • Mostly used for low-risk operations, KBA requires no additional device but isn’t secure and shouldn’t stand alone for sensitive actions.
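
The TOTP factor described above, as an added example (not ServiceNow or Okta code): the RFC 6238 calculation that lets the authenticator app and the verifier derive the same 6-digit code locally, without sending it over a channel. It goes beyond the page by also showing the verifier side with a clock-drift window and replay rejection; `verifyTotp`, `caller` and `lastUsedStep` are hypothetical names, and the secret is the RFC 6238 test key.

```javascript
// Added example: RFC 6238 TOTP (HMAC-SHA1, 6 digits, 30-second step).
const crypto = require("crypto");

const STEP_SECONDS = 30;
const DIGITS = 6;

// HOTP (RFC 4226): HMAC the 8-byte big-endian counter, then dynamic truncation.
function hotp(secret, counter) {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = crypto.createHmac("sha1", secret).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f;          // low nibble picks the slice
  const bin = mac.readUInt32BE(offset) & 0x7fffffff;  // drop the sign bit
  return String(bin % 10 ** DIGITS).padStart(DIGITS, "0");
}

// TOTP: the counter is the number of 30-second steps since the Unix epoch.
function totp(secret, unixSeconds) {
  return hotp(secret, Math.floor(unixSeconds / STEP_SECONDS));
}

// Verifier (hypothetical helper): accepts the current step +/- `window` steps
// for clock drift, compares in constant time, and rejects a step that was
// already accepted so an overheard code cannot be replayed.
function verifyTotp(state, submitted, unixSeconds, window = 1) {
  if (!/^\d{6}$/.test(submitted)) return false;
  const now = Math.floor(unixSeconds / STEP_SECONDS);
  const given = Buffer.from(submitted);
  let matched = -1;
  for (let step = Math.max(0, now - window); step <= now + window; step++) {
    const expected = Buffer.from(hotp(state.secret, step));
    if (crypto.timingSafeEqual(expected, given)) matched = step;
  }
  if (matched < 0 || matched <= state.lastUsedStep) return false;
  state.lastUsedStep = matched;
  return true;
}

// Constructed enrollment record using the RFC 6238 test secret.
const caller = { secret: Buffer.from("12345678901234567890"), lastUsedStep: -1 };
```
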

    To learn more about voice services and how to create them, see Create an AI voice assistant.