Password Reset verifications

  • Release version: Australia
  • Updated March 12, 2026
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Password Reset Verifications

    The Password Reset application provides various identity verification methods for users requesting a password reset. Each verification method ensures that only authorized users can reset their passwords, enhancing security and user experience.

    Show full answer Show less

    Key Features

    • QA Verification: Users answer security questions during enrollment to verify identity when requesting a reset. Questions are presented in the user's preferred language.
    • Email Verification: A verification code is sent to the user's authorized email. The user must submit this code to confirm their identity. Codes expire after 10 minutes.
    • SMS Verification: Similar to email verification, but the code is sent to an SMS-capable device. Codes expire after 5 minutes, and users can request up to 10 codes per day.
    • Authenticator Verification: Users enter a code from an authenticator app they have paired with their account to verify their identity.
    • Personal Data Confirmation: Users confirm their identity using information from their profile, such as email or username, but this cannot be configured for public access processes.
    • Soft PIN Verification: Users can use a six-digit Soft PIN for identity verification, supported by ServiceNow® Virtual Agent.

    Key Outcomes

    Implementing these verification methods helps ensure secure password resets, reducing the risk of unauthorized access. Customers can customize the verification process based on their organization's needs, including specifying the number of security questions during enrollment and verification. Users can also manage their own verification methods through the Password Reset Enrollment process, enhancing self-service capabilities.

    Each verification specifies the method and process for verifying the identity of the user that is requesting a password reset.

    Verifications included with Password Reset

    The Password Reset application includes the following verifications in the base system. You can create a verification based on either a base-system verification or a verification type (a template).

    Note:
    The Password Reset Windows Application doesn’t support custom verifications.
    Table 1. Password Reset verifications
    QA verification Implements a self-service Password Reset model with questions that are included with the base system or custom questions that the admin defines. While enrolling for the process, the user decides which questions to provide answers for. Questions are presented in the language that the user requested during login.
    When a user requests a password reset, the system poses a specified number of the questions that the user selected during enrollment. The user must answer all questions correctly to verify their identity.
    Figure 1. QA verification on the Verify page
    QA verification on the Verify page.

    For information on the user enrollment experience, see Enroll for the Password Reset program using questions and answers.

    This verification is based on the Security Questions verification type.
    Email verification This verification relies on auto-generated code numbers. You typically implement email verification as a self-service Password Reset model.

    When a user requests a password reset, the system sends a verification code to an email address that the user authorized during enrollment. To verify identity, the user then submits the code on the Password Reset Verify page.

    For information on the user enrollment experience, see Enroll for the Password Reset program using emailed codes.

    The Password Reset Windows Application supports email verification.

    This verification is based on the Email Code verification type.

    By default, a six-digit email verification code is sent to the user through email. The code expires in 10 minutes. Users can attempt to send another code after two minutes. A maximum of 10 email verification codes can be sent to a user in one day.
    SMS verification Implements a self-service or service desk-assisted Password Reset model that relies on auto-generated code numbers.

    When a user requests a password reset, the system sends a code to an SMS-capable device that the user has authorized. To verify identity, the user then submits the code on the Password Reset Verify page.

    You can use the ServiceNow Notify feature to send the codes.

    For information on the user enrollment experience, see Enroll for the Password Reset program using SMS codes.

    This verification is based on the SMS Code verification type.

    When users enroll for email or SMS verification on the Password Reset Enrollment page, they get a code to verify their email address or device. After the users enter the code and select Verify, an associated record is automatically created in the Password Reset Enrollment for Verifications [pwd_enrollment] table even before they select Submit.

    By default, a six-digit verification code is sent to the user's mobile device. The code expires in five minutes. Users can attempt to send another SMS verification code to the device after two minutes. A maximum of 10 codes can be sent to a particular device in one day.

    Note:
    While the record is created automatically in the Password Reset Enrollment for Verifications [pwd_enrollment] table for the email or SMS verification, the associated enrollment check script doesn’t get processed unless users select Submit.
    Authenticator verification Password Reset model that relies on auto-generated code numbers. Users typically implement authenticator verification as a self-service Password Reset model.

    When a user requests a password reset, the user reads a code from the authenticator app on a device that the user has paired. To verify identity, the user then submits the code on the Password Reset Verify page.

    For information on the user enrollment experience, see Enroll for the Password Reset program using an authenticator.

    The Password Reset Windows Application supports Google Authenticator verification.

    This verification is based on the authenticator verification type.
    Personal Data — Confirm Email Address Implements a self-service Password Reset model that relies on user information that is available in the user profile on the instance.

    This verification is based on the Personal Data Confirmation verification type.

    Note:
    Users can't configure this verification for the processes with the active public access.
    Personal Data — Enter User Name Implements a self-service Password Reset model that relies on user information that is available in the user profile on the instance.

    This verification is based on the Personal Data verification type.
    Soft PIN Verification Implements a self-service Password Reset model that relies on a Soft PIN that's a six-digit number. Users can enroll for the Soft PIN verification for a process and reset the Soft PIN. ServiceNow® Virtual Agent supports the Soft PIN verification method.