Time-limited authentication (TLA) is a feature that ServiceNow introduced in the Utah release to further strengthen the security of ServiceNow instances.
First things first. What exactly is TLA?
TLA is an authentication mechanism that grants access to a system or service for a limited period only. It is intended for scenarios where users need temporary access and it is not desirable for them to remain logged in indefinitely: the user is automatically logged out once the set period elapses, which reduces the risk of unauthorised access to resources.
One of the significant advantages of TLA is that it reduces the exposure of sensitive information. Links generated with TLA are unique and can be used only once, and each link is valid only for a specific period; once that time expires, the link becomes invalid. A link that has expired or already been consumed is useless to anyone who later obtains it, which narrows the window for account hijacking or data exposure. The caveat is that a link is still a bearer credential while it is valid, so it should be delivered over a trusted channel, given a short lifetime, and ideally combined with a second factor (see below).
So how does it work in ServiceNow?
The TLA feature in ServiceNow is designed to ensure that only the intended user can access the instance during the period that the link is valid. An admin configures link-based authentication and generates a link, which is then shared with the user by email or SMS; the user follows the link to log in to the instance with the privileges assigned to them.
To ensure that each link is unique, TLA uses a nonce. A nonce is a random or pseudo-random value that is used only once. The nonce is included in the link along with other data, such as an expiry timestamp and a cryptographic hash over the link's contents. The receiver (i.e. the ServiceNow instance) can then verify that the hash is intact, that the link has not expired, and that the nonce has not been used before, so every link is both unique and single-use.
TLA can also be combined with multi-factor authentication (MFA) to add a further layer of security to the login. The user is then required to present a second factor, such as a one-time password (OTP) from an authenticator app or delivered by SMS. Logins that use TLA are controlled through Adaptive Authentication policies.
Hold Up. What’s Adaptive Authentication?
Adaptive authentication uses policies to evaluate authentication requests and then allows or denies access to an instance based on the conditions specified. Adaptive authentication policies and contexts restrict access to a ServiceNow instance based on source IP address, the role(s) the user holds, and even the group(s) they belong to. Policies apply to both interactive (human) logins and API calls.
What are some use cases for TLA?
- Contractors: TLA can be used to provide contractors with temporary access to specific resources within the ServiceNow instance.
- Third-party vendors: ServiceNow customers often have third-party vendors who need temporary access to specific resources within a ServiceNow environment. TLA can be used to provide these vendors with temporary access to the system, ensuring that they can only access the resources they need for the required time.
- Compliance requirements: Many organisations must comply with regulations such as HIPAA, GDPR, or PCI-DSS, which impose strict requirements on access control and user authentication. Short-lived, single-use access links help demonstrate that temporary access is bounded in time.
- High-risk systems: Some ServiceNow deployments may be high-risk and require additional security measures to prevent unauthorised access. TLA can be used as an additional layer of security for these systems.
- Test environments: There is sometimes a need to give certain user cohorts time-boxed access to sub-production environments to conduct testing.
In conclusion…
Time-limited authentication in ServiceNow provides several benefits, including enhanced security, reduced risk of unauthorised access, and the potential for an improved user experience. It is an excellent addition to the platform that strengthens the security posture of ServiceNow customers.
