Two-Factor Authentication

 

Role required: SDAdmin (for single-instance setups) and SDOrgAdmin (for multi-instance setups).

 

Two-factor authentication provides an extra layer of security by mandating an additional authentication method along with passwords.

 

In ServiceDesk Plus, enable two-factor authentication for user logins and admin configurations under Admin > General Settings > Two Factor Authentication > Configuration (for single-instance setups) or ESM Directory > Two Factor Authentication > Configuration (for multi-instance setups).
 

Supported Additional Authentication Modes

 

Email Verification

Users must authenticate themselves using the code sent to their email. The email verification template is customizable. In the email text, you can use $secretCode, which will be replaced by a unique code each time the email is sent to the users.

For email verification to work, the outgoing mail server must be configured. Learn more

 

Google Authenticator 

Users must verify themselves with a time-based OTP (TOTP) generated by the Google Authenticator app or any other TOTP authenticator app, such as Microsoft Authenticator or Duo Mobile.

 

Two-factor authentication for User Login 

Enable this option to prompt users to authenticate during login.

To enable two-factor authentication for user logins, first select the preferred authentication method.

 

You can enable TFA for specific users or user types. Hover over the criteria fields and click Edit to make them editable.

 

 

Tip: If you are using a Load Balancer or Reverse Proxy in front of ServiceDesk Plus, make sure it forwards the original client IP address in the request headers. This ensures accurate device registration. If the Load Balancer transmits its own IP address instead of the client's, all incoming registration requests will appear to come from a single source. This can trigger throttling limits and cause registration failures across endpoints.
To prevent this, configure your Load Balancer or Reverse Proxy to retain and forward the actual client IP address in the appropriate headers.
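
The failure mode in the tip above, as an added Python example (not ServiceDesk Plus code): a per-IP registration throttle attributes every user to the proxy unless the forwarded client address is used, and that address is accepted only when the request actually arrives from the proxy. The `X-Forwarded-For` header name, the 10.0.0.0/24 proxy subnet and the limit of 3 are assumptions made for the illustration.

```python
import ipaddress
from collections import Counter

# Assumptions, not ServiceDesk Plus settings: the header name, the proxy
# subnet and the per-IP limit are all constructed for this illustration.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]
MAX_REGISTRATIONS_PER_IP = 3

def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_PROXIES)

def client_ip(peer_ip, headers):
    """Address a request is attributed to.

    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy.
    The chain is read right to left and the first untrusted hop wins, so a
    value the client put on the left cannot stand in for its real address.
    """
    if not is_trusted(peer_ip):
        return peer_ip
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    for hop in reversed(hops):
        try:
            if not is_trusted(hop):
                return str(ipaddress.ip_address(hop))
        except ValueError:
            break  # empty or malformed entry: fall back to the peer address
    return peer_ip

def rejected_registrations(requests):
    """Number of requests refused by the per-IP throttle."""
    seen, rejected = Counter(), 0
    for peer_ip, headers in requests:
        ip = client_ip(peer_ip, headers)
        seen[ip] += 1
        if seen[ip] > MAX_REGISTRATIONS_PER_IP:
            rejected += 1
    return rejected

# Constructed sample: five users enrolling through a proxy at 10.0.0.5.
USERS = ["198.51.100.%d" % n for n in range(1, 6)]
PROXY_HIDES_CLIENT = [("10.0.0.5", {}) for _ in USERS]
PROXY_FORWARDS_CLIENT = [("10.0.0.5", {"X-Forwarded-For": u}) for u in USERS]

if __name__ == "__main__":
    print("rejected without forwarding:", rejected_registrations(PROXY_HIDES_CLIENT))
    print("rejected with forwarding:   ", rejected_registrations(PROXY_FORWARDS_CLIENT))
```
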

When two-factor authentication is enabled, users must enroll themselves during their first login. Learn more.

 

Backup Codes for User Login 

Backup codes can be enabled only for user logins. Enabling backup verification codes allows users to view, download, or generate codes that can be used as an alternative to any of the authentication methods. Learn more.

 

Two-factor authentication for Admin Configurations 

Enabling this option prompts the admin to authenticate themselves while modifying settings under Admin.

 

Two-factor authentication can be enabled for the following admin configurations:

 

To enable two-factor authentication for admin configurations, first select the preferred authentication method.

 

When this option is enabled, the admin must enroll for two-factor authentication during their first login. Learn more.

 

Enable TFA Trust to establish a time frame during which the admin can modify settings without re-authentication.

 

 

Managing Enrolled Users

You can manage users who have enrolled for two-factor authentication under Admin > General Settings > Two Factor Authentication > Enrolled Users (for single-instance setups) or ESM Directory > Two Factor Authentication > Enrolled Users (for multi-instance setups).

 

Here, you can view details such as username, domain name, and authentication type. You can also delete user enrollments by selecting one or more users and clicking Delete.