White Papers Special Cases and Advanced Topics Password Management for ISP Subscribers
Hitachi ID Facebook Page Hitachi ID Twitter Page Find us on Google+ Hitachi ID YouTube Page

Password Management for ISP Subscribers

Internet Service Providers face a significant support cost due to users who forget their network connection or e-mail password.

As ISPs scale to hundreds of thousands and millions of end customers, the cost to support repetitive problems such as password resets rises to significant levels, reaching millions of dollars annually.

Given the significant cost, it is advantageous to invest in automation to eliminate recurring user support problems. Password reset is often the most common problem, and is arguably the easiest problem to address with self-service technologies.


Internet Service Providers face a significant support cost due to users who forget their network connection or e-mail password.

As ISPs scale to hundreds of thousands and millions of end customers, the cost to support repetitive problems such as password resets rises to significant levels, reaching millions of dollars annually.

Given the significant cost, it is advantageous to invest in automation to eliminate recurring user support problems. Password reset is often the most common problem, and is arguably the easiest problem to address with self-service technologies.

The remainder of this paper is organized as follows:

Password reset as a recurrent support call

The problem

Consolidation in the ISP business is producing ISPs with large user populations -- ranging from hundreds of thousands to millions.

When ISP subscribers experience technical problems, they either access a subscriber service web site or call a support line. Problems that disrupt Internet access are clearly not amenable to resolution with a self-service site, and so drive support call volume.

One recurring problem that causes connectivity problems is a forgotten or mistyped password. Users who must type a current password to connect to the network may forget their password, and consequently be unable to connect. These users invariably call for service.

Even if password problems are relatively infrequent for a single user (e.g., occurring annually or even less often), as the user population scales the cost becomes significant. For example, an ISP help desk that resolves 30,000 password problem calls monthly, and where such calls only cost $10 to resolve, Gartner     and Metagroup figures estimate $25 to $35 per call for this     type of problem in internal corporate help desks (note) will incur a total annual charge of $3,600,000 to service this problem.

Types of passwords

ISP subscribers generally have at least two types of passwords:

A single subscriber will often have multiple e-mail accounts attached to a single network access account.

Connection passwords are problematic because their impact is to prevent a user from connecting to the network. Users who forgot their connection passwords cannot access the ISP web site, and so cannot use a web-based self-service password reset system.

E-mail and other application passwords are easier to manage because users can access a self-service web application to address problems with them.

Initial vs. ongoing problems

Subscribers may have password problems when their initial network connection is configured, or thereafter.

If the problem is when making the initial network connection, no assumptions can be made about the configuration of the subscriber's workstation or about any agents installed on that computer.

If the problem occurs subsequent to initial, successful configuration, then client software may have been made available on the subscriber's computer, and may be used to assist in an automated problem resolution process.

Cost model


The cost of password problems can be calculated using the following variables:

Variable Units Description
Pinitial Number/month Number of password problems per month that take place during subscriber activation.
Pongoing Number/month Number of password problems per month that affect already-configured subscribers.
Cinitial $/problem Cost of password problems at activation time.
Congoing $/problem Cost of password problems affecting configured subscribers.
Cannual $/year Total cost of password problems per year.


Cannual = 12 x ( Pinitial x Cinitial + Pongoing x Congoing )

For instance, consider an example ISP where:

Variable Value
Pinitial 20000/month
Pongoing 10000/month
Cinitial $20
Congoing $10


Cannual = 12 x ( 20000 x 20 + 10000 x 10 ) = $6,000,000/year

The Password Manager password management system

Password Manager is an integrated solution for managing user credentials, across multiple systems and applications. Organizations depend on Password Manager to simplify the management of those credentials for users, to reduce IT support cost and to improve the security of login processes.

Password Manager includes password synchronization, self-service password reset, enterprise single sign-on, PIN resets for tokens and smart cards, enrollment of security questions and biometrics and emergency recovery of full disk encryption keys.

Password Manager reduces the cost of password management using:

Password Manager strengthens security by providing:

To find out more about Password Manager, visit http://Hitachi-ID.com/password-manager.

Password Manager can be used to reduce the volume of password problem calls that reach an ISP's support desk as follows:

The Password Manager service can enforce password policies over new passwords. It supports rules for length, composition, history, dictionary words, etc.

Users who forget their password, and wish to perform a self-service password reset, must provide some non-password authentication. This normally means that they must answer a sequence of personal or secret questions.

Data for non-password user authentication may be collected by Password Manager itself, or accessed on existing systems (e.g., subscriber billing system, subscriber account database, etc.). Where Password Manager is configured to collect new or supplementary authentication data, it generally prompts users to register by e-mail, and users respond by clicking on a URL embedded in their e-mail; entering their login ID and current password; and filling in blank answers on a Q&A form.

Deployment challenges and design choices

Providing password management in general, and self-service password reset in particular, is challenging in an ISP environment:


A population of hundreds of thousands of users will generate tens of thousands of password resets per month. These problems normally occur during "prime time" for residential subscribers -- a 4 hour/day block in the evenings.

Consider an ISP that generates 30,000 password problems/month. Assume that half of these problems happen during a four hour peak period, on week-days:

RATEpeak = ( 30000 x [1]/[2] ) / ( 4 x 5 x 4 ) = 187/hour.

From this analysis, it is clear that a password management system must be able to handle at least hundreds, and perhaps thousands of subscriber login sessions per hour.

A password management system deployed by an ISP must also supports at least hundreds of thousands of users, each of which may have multiple login IDs on multiple target systems (connection, e-mail, etc.).


Users who experience a password problem while not connected must either get service on a telephone or must use client software that automatically connects to the network with some special access, resolves the user's problem, and disconnects.

The diversity of subscriber workstation types (Windows 9x, Windows NT, Windows 2000, Windows XP, MacOS, Linux, etc.) , combined with the many types of dial-up software (built-in RAS, PPPoE dialers, etc.) make the implementation of a dial-fix-and-hangup client program very difficult.

A client-side dialer may be difficult to deploy, but client-side and possibly personalized instructions are appropriate. It is not unreasonable for software installed on the client software to include instructions about:

These instructions may be personalized at installation time to refer to the subscriber's local support dial-up number, the subscriber's personal account number, etc.

User education

Any self-service problem resolution system targeted at a consumer population must be tolerant of subscribers who are not very computer literate. Consumer-oriented systems do not have the luxury of roll-out with a user education program.

As a result, a password management system for consumers should be extremely easy to use, intuitive, and require little or no explanation.


A password management system deployed at an ISP must obviously manage passwords on the ISP's authentication infrastructure. This typically means LDAP directories and RADIUS services from various vendors.

Architecture, scalability and integration


(2) Password Manager has been deployed in very large organizations, including:

This level of scalability is a result of many features:

In addition, Password Manager incorporates many features that, while not directly performance-related, are needed to operate in large, complex networks:

Proposed architecture

Following is a network architecture diagram for deployment of Password Manager in an ISP environment:


    Password Manager Service Provider Architecture Diagram (3)

In the diagram:

Integration with RADIUS servers

Password Manager can manage passwords on many types of systems, including:

Projected ROI


Cost recovery model

The return on investment (ROI) for an ISP deploying Password Manager is entirely due to call redirection and avoidance. In turn, these figures depend heavily on user adoption rates.

Extending the cost model in (1), we define two new variables to model user adoption rates:

Variable Units Description
Ainitial fraction User adoption rate for self-service problem resolution at network activation time.
Aongoing fraction User adoption rate for self-service problem resolution for configured subscribers.
Sannual $/year Projected annual cost savings.


Sannual = 12 x ( Ainitial x Pinitial x Cinitial + Aongoing x Pongoing x Congoing )

Extending the example from (1), using very conservative user adoption rates:

Variable Value
Ainitial 25%
Aongoing 35%


Cannual = 12 x ( 0.25 x 20000 x 20 + 0.35 x 10000 x 10 ) = $1,620,000/year

Clearly, this is a significant cost savings.

As user adoption rates escalate, cost savings increase. Continuing with the same examples, if user adoption rates can be increased:

Variable Value
Ainitial 40%
Aongoing 75%


Cannual = 12 x ( 0.40 x 20000 x 20 + 0.75 x 10000 x 10 ) = $2,820,000/year

Rapid deployment: buy vs. build

As illustrated in both (1) and (4), the problem of password resets is a costly one for ISPs.

Cost savings from a password reset system are substantial -- in our example of an ISP that fields 30,000 password problems per month, cost savings range from $1.6M/year to $2.8M/year, based on user adoption rates.

Given the rate of cost recovery, it makes sense to deploy a solution very quickly. In particular, once the decision to automate password problem resolution is made, every month of waiting time until the solution is deployed costs from $130k to $230k.

This rapid ROI is a strong motivation to purchase a pre-built solution, which can be deployed quickly (2-3 months), rather than developing a custom solution, which may take 6-18 months. The ROI lost during development of a program to compete with a commercial solution would more than offset the cost of the commercial product.


Password reset problems are a costly, recurring problem at most I.T. help desks, including customer support lines in an ISP.

Password reset problems are relatively simple to resolve using automation, where a user either dials into an IVR server with a telephone or accesses a self-service web site; identifies himself; authenticates himself; and resets his own passwords.

Password Manager is a mature password management system, which can scale to address the challenging technical and usability requirements of a large ISP.

Deployment of Password Manager in a large ISP with several hundreds of thousands of subscribers can yield cost savings on the order of $1M to $3M/year.

The bottom line is that effective password management technology can be deployed very quickly (2-3 months), and yield significant cost savings to an ISP, with time-to-ROI measured in months.