This document outlines how Hitachi ID Password Manager can be integrated with an Interactive Voice Response (IVR) system, to enable:
There are three basic sets of desirable functionality that may motivate an integration between Password Manager and an IVR system:
Allowing users who have experienced a password problem to access self-service from a telephone, and resolve their own problem, is advantageous for several reasons:
Since user authentication, password generation and password resets are all processed by the Password Manager server, the telephone password reset automatically benefits from Password Manager's auto-discovery process, user profiles, password policy engine, e-mail integration and call tracking system integration.
Users who sign into the network, or a remote access service, using a hardware token (most likely an RSA SecurID token) may experience problems and require service.
Possible SecurID token problems include users forgetting their PINs, losing their tokens, or users whose token clocks have drifted significantly away from the time reference on the ACE server.
These users may require service before accessing the network, so a telephony solution is desirable.
Organizations deploying a biometric voice print verification technology in their IVR infrastructure must acquire voice samples from the entire user population. Each voice print must be securely mapped to the particular user's user IDs in order to allow secure password reset.
Password Manager can facilitate an automated, reliable, secure and effective process to prompt users to register, authenticate users prior to registration, map users voice prints to their system IDs, and enable the IVR system to securely capture their voice prints.
As with any self-service technology, usability and marketing are key to success. Users must be made aware of the IVR system's new features, and should have an incentive to use it rather than accessing manual service.
The IVR system must be easy to use. This means:
Users must be made aware of the telephony integration. This means:
Users are identified on the network using alphanumeric login IDs. Since most IVR systems do not offer a reliable speech-to-text mechanism, they can only accept numeric input. This presents a challenge for a telephone password reset system: users must enter an alpha-numeric login ID, but the system can only accept a numeric ID.
In organizations where each network login ID is already associated with some unique numeric ID, the simple solution is to ask users to sign into the IVR system by keying in their numeric ID on the telephone touch pad.
Examples of such numeric ID include employee numbers, or home telephone numbers.
Alternately, if a user registration process will be used (e.g., to collect personal Q-A data for user authentication), then users may be asked to key in or select a new numeric personal identifier. An example might be the user's driver's license number. In this case, users will sign into the IVR with their new numeric ID.
In some cases, numeric IDs are not available. This may happen if there are no existing numeric IDs available for all users, or if what numeric IDs exist are not correlated to network login IDs, or if a registration process is undesirable.
In these cases, users may be asked to sign in by pressing the keys on their telephone marked with the letters and numbers of their network login ID. For example, the user smith01 would type 7648401.
Since the digit mapping of two different alpha-numeric login IDs may produce the same number (e.g., poguh01 also maps to 7648401), an IVR system that uses this technique must allow for number collisions, and ask the caller to select the correct ID when the entered number resolves to more than one alpha-numeric login ID.
Users who sign into an IVR system to access a secure function, such as a password reset, must not only identify themselves, but also prove their identity using a process which is appropriately hard to fool. In other words, the rate of false-positive user authentication must be acceptable.
For example, if users can access a self-service password reset, then the difficulty of fooling the IVR authentication process must be comparable to the difficulty of cracking a password.
A simple process to authenticate users is to ask them to answer one or more personal questions. Personal questions should have the following characteristics:
Examples of personal questions that a user may be able to answer with some expectation of privacy, without remembering anything new, include all or parts of the following numbers:
Since all of these may be acquired by a third party, it makes sense to use more than a single question, to randomize which questions are used for any given authentication session, and to lock out users who repeatedly fail to authenticate.
Using too few numeric Q-A pairs, or using data that is too easily acquired by an intruder, will have the effect of reducing password strength on the network. Biometric voice print verification is a stronger technology, and is described below.
A simpler, more secure, but more costly process for caller authentication is to capture a voice print sample from each user during a registration process, and to subsequently authenticate callers by asking them to speak one or more phrases, so that their new response can be compared to their registered sample.
Biometric voice print verification is commercially available, can yield effectively zero false-positive recognitions, and low false-negative failures (on the order of 1% to 2% of valid authentication attempts ending with a failure to recognize the speaker).
Biometric voice print verification requires that a voice print sample be collected in a secure manner from each user prior to the first instance where the user must access the system. Password Manager can drive this process, as described in [link].
The following are three example processes that illustrate how Password Manager and an IVR system can co-exist:
Password reset using a telephone, with touch-tone caller authentication and a randomly-generated password (to minimize alpha-numeric input on a telephone) works as follows:
... Repeat if failed, continue if success, possible lockout.
Password reset using a telephone, voice print caller authentication and a randomly-generated password (to minimize alpha-numeric input on a telephone) works as follows:
... Repeat if failed, continue if success, possible lockout.
Registration of user voice print data using the Password Manager web form and deployment infrastructure works as follows:
... repeat if authentication failed, lockout if too often.
... repeat above two steps for multiple samples.
Password Manager can be integrated with a telephony user interface in a number of ways:
Hitachi ID Systems offers two options to customers who wish to enable telephone access to Password Manager:
Turn-key system options are described in Section [link].
If an existing Automatic Call Direction (ACD) system is in place, then it must be configured to forward relevant calls to the Password Manager IVR system.
In this case, the call flow logic on the existing IVR system is modified to prompt the user for identification and authentication information. The IVR is programmed to verify user authentication by calling either:
Once the IVR has authenticated the user, it can make calls to the Password Manager server to request various password reset services.
Password Manager can be integrated with almost any existing IVR system, as described in [link].
The software required to integrate Password Manager with any existing IVR system is included at no additional charge. (Particular IVR systems may also require software extensions as available from the IVR vendor, eg. XML over HTTPS).
Hitachi ID Systems offers a turn-key IVR option, Telephone Password Manager, which uses touch-tone caller authentication, and leverages the Web-based Password Manager registration process to build user profiles for numeric Q-A authentication.
This solution is tightly integrated with Password Manager, using the secure API described in [link].
Note that Password Manager has an open interface specification, which allows other IVR biometric voice print authentication systems, such as Vocent, to leverage Password Manager for general enterprise password management.
Organizations with an existing IVR system may choose to continue to use an existing caller authentication process, or to strengthen it prior to activating self-service password reset.
The existing identification and authentication process may have to be replaced because it is not secure enough, and would weaken password security if it enables self-service password reset.
Password Manager exposes APIs suitable for use by an IVR system over a variety of communication channels. In each case, strong encryption makes it possible to securely locate the IVR system at a different site from the Password Manager server.
A web service allows IVR systems and other applications to remotely invoke methods on the Password Manager server, to perform functions such as user and account lookup, Q-A authentication, random password generation, and to initiate password resets or to clear intruder lockouts.
Remote applications normally access the web service over HTTPS for security, and must provide a 128-bit secret key to prove that they are authorized to use the API at all.
Organizations wishing an extra level of security may periodically change the authentication key, and limit the range of IP addresses that are permitted to access the API to just legitimate IVR systems or other applications.
IVR systems that support integration using web services include those from Intervoice and Nortel/Periphonics.
The same integration functions available through the web service ((_label_web-services)) are available in a Windows 32-bit DLL. This DLL communicates with a TCP/IP socket listener service on the Password Manager server, and the two end-points implement a secure communication protocol that includes mutual authentication, random session keys and 128-bit IDEA encryption.
Windows-based IVR systems, such as those from Apropos, can readily link against this DLL.
An ActiveX (COM) wrapper is provided for the Win32 DLL described in (_label_win32-api), to enable IVR systems that more readily integrate with ActiveX components to tie into Password Manager. Other than different calling / linking semantics, this is the same Win32 API as described earlier.
The same integration functions available through the web service ((_label_web-services)) are available in a Unix shared-object library. This library communicates with a TCP/IP socket listener service on the Password Manager server, and the two end-points implement a secure communication protocol that includes mutual authentication, random session keys and 128-bit IDEA encryption.
Unix-based IVR systems, such as those from Lucent / Avaya, can readily link against this shared object library. (A UnixWare binary is made available for this popular system).
A command-line wrapper that uses the Win32 DLL API is available, to enable integration from Windows-based IVR systems that cannot directly link to DLL libraries, but can invoke command-line programs.
A command-line wrapper that uses the Unix shared object is available, to enable integration from Unix-based IVR systems that cannot directly link to shared object libraries, but can invoke command-line programs.
The touch-tone-authenticated password reset process described in (_label_touch-tone-reset) is implemented by calling the following library functions, using any of the API variants described above:
Self-service password reset, self-service RSA SecurID token management and automated registration of biometric voice print samples can all be implemented by integrating Password Manager with an IVR system.
Password Manager licensees may choose to purchase a dedicated IVR system from Hitachi ID Systems, specifically for these applications, or to extend an existing IVR system to include new call logic. Integration is available for every kind of existing IVR system, through multiple language and platform bindings of a powerful Password Manager API.
User identification can be implemented using speech-to-text technology, or user input of unique numeric identifiers or numeric-mapped network login IDs.
User authentication can be implemented using either text prompts for personal information, followed by touch-tone input of responses, or using biometric voice print verification technology.
System integration for a telephony-enabled password management system can range from one or two days of effort to activate a turn-key, touch-tone enabled IVR system up to two or three weeks to extend an existing biometric system.