
Telephony Integration

Users who forget their passwords can dial an IVR system from any telephone and initiate a password reset. Callers are authenticated either by touch-tone entry of personal secret information or by voice-print verification. Existing IVR systems can be extended using the Hitachi ID Password Manager remote API, or organizations can deploy Hitachi ID Telephone Password Manager, a turn-key IVR system designed specifically for password resets.

Process using touch-tone authentication

Password reset using a telephone, with touch-tone caller authentication and a randomly-generated password (to minimize alpha-numeric input on a telephone) works as follows:

  1. User: forgets password or triggers intruder lockout.

  2. User: dials the support number, navigates to the "password problems" section.

  3. Telephone Password Manager server: asks the user to key in a personal ID, such as an employee number or a numeric mapping of the user's alphanumeric network login ID (e.g., smith01 maps to 7648401).

  4. User: keys in the ID.

  5. Telephone Password Manager server: connects to the Password Manager server.

  6. Password Manager server: looks up the user's profile.

  7. Password Manager server: selects a random subset of the user's registered questions.

  8. Telephone Password Manager server: asks the user to answer the selected questions.

  9. User: keys in (numeric) answers to the selected questions.

  10. Telephone Password Manager server: forwards answers to the Password Manager server.

  11. Password Manager server: compares answers to registered data.

    ... Repeat on failure, continue on success; repeated failures may trigger a lockout.

  12. The process by which the user chooses a new password proceeds as follows:
    1. Telephone Password Manager server: asks Password Manager to generate a random password for this user.

    2. Password Manager server: provides a random, policy-compliant password string.

    3. Telephone Password Manager server: enunciates the password and asks the user to accept / retry.

    4. User: presses a digit to accept the password choice.

    5. Telephone Password Manager server: asks Password Manager to reset passwords for this user, on selected systems, to the requested password string.

    6. Password Manager server: attempts password reset immediately and possibly queues it up for retries.

    7. Password Manager server: may set the "password expired" flag on new passwords, so that the user will be forced to choose a new password at login time.

    8. Password Manager server: writes a ticket to an incident management system.

    9. Password Manager server: sends the user a confirmation e-mail.
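The touch-tone flow above, reduced to its security-relevant pieces as an added Python example. This is not Hitachi ID code and does not use the Password Manager API; the `Profile` class, the question/answer data, the lockout threshold and the password policy are all constructed for illustration. It shows the keypad mapping of a login ID (smith01 maps to 7648401), selection of a random question subset, constant-time comparison of salted answer hashes with a failure counter and lockout, generation of a policy-compliant random password from a CSPRNG, and the character-by-character spelling an IVR would read back.

```python
import hashlib
import hmac
import secrets
import string

# ITU E.161 telephone keypad: which letters share a digit key.
KEYPAD = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
          "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}
LETTER_TO_DIGIT = {ch: d for d, letters in KEYPAD.items() for ch in letters}


def login_id_to_digits(login_id: str) -> str:
    """Numeric mapping of an alphanumeric login ID, e.g. smith01 -> 7648401."""
    digits = []
    for ch in login_id.lower():
        if ch.isdigit():
            digits.append(ch)
        elif ch in LETTER_TO_DIGIT:
            digits.append(LETTER_TO_DIGIT[ch])
        else:
            raise ValueError(f"{ch!r} has no key on a telephone keypad")
    return "".join(digits)


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Salted, slow hash so numeric answers are not recoverable from the profile store."""
    return hashlib.pbkdf2_hmac("sha256", answer.encode(), salt, 100_000)


class Profile:
    """Enrolled question/answer data plus lockout state (constructed, hypothetical)."""

    def __init__(self, login_id: str, answers: dict, max_failures: int = 3):
        self.login_id = login_id
        self.numeric_id = login_id_to_digits(login_id)
        self.questions = {}  # question -> (salt, hash of numeric answer)
        for question, answer in answers.items():
            salt = secrets.token_bytes(16)
            self.questions[question] = (salt, hash_answer(answer, salt))
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False


def select_questions(profile: Profile, count: int, rng=None) -> list:
    """Step 7: a random subset, so a caller never sees every question at once."""
    rng = rng or secrets.SystemRandom()
    return rng.sample(sorted(profile.questions), count)


def verify_answers(profile: Profile, given: dict) -> bool:
    """Step 11: compare keyed-in answers; count failures and lock after too many."""
    if profile.locked:
        return False
    ok = True
    for question, answer in given.items():
        salt, expected = profile.questions[question]
        # Check every answer (no early exit) and compare in constant time.
        if not hmac.compare_digest(hash_answer(answer, salt), expected):
            ok = False
    if ok:
        profile.failures = 0
        return True
    profile.failures += 1
    if profile.failures >= profile.max_failures:
        profile.locked = True
    return False


# Constructed policy: fixed length, at least one character from each class.
POLICY = {"length": 10,
          "classes": [string.ascii_uppercase, string.ascii_lowercase, string.digits]}


def is_policy_compliant(password: str, policy: dict = POLICY) -> bool:
    return (len(password) == policy["length"]
            and all(any(c in cls for c in password) for cls in policy["classes"]))


def generate_password(policy: dict = POLICY) -> str:
    """Step 12.2: CSPRNG-generated password, retried until it satisfies the policy."""
    alphabet = "".join(policy["classes"])
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(policy["length"]))
        if is_policy_compliant(candidate, policy):
            return candidate


def spell_for_speech(password: str) -> list:
    """Step 12.3: the words an IVR would read back, one per character."""
    return [f"digit {c}" if c.isdigit() else f"capital {c}" if c.isupper() else f"lower {c}"
            for c in password]


def telephone_reset(profile: Profile, keyed_answers: dict):
    """Steps 11-12 end to end: new password on success, None if authentication fails."""
    if not verify_answers(profile, keyed_answers):
        return None
    return generate_password()
```

The two design points worth noting are that all selected answers are checked before any verdict is returned (a per-question early exit would let a caller learn which answer was wrong), and that the failure counter lives in the profile, so lockout persists across calls rather than per session.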

Process using biometrics

Password reset using a telephone, with voice-print caller authentication and a randomly-generated password (to minimize alpha-numeric input on a telephone), works as follows:

  1. User: forgets password or triggers intruder lockout.

  2. User: dials the support number, navigates to the "password problems" section.

  3. Telephone Password Manager server: asks the user to key in a personal ID, such as an employee number or a numeric mapping of the user's alphanumeric network login ID (e.g., smith01 maps to 7648401).

  4. User: keys in the ID.

  5. Telephone Password Manager server: connects to the Password Manager server.

  6. Password Manager server: looks up the user's profile.

  7. Password Manager server: selects a random subset of the user's registered questions.

  8. Telephone Password Manager server: asks the user to answer some questions.

  9. User: speaks answers into the telephone.

  10. Telephone Password Manager server: compares answers to voice characteristics stored on file.

    ... Repeat on failure, continue on success; repeated failures may trigger a lockout.

  11. The process by which the user chooses a new password proceeds as follows:
    1. Telephone Password Manager server: asks Password Manager to generate a random password for this user.

    2. Password Manager server: provides a random, policy-compliant password string.

    3. Telephone Password Manager server: enunciates the password and asks the user to accept / retry.

    4. User: presses a digit to accept the password choice.

    5. Telephone Password Manager server: asks Password Manager to reset passwords for this user, on selected systems, to the requested password string.

    6. Password Manager server: attempts password reset immediately and possibly queues it up for retries.

    7. Password Manager server: may set the "password expired" flag on new passwords, so that the user will be forced to choose a new password at login time.

    8. Password Manager server: writes a ticket to an incident management system.

    9. Password Manager server: sends the user a confirmation e-mail.

Integration API

Password Manager includes a client library that can be installed on existing systems, such as IVR platforms and other third-party applications. This API allows native code on the external (for example, IVR) system to:

This library implements a secure remote procedure call to the Password Manager server, using an encrypted TCP socket based on a shared secret key.

The Password Manager API includes a C-language binding for Windows (DLL) and Unix (shared object library for any flavor of Unix, including UnixWare as used by Lucent/Avaya products). It is also exposed as a SOAP web service and an ActiveX component.

Turnkey solution

Overview:

Telephone Password Manager is a turn-key telephone user interface bundled with the Password Manager credential management solution. It enables organizations to quickly and inexpensively offer self-service password reset, PIN reset and disk unlock to users over a telephone, without having to configure a complex IVR system.

Features:

Telephone Password Manager supports self-service management of authentication factors (credentials) and recovery of disk encryption keys over a telephone with:

Benefits:

Telephone Password Manager lowers IT support costs and improves user service by enabling mobile, remote or locked out users to resolve problems with their password, hardware token or encrypted hard disk on their own, without calling the help desk.

Telephone Password Manager can improve the security of IT support processes by authenticating users with biometric voice-print verification prior to offering services such as password or PIN reset.

Installation Prerequisites

End user licenses of Password Manager 7.0 and later include the Telephone Password Manager module at no additional charge. Telephone Password Manager is a software solution which allows users to reset passwords and token PINs using a telephone.

To implement Telephone Password Manager, Hitachi ID Systems customers must provide:

  1. A Windows server where Telephone Password Manager will be installed. This can be the same server as the main Password Manager software or a similarly sized stand-alone server.

    Hardware configuration for this server is described at:

    http://Hitachi-ID.com/technology/server-hardware.html

  2. A Dialogic telephony board and/or software module suitable for the organization's PBX solution and sizing needs. This may be one of the following:

    1. Dialogic hardware for digital telephone systems, as described at:

      http://www.dialogic.com/products/tdm_boards/signaling/D42JCT-U_Boards.htm

      http://www.dialogic.com/products/tdm_boards/signaling/D82JCT_U_Boards.htm

    2. Dialogic hardware for analog telephone systems, as described at:

      http://www.dialogic.com/products/tdm_boards/media_processing/D120JCT_Boards.htm

    3. Dialogic software for Voice over IP (VoIP) phone systems, as described at

      http://www.dialogic.com/products/ip_enabled/hmp_software.htm

  3. At least a one-year support contract from Dialogic or its reseller(s) for the solution selected above, as described at:

    http://www.dialogic.com/products/services/default.htm

Hitachi ID Systems recommends that customers select the VoIP HMP option where possible: it is less expensive, easier to maintain and requires no telephony hardware.