Users who experience a login problem can dial an interactive voice response (IVR) system with any telephone and reset a forgotten or locked password or PIN, clear an intruder lockout or resolve a problem pre-boot or with a hardware token. There are several options for identifying callers, including touch-tone input of login IDs or speech-to text. Similarly, there are several options for authenticating callers, including touch-tone or text-to-speech input of answers to security questions, voice biometrics and input of a PIN sent via SMS to a user's mobile phone.

The call flow in an existing IVR system can be extended to handle this type of self-service, integrating with Hitachi ID Password Manager via its API to access user profiles and initiate self-service operations. Alternately, relevant calls can be rerouted to Hitachi ID Telephone Password Manager, which can handle the entire call flow itself. Telephone Password Manager is an included, self-contained IVR system designed for use with Password Manager.

Note that there are some types of problems that cannot (physically) be resolved via a phone call. In particular, an IVR system cannot update any locally cached passwords on the user's device. For users who forgot their locally cached OS login password and are off-site, a self-service mechanism launched from the OS login screen is required.

IVR design questions

When deploying a self-service system with a telephony user interface, some key design questions must be answered:

  1. How will users identify themselves?
  2. How will users authenticate themselves?
  3. Will users have the option to clear intruder lockouts separately from resetting passwords?
  4. Will users have the option to choose on which systems to reset passwords or will password synchronization be implicit?
  5. Will users have the ability to choose their own new password, or will one be randomly generated?

Password Manager can be configured in a variety of ways, to support different answers to each of the above questions. Following are suggestions for best practices, intended to streamline the IVR user experience without adversely impacting security:

  1. User identification:

    The simplest solution is to map users' network login IDs, which are alphanumeric, to their digit equivalents on user telephone keypads. In the few cases where multiple users have the same numeric version of their login ID, the IVR system can ask the user to choose the correct identifier.

    This approach is less costly and more reliable than speaker independent speech-to-text technologies.

    A viable alternative is to prompt users to type a well known personal numeric identifier, such as an employee number. The only caution with this alternative is to ensure that all users actually have and know their own identifier (e.g., obscure employee numbers, contractors without an employee number, etc.).

  2. User authentication:

    Robust authentication is the cornerstone of system security. The best practice is to invite users to enroll a biometric voice print sample (during general Password Manager enrollment, not as a separate project). The voice print on file can be matched against a fresh sample taken when a user needs service.

    A somewhat less expensive option is to invite users to enroll personal, numeric answers to security questions. Users may provide their driver's license number, date of birth, last-4-SSN, etc. at enrollment time and be prompted to key in the same data at authentication time.

  3. Clear lockout as a separate option:

    User interaction with a telephone is sequential and slow. This can make the process frustrating and it is therefore desirable to minimize interaction. For this reason, a separate feature to clear an intruder lockout -- which would add a navigation step -- is not recommended (but it is technically supported).

  4. One password or many:

    For the same reason as above, it makes sense to offer users a password reset on all systems, rather than one at a time. Resetting multiple passwords eliminates the need for users to specify which password they need reset.

  5. Password selection:

    Again, to limit user interaction, it is easier to have the IVR system generate a random password, enunciate it to the user and ask the user to accept it. This eliminates awkward manual input of password values using a telephone's keypad. When passwords are reset, they should be set to immediately expire in any case, so that users will have to choose their own, permanent password.

Using an existing IVR system

Password Manager includes a client library that can be installed on an existing systems, such as IVR platforms and other, third-party applications. This API allows native code on the external (example: IVR) system to:

  • Look up a user profile.
  • Retrieve a set of authentication questions for the user
    (typically these have numeric answers in IVR applications).
  • Validate answers entered by the user to their own question.
  • Request a randomly-generated password to offer the user.
  • Request a password reset for the user.

This library implements a secure remote procedure call to the Password Manager server, using an encrypted TCP socket based on a shared secret key.

The Password Manager application programming interface (API) includes a C-language binding for Windows (DLL) and Unix (shared object library for any flavor of Unix, including UnixWare as used by Lucent/Avaya products). It is also exposed as a SOAP web service and an ActiveX component.

Deploying Telephone Password Manager and rerouting calls

Overview:

Telephone Password Manager is a turn-key telephone user interface bundled with the Password Manager credential management solution. It enables organizations to quickly and inexpensively offer self-service password reset, PIN reset and encrypted drive unlock to users via a telephone call, without having to configure a complex IVR system.

Features:

Telephone Password Manager supports self-service management of login credentials and unlock of encrypted drives through:

  • Caller identification:

    Users who call Telephone Password Manager typically identify themselves by typing a personal identifier on a touch-tone telephone keypad. The identifier may be a pre-existing numeric ID, such as an employee number or a letters-to-digits mapping of an alpha-numeric ID, such as the user's network login ID.

  • Authentication:

    Once they have entered a claimed identity, users must prove that it's really them on the call. Telephone Password Manager supports authentication with a hardware token (e.g., RSA SecurID), by prompting the user to key in answers to numeric security questions on a touch-tone telephone keypad (e.g., driver's license number, SSN, date of birth, etc.), by sending a PIN to the user's mobile phone, which the user must key in, or by using an optional biometric voice verification module.

  • Password reset:

    Authenticated callers can initiate a password reset. This may be applied to one or all of their accounts and the new password may either be randomly generated and read out to the user or user-selected. New passwords may be set to expire after first use.

  • PIN reset:

    Authenticated callers can also use Telephone Password Manager to reset the PINs on their RSA SecurID tokens. A randomly-generated or a user-specified PIN may be used.

  • Encrypted drive unlock:

    Users with a drive encryption program protecting their computer can use Telephone Password Manager to automate the unlock process in the event that they forgot the password that they normally type pre-boot.

  • Text to speech:

    Telephone Password Manager is normally configured to play .WAV audio files as prompts for user input. It also includes a text to speech mechanism that makes it easier to develop new navigation menus and defer having to record new voice prompts.

  • Speech to text:

    While text input into Telephone Password Manager is usually made with a touch-tone keypad, Telephone Password Manager can be configured to recognize small dictionaries of spoken words, so that users can make alphanumeric input by speaking the names of letters and digits.

  • VoIP integration:

    Telephone Password Manager can be connected to a voice-over-IP network and configured to accept VoIP calls.

Benefits:

Telephone Password Manager lowers IT support costs and improves user service by enabling remote or locked out users to resolve login problems related to their password, hardware token or encrypted drive without calling the help desk.

Telephone Password Manager can improve the security of IT support processes by authenticating users with biometric voice-print verification prior to offering credential support services.