Automating Password Resets

Ask many enterprise help desk managers about Monday mornings, and you’ll likely hear them complain about backlogs due to a spike in call volume from employees who need to reset forgotten or expired network passwords. If only there was a way to securely automate this necessary but time-consuming task. Voice-based authentication is increasingly cited as a viable option for verifying the identities of consumers dialing into call centers or interactive voice response systems (IVRs). While customer-facing deployments are perfectly suited for voiceprint-based solutions, internally-facing applications that reset passwords are gaining substantial traction because they automate a very real and expensive function. THE PASSWORD RESET PROBLEM As access to IT systems becomes increasingly critical in day-to-day business operations, access controls to each system grow in complexity. From basic e-mail and network access, to ERP, CRM and other emerging applications, the number of systems and applications which employees must access continues to mount. Each system requires certain credentials to gain access, typically a password. Because different systems can have varying password policies - length, construction and frequency of change - users must remember a myriad of passwords that are often forgotten or must be changed on an ongoing basis. When a password is forgotten, the natural reaction is to call the help desk and request a password reset. At many large enterprises, users often request password resets three to four times per year. Analysts estimate that the fullyloaded cost to manually reset a password can be $20 or more per reset. For a company with 25,000 employees, these harddollar costs can total millions of dollars per year, with additional soft-dollar costs related to lost employee productivity. Enterprises have struggled to develop processes for resetting passwords without compromising security. Hackers commonly use social engineering tactics with help desk agents to persuade them to reset an employee’s password, which they can then use to access critical IT infrastructure. According to Kevin Mitnick, a reformed hacker who is now a security consultant, “The most common ploy used by social engineers is to have another person’s account password reset or changed.” (Mitnick, K., “The Art of Deception”) Some of the methods used to offer employees self-service password reset capabilities include Web browser access, which uses challenge-response questions to authenticate users. In some organizations, especially where employees are used to calling the help desk to reset passwords, Web-based systems may fall short of automation goals simply due to the required change in user behavior. In addition, the use of challenge-response questions alone may not satisfy IT security requirements. Plus, in some instances users cannot access the Web-based system if they are locked out of the network itself, causing added difficulties. Touch-tone systems are sometimes considered for automating password resets. However, because touch-tone IVR systems are not speech driven, they are not always intuitive to use, driving users back to the help desk. The use of touch-tone entry also limits the variety of authentication questions that can be asked, potentially opening security holes and hampering ease of use. In addition to ensuring the system is easy to use, a password reset solution must be able to seamlessly integrate with the existing back-end infrastructure. If it cannot tie into the systems that require the greatest number of password resets, it will not be able to effectively solve the problem. LEVERAGING VOICEPRINTS TO SOLVE THE PASSWORD RESET PROBLEM Usability and security requirements have driven enterprises to begin deploying speech driven applications that leverage voiceprints to automate password resets. Using a speech-driven interface, combined with voiceprints for identity verification, provides an easy method for users to securely reset their own passwords. A well-designed voice user interface provides an easy way for users to reset multiple passwords on different systems. For example, “Which system password would you like to reset? You can say “NT,” “Lotus,” or “Mainframe.” Because there is little change in user behavior — users continue to use the telephone to reset passwords, much like they did when calling the help desk — automated rates are maximized. This is a key point in considering voiceprint-based solutions. Changing user behavior is an uphill battle. By deploying a telephone-based, speech-driven system to reset passwords, users are much more likely to utilize it. By maximizing the self-service automation rate, enterprises see an improved return on investment (ROI), with a 3-6 month payback typical on voiceprint-based password reset systems. In addition to an easy interface, using a voiceprint-based system makes it possible for users locked out of the network to reset their own passwords. This is also a huge benefit to remote or traveling workers, who can reset their password from any standard telephone. Automating password resets takes a significant burden off the enterprise help desk, thereby improving service metrics and allowing agents to be more productive, since they can use this time to provide other critical employee support functions. At the same time, employees benefit because they do not have to wait on hold for agents to become available to reset their passwords. Furthermore, voiceprints provide additional security benefits by using a biometric to verify the user’s identity. Since social engineering is a key attack point used by hackers - using voiceprints to verify employee identities closes this potentially dangerous security hole in a way that is more robust than challenge-response questions alone. KEYS TO A SUCCESSFUL AUTOMATED PASSWORD RESET DEPLOYMENT Designing and deploying a successful voiceprint-based password reset system from “scratch” is not as simple as writing a few dialogs, connecting it to the PBX and performing a little tuning. The complexities of the voiceprint technology, along with the challenges of connecting to existing back-end systems, require significant expertise in both speech technology and enterprise system integration. For this reason, a packaged password reset application has the advantage of incorporating a “tried-and-true” user interface, as well as system adapters for speeding the time to production. When considering both the security and automation requirements of the deployment, voiceprint technology alone may not be enough to satisfy both metrics. A system that can effectively use all available information, including the caller’s knowledge, voiceprint, as well as location via automatic number identification (ANI), results in the most accurate authentication decision, maximizing automation rates while minimizing security risk. Voiceprint technology is indeed effective for keeping out impostors; however, advanced multi-factor decision logic is necessary at the application level in order to minimize error rates while achieving a high automation rate in real-world situations. Back-end integration is another key success factor. The best speech technology in the world will not help if the system cannot effectively communicate with the target back-end systems. This is a widely overlooked but critical component of a password reset deployment. Scalable, seamless integration with identity management systems, directory services, logging and reporting tools, and other databases and applications is critical for leveraging previous investments in IT infrastructure. Building an effective user interface is a key component for users to successfully navigate the system, and not “zero-out” to a help desk agent. Customized prompts that use system names and terminology familiar to the organization are needed to clearly guide users to the desired system, especially in today’s multiple password, multiple system environments. The system must also be configurable enough to match the company’s business rules and security requirements. Every enter prise has different rules on how to handle passwords in different “states,” such as active, revoked, locked or disabled. In addition, many systems require unique password rules, e.g., 6-12 characters with at least one uppercase and lower alpha, four unique digits, and one non-alpha-numeric character. The password reset application must be able to handle these evolving requirements, and must be configurable enough to be changed if system, customer service requirements or security rules change. CONCLUSION As a growing number of enterprises investigate the benefits of voice-based authentication, many are using automated password reset as a first step. Deploying this application in the help desk immediately reduces call volume, enabling agents to focus on other trouble tickets that require more personalized attention. The ROI benefits alone justify an automated password reset application, with improved customer service and security benefits adding even more value. The help desk also provides a great proving ground for voice authentication and builds experience for subsequent deployments in the call center for outwardfacing applications. Expect to see a growing number of enterprises leverage voiceprint authentication to automate password reset functions in the coming months, and don’t be surprised if Monday mornings in the help desk appear a little more organized. Brian Phillips is a product marketing manager and Brian Eastley is a product manager for Vocent Solutions.