Hitachi ID Systems, Inc.

Telephony Integration

Users who forgot their passwords can dial an IVR (interactive voice response) system with any telephone and initiate a password reset. Callers are authenticated either by touch-tone entry of personal secret information or by voice print verification. Existing IVR systems can be extended using a P-Synch® remote API (application programming interface), or ID-Telephony® -- a turn-key IVR system specifically designed for password resets -- can be acquired from Hitachi ID.

Process using touch-tone authentication

Password reset using a telephone, with touch-tone caller authentication and a randomly-generated password (to minimize alpha-numeric input on a telephone) works as follows:

  1. User: forgets password or triggers intruder lockout.

  2. User: dials the support number, navigates to the "password problems" section.

  3. ID-Telephony server: prompts the user to key in a personal ID, such as an employee number or a numeric mapping of the user's alphanumeric network login ID (e.g., smith01 maps to 7648401).

  4. User: keys in the ID.

  5. ID-Telephony server: connects to the P-Synch server.

  6. P-Synch server: looks up the user's profile.

  7. P-Synch server: selects a random subset of the user's questions.

  8. ID-Telephony server: prompts the user to answer the selected questions.

  9. User: keys in (numeric) answers to the selected questions.

  10. ID-Telephony server: forwards answers to the P-Synch server.

  11. P-Synch server: compares answers to registered data.

    ... Repeat if failed, continue if success, possible lockout.

  12. The process by which the user chooses a new password proceeds as follows:
    1. ID-Telephony server: asks P-Synch to generate a random password for this user.

    2. P-Synch server: provides a random, policy-compliant password string.

    3. ID-Telephony server: enunciates the password and asks the user to accept / retry.

    4. User: presses a digit to accept the password choice.

    5. ID-Telephony server: asks P-Synch to reset passwords for this user, on selected systems, to the requested password string.

    6. P-Synch server: attempts password reset immediately and possibly queues it up for retries.

    7. P-Synch server: may set the "password expired" flag on new passwords, so that the user will be forced to choose a new password at login time.

    8. P-Synch server: writes a ticket to a call tracking system.

    9. P-Synch server: sends the user a confirmation e-mail.

Process using biometrics

Password reset using a telephone, voice print caller authentication and a randomly-generated password (to minimize alpha-numeric input on a telephone) works as follows:

  1. User: forgets password or triggers intruder lockout.

  2. User: dials the support number, navigates to the "password problems" section.

  3. ID-Telephony server: prompts the user to key in a personal ID, such as an employee number or a numeric mapping of the user's alphanumeric network login ID (e.g., smith01 maps to 7648401).

  4. User: keys in the ID.

  5. ID-Telephony server: connects to the P-Synch server.

  6. P-Synch server: looks up the user's profile.

  7. P-Synch server: selects a random subset of the user's questions.

  8. ID-Telephony server: prompts the user to answer some questions.

  9. User: speaks answers into the telephone.

  10. ID-Telephony server: compares answers to voice characteristics stored on file.

    ... Repeat if failed, continue if success, possible lockout.

  11. The process by which the user chooses a new password proceeds as follows:
    1. ID-Telephony server: asks P-Synch to generate a random password for this user.

    2. P-Synch server: provides a random, policy-compliant password string.

    3. ID-Telephony server: enunciates the password and asks the user to accept / retry.

    4. User: presses a digit to accept the password choice.

    5. ID-Telephony server: asks P-Synch to reset passwords for this user, on selected systems, to the requested password string.

    6. P-Synch server: attempts password reset immediately and possibly queues it up for retries.

    7. P-Synch server: may set the "password expired" flag on new passwords, so that the user will be forced to choose a new password at login time.

    8. P-Synch server: writes a ticket to a call tracking system.

    9. P-Synch server: sends the user a confirmation e-mail.
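
The following is an added sketch, not Hitachi ID code and not the P-Synch API, of steps 3, 7 and 11 of the touch-tone flow (steps 3 and 7 also open the voice print flow). The names `keypad_id`, `colliding_ids` and `CallerAuth` and the three-failure lockout threshold are assumptions made for illustration; the sketch also shows that distinct login IDs can key in as the same digits, which an enrollment check should catch.

```python
import hmac
import secrets

# Letters on a standard telephone keypad; digits map to themselves.
KEYPAD = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
          "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}
TO_DIGIT = {c: d for d, letters in KEYPAD.items() for c in letters}
TO_DIGIT.update({d: d for d in "0123456789"})

def keypad_id(login_id):
    """Step 3: numeric mapping of a login ID, e.g. smith01 -> 7648401."""
    return "".join(TO_DIGIT[c] for c in login_id.lower())  # KeyError on other chars

def colliding_ids(login_ids):
    """Group login IDs that key in as the same digits; those users need a distinct personal ID."""
    groups = {}
    for login in login_ids:
        groups.setdefault(keypad_id(login), []).append(login)
    return {k: v for k, v in groups.items() if len(v) > 1}

class CallerAuth:
    """Steps 7-11 for one user; `profile` maps question -> registered numeric answer."""
    MAX_FAILURES = 3  # assumed threshold, the page does not give one

    def __init__(self, profile, ask=2):
        self.profile, self.ask = profile, ask
        self.failures = 0      # kept per user, so hanging up does not reset it
        self.pending = []

    def select_questions(self):
        # Step 7: unpredictable subset, drawn from the OS CSPRNG.
        self.pending = secrets.SystemRandom().sample(sorted(self.profile), self.ask)
        return self.pending

    def verify(self, answers):
        # Step 11: returns "ok", "retry" or "locked".
        if self.failures >= self.MAX_FAILURES:
            return "locked"
        ok = bool(self.pending) and set(answers) == set(self.pending)
        for q in self.pending:  # check every answer, no early exit
            given = answers.get(q, "")
            ok &= hmac.compare_digest(given.encode(), self.profile[q].encode())
        self.pending = []       # a question set is good for one attempt
        if ok:
            self.failures = 0
            return "ok"
        self.failures += 1
        return "locked" if self.failures >= self.MAX_FAILURES else "retry"
```
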

Integration API

P-Synch includes a client library that can be installed on existing systems, such as IVR platforms and other third-party applications. This API allows native code on the external (example: IVR) system to:

This library implements a secure remote procedure call to the P-Synch server, using an encrypted TCP socket based on a shared secret key.

The P-Synch API (application programming interface) includes a C-language binding for Windows (DLL) and Unix (shared object library for any flavor of Unix, including UnixWare as used by Lucent/Avaya products). It is also exposed as a SOAP web service and an ActiveX component.

Turnkey solution

Overview:

ID-Telephony is a turn-key telephone user interface for the P-Synch password reset system. It enables organizations to quickly and inexpensively offer self-service password reset to users over a telephone, without making costly changes to existing telephone switching infrastructure.

ID-Telephony is appropriate for users who forgot or disabled their primary workstation login. It also enables mobile and work-at-home users to resolve connectivity issues without calling the help desk.

Features:

An organization's existing help desk ACD (automatic call distribution) system is configured to transfer phone calls relating to password reset, intruder lockout or RSA token management problems from the main help desk phone number to a turn-key ID-Telephony server.

When ID-Telephony receives a phone call, it prompts users to select a language, indicate the type of problem, authenticate themselves and resolve their own problem. ID-Telephony allows users to reset their own passwords on one or more systems, to clear intruder lockouts on one or more of their own accounts and to manage their own RSA SecurID token.

ID-Telephony authenticates callers using Q-A (Question-and-Answer) data stored in P-Synch user profiles or using a two-factor token (e.g., SecurID token or another hardware device). An optional biometric voice print verification engine is also available for ID-Telephony, enabling organizations to authenticate callers by comparing a prompted voice sample to characteristics of a user's voice, stored on file.

Caller authentication data used by ID-Telephony may be periodically imported into P-Synch from another system or may be collected in the course of a managed P-Synch user enrollment, with e-mail reminders to users followed up by users authenticating to a P-Synch web page with their network password and filling in their personal data. Voice print samples can also be enrolled using e-mail prompts to users and user authentication to the P-Synch web application, with a telephone used only for collecting voice samples from web-authenticated users.

ID-Telephony can be configured to support users who speak multiple languages, by recording multiple versions of each voice prompt.

The call flow implemented by ID-Telephony is fully customizable:

ID-Telephony can integrate with any existing telephony infrastructure. To match ID-Telephony to a given corporate PBX system, an appropriate Intel Dialogic telephony card is chosen. Dialogic cards are available for analog and digital phone systems and range from single-line to 32 phone lines per card. Dialogic cards may be sourced from Hitachi ID or from telephony hardware suppliers.

ID-Telephony may be installed on the same physical server as P-Synch or on its own Windows/Intel servers, with the addition of one or more Intel Dialogic telephony boards. Multiple ID-Telephony servers can integrate with multiple P-Synch servers.

ID-Telephony need not be co-located with P-Synch. Communication between ID-Telephony and P-Synch is carried by a single, encrypted TCP/IP socket. As a result, it is possible to deploy ID-Telephony servers in multiple locations and integrate them with a single cluster of P-Synch servers, securely connecting over WANs, the Internet and/or firewalls.

Benefits:

ID-Telephony enables mobile users, work-at-home users and users who have been locked out of their primary workstation login to resolve their own problem without calling the help desk.

ID-Telephony is an easy-to-deploy solution for telephone access to self-service password resets. In organizations that do not have a pre-existing IVR infrastructure, or in those where modifying IVR call logic is complex or expensive, ID-Telephony is an attractive alternative, as it requires only minimal changes to existing phone switching infrastructure.