Telephony Integration

Users who forget their passwords can dial an IVR (interactive voice response) system with any telephone and initiate a password reset. Authentication using either touch-tone entry of personal secret information or using voice print verification is supported. Existing IVR systems can be extended using a Hitachi ID Password Manager (formerly P-Synch) remote API (application programming interface), or Hitachi ID Telephone Password Manager -- a turn-key IVR system specifically designed for password resets.

Process using touch-tone authentication

Password reset using a telephone, with touch-tone caller authentication and a randomly-generated password (to minimize alpha-numeric input on a telephone) works as follows:

User: forgets password or triggers intruder lockout.
User: dials the support number, navigates to the "password problems" section.
Telephone Password Manager server: prompts the user to key in a personal ID, such as an employee number or a numeric mapping of the user's alphanumeric network login ID (e.g., smith01 maps to 7648401).
User: keys in the ID.
Telephone Password Manager server: connects to the Password Manager server.
Password Manager server: looks up the user's profile.
Password Manager server: selects random subset of the user's questions.
Telephone Password Manager server: prompts the user to answer the selected questions.
User: keys in (numeric) answers to the selected questions.
Telephone Password Manager server: forwards answers to the Password Manager server.
Password Manager server: compares answers to registered data.
... Repeat if failed, continue if success, possible lockout.
The process by which the user chooses a new password proceeds as follows:
1. Telephone Password Manager server: asks Password Manager to generate a random password for this user.
2. Password Manager server: provides a random, policy-compliant password string.
3. Telephone Password Manager server: enunciates the password and asks the user to accept / retry.
4. User: presses a digit to accept the password choice.
5. Telephone Password Manager server: asks Password Manager to reset passwords for this user, on selected systems, to the requested password string.
6. Password Manager server: attempts password reset immediately and possibly queues it up for retries.
7. Password Manager server: may set the "password expired" flag on new passwords, so that the user will be forced to choose a new password at login time.
8. Password Manager server: writes a ticket to an incident management system.
9. Password Manager server: sends the user a confirmation e-mail.

Process using biometrics

Password reset using a telephone, voice print caller authentication and a randomly-generated password (to minimize alpha-numeric input on a telephone) works as follows:

User: forgets password or triggers intruder lockout.
User: dials the support number, navigates to the "password problems" section.
Telephone Password Manager server: prompts the user to key in a personal ID, such as an employee number or a numeric mapping of the user's alphanumeric network login ID (e.g., smith01 maps to 7648401).
User: keys in the ID.
Telephone Password Manager server: connects to the Password Manager server.
Password Manager server: looks up the user's profile.
Password Manager server: selects random subset of the user's questions.
Telephone Password Manager server: prompts the user to answer some questions.
User: speaks answers into the telephone.
Telephone Password Manager server: compares answers to voice characteristics stored on file.
... Repeat if failed, continue if success, possible lockout.
The process by which the user chooses a new password proceeds as follows:
1. Telephone Password Manager server: asks Password Manager to generate a random password for this user.
2. Password Manager server: provides a random, policy-compliant password string.
3. Telephone Password Manager server: enunciates the password and asks the user to accept / retry.
4. User: presses a digit to accept the password choice.
5. Telephone Password Manager server: asks Password Manager to reset passwords for this user, on selected systems, to the requested password string.
6. Password Manager server: attempts password reset immediately and possibly queues it up for retries.
7. Password Manager server: may set the "password expired" flag on new passwords, so that the user will be forced to choose a new password at login time.
8. Password Manager server: writes a ticket to an incident management system.
9. Password Manager server: sends the user a confirmation e-mail.

Integration API

Password Manager includes a client library that can be installed on an existing systems, such as IVR platforms and other, third-party applications. This API allows native code on the external (example: IVR) system to:

Look up a user profile.
Retrieve a set of authentication questions for the user
(typically these have numeric answers in IVR applications).
Validate answers entered by the user to his own question.
Request a randomly-generated password to offer the user.
Request a password reset for the user.

This library implements a secure remote procedure call to the Password Manager server, using an encrypted TCP socket based on a shared secret key.

The Password Manager API includes a C-language binding for Windows (DLL) and Unix (shared object library for any flavor of Unix, including UnixWare as used by Lucent/Avaya products). It is also exposed as a SOAP web service and an ActiveX component.

Turnkey solution

Overview:

Telephone Password Manager is a turn-key telephone user interface for the Password Manager authentication management solution. It enables organizations to quickly and inexpensively offer self-service password reset, PIN reset and disk unlock to users over a telephone, without having to configure a complex IVR system.

Features:

Telephone Password Manager supports self-service management of authentication factors and recovery of disk encryption keys over a telephone with:

User identification:
Users who call Telephone Password Manager typically identify themselves by typing a personal identifier on a touch-tone telephone keypad. The identifier may be a pre-existing numerical ID, such as an employee number, or a letters-to-digits mapping of an alpha-numeric ID, such as the user's network login ID.
User authentication:
Once identified, users must be authenticated. Telephone Password Manager supports authentication with a hardware token (e.g., RSA SecurID), by asking the user to key in answers to numeric security questions using a touch-tone telephone keypad on their phone (e.g., driver's license number, SSN, date of birth, etc.) or using an optional biometric voice verification module.
Password reset:
Once authenticated, users can initiate a password reset. This may be for one or all of their passwords and the new password may either be randomly generated and read out to the user or user-specified. New passwords may be set to expire after first use.
PIN reset:
Authenticated users can also use Telephone Password Manager to reset the PINs on their RSA SecurID tokens. A randomly-generated or a user-specified PIN may be used.
Disk unlock:
Users with a full disk encryption program protecting their computer can use Telephone Password Manager to automate the key recovery process in the event that they forgot the password that unlocks their computer.
Text to speech:
Telephone Password Manager is normally configured to play .WAV audio files as prompts for user input. It also includes a text to speech mechanism that makes it easier to develop new navigation menus and defer new voice recordings.
Speech to text:
While text input into Telephone Password Manager is usually made with a touch-tone keypad, Telephone Password Manager can be configured to recognize small dictionaries of spoken words, so that users can make alphanumeric input by speaking the names of letters and digits.
PBX integration:
Telephone Password Manager can be directly integrated into an existing PBX system, by installing the appropriate (to that PBX system) Dialogic telephony board on each Telephone Password Manager server.
VoIP integration:
Telephone Password Manager can also be connected to a voice-over-IP network and configured to accept VoIP calls.

Benefits:

Telephone Password Manager lowers IT support costs and improves user service by enabling mobile, remote or locked out users to resolve problems with their password, hardware token or encrypted hard disk on their own, without calling the help desk.

Telephone Password Manager can improve the security of IT support processes by authenticating users with biometric voice-print verification prior to offering services such as password or PIN reset.