REDMOND, Wash., Feb. 1, 2005 — Resetting expired, forgotten or compromised passwords is a routine part of life for millions of information workers. It’s also a tedious, time-consuming process that complicates already busy schedules, cuts into worker productivity and costs companies millions of dollars per year.
Password resets are the second most common reason workers call help desks, accounting for about one in four help desk requests, according to the Gartner Group, an IT research company. At an average cost of US$22 per call, according to Gartner, that adds up fast, especially for large-scale enterprises and midsize organizations.
“We have heard from customers about the need for greater efficiencies in managing identities across their networks,” says James Mastan, director of marketing for Microsoft’s Speech Server product group. “A key component of managing identities is password management, and Microsoft is committed to developing solutions and tools to make it easier and more cost effective for network administrators.”
Case in point: Four Microsoft Speech Server industry partners — Intervoice, SOFTEL Communications, Gold Systems and Metaphor Solutions — are building voice-driven applications that enable users to reset their own password over the phone, thus cutting the cost per reset to the cost of a phone call, and freeing up IT staff to focus on higher-value projects. These interactive voice response (IVR) applications are built on Microsoft®
Speech Server 2004 — a flexible, cost-effective speech platform that combines Web technologies, speech-processing services and telephony capabilities into a single system.
“Resetting passwords through the Microsoft Speech Server is one of a number of great tools to help IT professionals automate and manage this key component of identity management,” Mastan says.
The four industry partners say the Microsoft Speech Server offers numerous advantages over competing platforms. “Over the last year, we have invested considerably more resources and effort in our Microsoft speech server offering because of the capabilities and ease of development of the platform,” says Corey Coblentz, network operations center manager at Norcross, Ga.-based SOFTEL Communications, which develops, deploys and optimizes multi-channel contact center solutions on various industry leading platforms. “The resulting solution is more robust, easier to develop, quicker to roll out and more cost-effective than solutions built on any other platform.”
In developing their password-reset solutions, the four speech partners used best practice “threat modeling” — a structured approach for identifying, evaluating and mitigating risks to system security. This was reviewed against security criteria provided by the Microsoft Security Business Unit specifically for password-reset solutions.
Microsoft chose to team up with the four partners because of their extensive experience in password-reset solutions, says Kyle Kim, senior manager of Microsoft’s Strategic Planning Emerging Servers group. “Telephone-based self-service is one of the most effective and efficient ways to address this pain point,” he says.
Password Resets — A Necessary Hassle?
Driving the need for frequent password changes are a variety of threats to IT security — from emerging network threats and hackers, to information theft by internal abusers and competitive espionage. It is also important to point out the obvious — if an employee is locked out of a machine or access to the corporate network, he or she cannot take advantage of a Web-based password-reset solution, leaving the telephone as the only viable method to deliver a solution.
But following the traditional telephony process to reset passwords often involves hassle for the user. After calling the help desk, a user must wait on the phone while an IT person pulls up software to authenticate the user and view his or her profile. The user keeps waiting while the IT person asks a series of questions before finally asking the user to choose a new password. And that’s if the IT person is immediately available to help.
The more complex the process, the more costs accrue. Many workers have to remember multiple passwords — by one estimate an average of eight to 14 each. Some help desks support hundreds of applications, and some applications have differing authentication policies, such as differing frequencies of required resets and differing complexities of passwords — for example, with an alphanumeric element and a symbol.
“These businesses are concerned that more users are forgetting passwords, more users are getting locked out of systems, and more users are overloading the IT help desk by resetting passwords,” says Steve Stolt, director of product development for Gold Systems, a Boulder, Colo.-based provider of software components and services to enable customer self-service systems incorporating interactive speech.
Now consider this comparatively painless scenario using an automated password-reset application: An enterprise worker on a business trip wants to check her e-mail from her hotel room, but she cannot access her account because she has forgotten the new password she received the day before. The worker uses her cell phone to call the voice-activated reset application. The call is answered immediately, and the application reads the cell phone number — the first of several steps to authenticate the caller’s identity.
Next, the application retrieves personal information about the worker — entered into a Web page upon enrollment — from a data store such as Microsoft Active Directory. It randomly selects two of four “smart” personal questions and prompts the worker to answer them for verification. If the worker is authenticated, the application then creates a new temporary password, performs the reset, reads back the password over the phone and gives the worker 10 minutes to use it. The worker hangs up, logs on and is immediately asked to change the password.
“It’s quick, it’s simple and it’s secure,” says Michael Kuperstein, CEO of Wellesley, Mass.-based Metaphor Solutions, which provides off-the-shelf speech recognition applications on the Microsoft Speech Server to automate personal and customer service by phone. “The user never needs to leave a voice-mail message for a busy IT person, and the service is available round the clock and from any location.”
Features of Password-Reset Solutions
At a high level, password-reset solutions often consist of three elements:
Enrollment. This can be done via a Web page that allows workers to input personal information such as user name, phone numbers and the answers to questions that can be used later for authentication purposes. The information is stored in a data store such as Microsoft Active Directory.
Phone calls made to the application.
Administration. This is the bridge that connects the speech application to the data store and includes functions such as logging, monitoring and reporting.
The password-reset offerings from Microsoft partners offer customizable levels of security beyond the standard secure protocols that protect all communications between servers and over networks. For example, some solutions include features that “learn” to block phone numbers perceived as a threat. For greater security, another option is speaker verification — the use of voice biometrics to authenticate the caller’s identity and so keep unauthorized users from accessing a system even if they have gained access to an employee’s personal information.
Some password-reset solutions, including the offering from SOFTEL Communications, employ a challenge-response model for authentication. “But we have kept our architecture open to incorporating speaker verification and, to provide enhanced security, we may incorporate a hybrid of speaker verification and challenge-response,” Coblentz says.
The applications have a modular design that allows for adding or removing functionality without reworking the entire system, thereby allowing customers to adapt to new business requirements while preserving existing investments. Callers can be asked which password they want to reset — for example, “network password” or “e-mail password.” E-mail may be generated informing the user of the new password. If the reset fails, the call can be transferred to a representative. The applications also lend themselves to back-end integration with Active Directory and other host applications, data sources and security systems.
At the heart of this modular nature and high potential for customization is the fact that the solutions are based on Microsoft .NET, a set of software technologies for connecting information, people, systems and devices. Taking advantage of .NET enables a high level of software integration through the use of Web services — small, discrete, building-block applications that connect to each other as well as to other, larger applications over the Internet. “Microsoft .NET architecture allows a very easy deployment and integration of our password-reset solution into an enterprise,” says Kuperstein.
More Benefits of Password Reset Solutions
IVR applications have been used for many years in call centers to automate common customer interactions on the phone, such as making an inquiry on a bank account balance, paying a bill or purchasing a ticket. But these systems have typically been entirely separate from organizations’ Web systems.
Unifying telephony and Web infrastructures became a much easier and more cost-effective proposition for organizations with the launch in March 2004 of Microsoft Speech Server 2004 — the first single platform to combine Web technologies, speech-processing services and telephony capabilities.
Says Microsoft’s Mastan, “It delivered, for the first time, the true value of speech technology to enterprises such as reduced costs and increased return on investment (ROI), increased customer satisfaction, increased employee productivity, and it provides additional revenue generation opportunities.”
By the same token, password-reset solutions built on Microsoft Speech Server enjoy ease of integration with existing infrastructures, which means less customization, faster time to market and increased ROI for customers, both in direct savings stemming from automated resets and in indirect savings such as recovered productivity, partners say.
That’s especially true for the many enterprise IT organizations that have standardized their workflow environments on Microsoft .NET and Microsoft Windows Server System technologies. “It’s a clean method of integrating speech into your system using what you already have,” says Michael Segura, director of Microsoft strategy and products at Dallas, Texas-based Intervoice, which provides converged voice and data solutions. “It’s a really good fit.”
Furthermore, many of those organizations use products such as Microsoft Identity Integration Server and the Active Directory directory service to manage security. “That makes Microsoft Speech Server 2004 a logical choice because of its ability to easily integrate with the existing security infrastructures via .NET,” says Stolt.
Abundant Opportunities for Partners
The business case is equally clear for industry partners who develop solutions that take advantage of the growing installed base of .NET infrastructure, including ASP.NET — a Microsoft server-side Web technology used to create Web pages and Web services that is an integral part of Microsoft .NET. “It makes good sense,” Segura says.
Many more partner opportunities stem from the fact that Microsoft Speech Server 2004 builds upon the work of the open industry standard SALT specification. SALT is the only unified standard that addresses both telephony and multimodal access to information, applications and Web services from PCs, telephones, Tablet PCs and wireless personal digital assistants (PDAs). In multimodal applications, SALT enables speech input either as a standalone event or jointly with other interface options — such as speaking while pointing to the screen with a stylus, or using a keyboard, keypad or mouse.
For partners developing solutions on Microsoft Speech Server, the SALT technology is a big plus. “SALT has call control tags built in, which allows us to create a solution using a single markup language instead of getting bogged down with multiple markup languages,” Coblentz says.
The potential benefits to developers as the industry shifts toward a standards-based approach to developing speech-enabled applications include increased application portability, speech vendor interoperability and developer productivity. It’s also an environment that developers expect will offer greater support for development of multimodal applications — another plus for developers. “The Microsoft Speech Server offers a greater potential as a growth technology, particularly in terms of multimodality,” Coblentz says.
For Microsoft partners, password resets represent one of many opportunities. “This is only the beginning,” Kuperstein says of Metaphor Solution’s packaged password-reset application. “We have 21 more application packages to go that can be quickly added by the enterprise on the same speech platform.”
But the password-reset solution is a good place to start: “Password reset solutions are quite horizontal by nature,” says Coblentz. “Virtually all environments which employ a user ID/password login mechanism are suitable for this solution.”
Microsoft Speech Server 2004, part of the Windows Server System family of products, is available in Standard and Enterprise editions.
Intervoice Omvia Identifier
The Omvia Identifier is an advanced packaged speech application that employs state-of-the-art voice technologies to handle the process of resetting end-users passwords and personal identification numbers in an engaging yet efficient manner. Omvia Identifier creates an efficient, cost-effective way to meet the needs of clients who lose, forget or need to change their password or personal identification number. This ready-to-use software solution provides complete reset functionality, including caller log-in and identification, authentication, a flexible range of password reset options. Omvia Identifier also provides a voice user interface that can be easily customized to meet any industry or service requirement. Using this application, resets can be managed using numeric or voice inputs, with voice- or question-based verification, and integrated with Web-based applications or related databases. For more information contact: (972) 454-8000, Web: www.intervoice.com
To experience the Intervoice PIN and password reset demo, call: (866) TRY-INTV. Say “Voice Express.” Say “Omvia Identifier” and follow the prompts.
Metaphor Solutions Password Reset Application
The Password Reset speech application, by Metaphor Solutions, resets a user’s current password with a new password over the phone. When the application is first deployed, each user provides personal identification and authentication parameters in a secure enrollment process. Later, when users call the application, they are identified by their registered personal phone number and are authenticated by saying the right answers to personal questions posed by the virtual agent. Application features include easy integration into Microsoft network environments and Windows or Web-based enrollment of identification and authentication parameters. The application can be easily extended to include authentication using voice biometrics as well as extended to work in languages other than English. For more information contact Metaphor Solutions at: (866) 443-6040 and just say “sales,” Email: firstname.lastname@example.org , Web: http://metaphorsol.com
To experience the Metaphor Solutions Reset Speech Application demo, call (866) 209-2142. Say “1-2-3-4.” Say “Smith.”
Gold Systems Password Reset Solution
Gold Systems’ Password Reset is a voice-driven solution that automates the tedious and time-consuming process of resetting system passwords without tying up IT Staff. Both local and remote users can quickly and easily reset passwords with a simple phone call. Password Reset supports the full password reset lifecycle, beginning with enrollment and continuing through authentication, execution of the reset, confirmation and reporting. Perhaps most important, Gold Systems understands that giving the wrong person access to your proprietary systems could be devastating, so Password Reset is based on a comprehensive threat model. For added security, a speaker verification option is also available. Password Reset runs on Microsoft Speech Server 2004 and supports integration with Active Directory and other data sources. Customers may also engage Gold Systems for customization. For more information contact: (800) 988-7798 and ask for “Sales,” Email: email@example.com , Web: www.goldsys.com
SOFTEL’s Voice Activated PIN Reset Application
SOFTEL’s speech recognition application automates password resetting — freeing agents from this time-consuming burden and enabling them to focus on more critical challenges. The cost for password resets becomes no more than the cost of a telephone call. SOFTEL’s PIN Reset Application allows users to reset passwords from any telephone, anywhere at anytime; improves individual contact center agent productivity; performs as an agent-like service — without the associated costs; reduces user dependence on help desk resources; and accommodates emerging technologies; permits flexible implementation because of its modular design; includes customizable levels of security; and has full interoperability with SOFTEL’s suite of self-service applications. For more information contact: (877) 4-SOFTEL, firstname.lastname@example.org , Web: www.softel.com