Passwords - Automated Reset, Anyone? How about Microsoft's Kokanee?
Lost passwords are a chronic source of aggravation for network administrators. Single sign-on is only a partial solution. Instead, some organizations are turning to the surprising alternative of automated password reset, often using voice verification for user authentication. This trend looks likely to increase as Microsoft gets into the act with its .NET speech server, now in beta 2 under the code name Kokanee.
GMAC Commercial Mortgage and Union Pacific Railroad are two enterprises that have already implemented voice-enabled password reset systems, according to attendees at this week's SpeechTek show in New York City. Organizations in this category that were mentioned, but not named, included a big insurance company and a major US bank.
"Before we went to automated password reset, our IT department was getting about 300 phone calls a day from users who'd lost or forgotten their passwords," said Tom Gimpel, chief software architect, Global CIT Strategy, for GMAC Commercial Mortgage.
Giving out passwords to 'Mr. NT Administrator'
"Meanwhile, a lot of our end users didn't like giving out their passwords to 'Mr. NT Administrator,' anyway," Gimpel added.
Problems can increase dramatically when a user has multiple passwords or PINs, suggested Dr. Judith Markowitz, president of J. Markowitz Consultants. A BioTrust 2000 study showed that 80 percent of users with two or more passwords had lost at least one password over the past year. Over 50 percent of these users had lost or forgotten a password twice or more.
In enterprise situations, users often hold multiple passwords for various accounts. Single sign-on can help by reducing the number of passwords to one. At the same time, however, single sign-on can also be an expensive endeavor, calling for major changes to underlying infrastructure, experts say.
Some big enterprises already going automatic
In contrast, the emerging password reset systems at GMAC, Union Pacific and other organizations add telephony front ends to existing back-end data systems, according to proponents.
One division of "a large insurance company," for instance, has integrated password reset through voice verification with Netegrity Siteminder, for authentication, Remedy Action Request, for issuing trouble tickets, and LDAP directory, said Chuck Buffum, president and CEO of Vocent Solutions.
Also, a "large US bank" is trialing an application in which password reset is integrated with BMC Control/SA and Oracle. "This will lead to deployment with external customers, if successful," according to Buffum. "Password reset is a good first step."
"Password reset is a natural, because it utilizes back-end systems you already have," contended GMAC's Gimpel.
GMAC's first automated password system used IVR, rather than voice verification. Studies indicate, too, however, that about 30 percent of end users will hang up when asked by an IVR system to type in their PINs, attendees at SpeechTek were told.
In voice verification systems, end users are authenticated when their spoken utterances and matched to biometric voiceprints. The voiceprints can be stored either on a server or on smartcards.
In addition to a password reset system for 60,000 users, Union Pacific has also deployed a smaller voice system that "verifies callers before releasing rail calls," said Kevin Farrell, director of speaker verification development at SpeechSecure.
Meanwhile, GMAC has expanded upon password reset with a number of other voice-enabled applications. One of these applications allows some employees to report their hours over the phone, Gimpel said. GMAC is reselling some of its voice applications, as well.
The down sides
At this point, though, many administrators are still seeing a lot of down sides to voice verification.
Troy Koehn, director of systems engineering at West Corporation, said he is concerned over accuracy rates - expressed as both "false negatives" and "false positives" - as well as issues of user resistance and where to store "voluminous voiceprint files."
Vendors argued that accuracy is getting much better. The "large US bank," for example, has experienced a false rejection rate of less than 1% and a false acceptance rate of less than 0.2%, according to Buffum.
Many at the conference, though, advised using another form of authentication in conjunction with voice verification. Users might be asked to speak their mother's maiden name, or to utter the answer to a secret question, simultaneously combining "something they are" (a voiceprint) with "something they know."
Gimpel acknowledged that voice verification systems can be costly, too. Typically companies still must hire developers who are familiar with telephony programming languages, and people like this can be hard to find.
Microsoft's Kokanee a future driver?
Gimpel also predicted, though, that voice-enabled data applications will come to the fore after Microsoft comes out with its upcoming .NET speech server. GMAC is an early user under Microsoft's Kokanee beta program.
Dr. XD Huang, general manager of Microsoft's .NET Speech Technologies Group, said that Kokanee encompasses the speech server, along with a Microsoft developers' toolkit and a set of "lightweight extensions" for both Internet Explorer and PocketPC. Microsoft has been handing out Kokanee software this week to developers at the SpeechTek show.