Lost passwords are a chronic source of aggravation for network
administrators. Single sign-on is only a partial solution. Instead, some
organizations are turning to the surprising alternative of automated
password reset, often using voice verification for user authentication.
This trend looks likely to increase as Microsoft gets into the act with its
.NET speech server, now in beta 2 under the code name Kokanee.
GMAC Commercial Mortgage and Union Pacific Railroad are two enterprises
that have already implemented voice-enabled password reset systems,
according to attendees at this week’s SpeechTek show in New York City.
Organizations in this category that were mentioned, but not named, included
a big insurance company and a major US bank.
“Before we went to automated password reset, our IT department was getting
about 300 phone calls a day from users who’d lost or forgotten their
passwords,” said Tom Gimpel, chief software architect, Global CIT Strategy,
for GMAC Commercial Mortgage.
Giving out passwords to ‘Mr. NT Administrator’
“Meanwhile, a lot of our end users didn’t like giving out their passwords
to ‘Mr. NT Administrator,’ anyway,” Gimpel added.
Problems can increase dramatically when a user has multiple passwords or
PINs, suggested Dr. Judith Markowitz, president of J. Markowitz
Consultants. A BioTrust 2000 study showed that 80 percent of users with two
or more passwords had lost at least one password over the past year. Over
50 percent of these users had lost or forgotten a password twice or more.
In enterprise situations, users often hold multiple passwords for various
accounts. Single sign-on can help by reducing the number of passwords to
one. At the same time, however, single sign-on can also be an expensive
endeavor, calling for major changes to underlying infrastructure, experts
Some big enterprises already going automatic
In contrast, the emerging password reset systems at GMAC, Union Pacific and
other organizations add telephony front ends to existing back-end data
systems, according to proponents.
One division of “a large insurance company,” for instance, has integrated
password reset through voice verification with Netegrity Siteminder, for
authentication, Remedy Action Request, for issuing trouble tickets, and
LDAP directory, said Chuck Buffum, president and CEO of Vocent Solutions.
Also, a “large US bank” is trialing an application in which password reset
is integrated with BMC Control/SA and Oracle. “This will lead to deployment
with external customers, if successful,” according to Buffum. “Password
reset is a good first step.”
“Password reset is a natural, because it utilizes back-end systems you
already have,” contended GMAC’s Gimpel.
GMAC’s first automated password system used IVR, rather than voice
verification. Studies indicate, too, however, that about 30 percent of end
users will hang up when asked by an IVR system to type in their PINs,
attendees at SpeechTek were told.
In voice verification systems, end users are authenticated when their
spoken utterances and matched to biometric voiceprints. The voiceprints can
be stored either on a server or on smartcards.
In addition to a password reset system for 60,000 users, Union Pacific has
also deployed a smaller voice system that “verifies callers before
releasing rail calls,” said Kevin Farrell, director of speaker verification
development at SpeechSecure.
Meanwhile, GMAC has expanded upon password reset with a number of other
voice-enabled applications. One of these applications allows some employees
to report their hours over the phone, Gimpel said. GMAC is reselling some
of its voice applications, as well.
The down sides
At this point, though, many administrators are still seeing a lot of down
sides to voice verification.
Troy Koehn, director of systems engineering at West Corporation, said he is
concerned over accuracy rates – expressed as both “false negatives” and
“false positives” – as well as issues of user resistance and where to store
“voluminous voiceprint files.”
Vendors argued that accuracy is getting much better. The “large US bank,”
for example, has experienced a false rejection rate of less than 1% and a
false acceptance rate of less than 0.2%, according to Buffum.
Many at the conference, though, advised using another form of
authentication in conjunction with voice verification. Users might be asked
to speak their mother’s maiden name, or to utter the answer to a secret
question, simultaneously combining “something they are” (a voiceprint) with
“something they know.”
Gimpel acknowledged that voice verification systems can be costly, too.
Typically companies still must hire developers who are familiar with
telephony programming languages, and people like this can be hard to find.
Microsoft’s Kokanee a future driver?
Gimpel also predicted, though, that voice-enabled data applications will
come to the fore after Microsoft comes out with its upcoming .NET speech
server. GMAC is an early user under Microsoft’s Kokanee beta program.
Dr. XD Huang, general manager of Microsoft’s .NET Speech Technologies
Group, said that Kokanee encompasses the speech server, along with a
Microsoft developers’ toolkit and a set of “lightweight extensions” for
both Internet Explorer and PocketPC. Microsoft has been handing out Kokanee
software this week to developers at the SpeechTek show.