Forgot a password? Fix it yourself

Self-service identity management platform reduces help desk calls

With about 125 of its 600 employees spread acrross different time zones in the United States, computer password problems and lockouts were a common occurrences for the Treasury Department's Alcohol and Tobacco Tax and Trade Bureau.

'We don't run a 24-hour-a-day, seven-day-a-week help desk; we're open 7 a.m. to 8 p.m. Eastern Time,' said Mike Borland, assistant CIO of infrastructure for the bureau, also known as TTB. 'If you missed that window, you were basically out of luck until the next day if you locked yourself out of the network.'

To address this problem, bureau officials signed a contract with Avatier Corp. of San Ramon, Calif., for its suite of identity and access management tools.

The bureau started off with an Avatier Identity Management Server (AIMS) component called Password Station. Essentially, the software allows for self-service password management, said Nelson Cicchitto, Avatier chief executive officer.

Automatic access

'If a person forgets her password, instead of calling the help desk to have it reset by a human, she can reset it herself automatically and securely,' he said.

The tool is accessed via a Web browser and relies on a series of questions to verify users' identities when resetting their passwords.

When users register, they are asked several questions: What's your favorite food? What's the name of your favorite grade school teacher? Their answers are used for verification.

Password Station can reset and synchronize passwords across multiple applications and platforms. For example, it integrates with an AS400 mainframe system as well as Oracle and PeopleSoft applications.

The Avatier software resides on a Web server, and a Web client is installed on each client PC, said Kamran Khayami, a TTB network engineer who helped in the installation and integration of the tool.

Additional tools

Four other AIMS tools focus on other aspects of password administration:
  • Password Bouncer enforces password policy throughout an organization, preventing users from selecting easily cracked passwords, such as their kids' names.

  • Account Terminator lets IT staff in one action disable or delete employee accounts across multiple platforms by using an administrative Web browser that also provides a complete audit trail.

  • Account Creator lets an IT administrator create access accounts across multiple platforms and applications. It also enforces unique naming and password conventions and automates mailbox creation.

  • Account Requester, which is still in development, would let a user request access to, for example, data from the organization's accounting department. The tool goes out and finds the manager of that department, and requires approval from that person before granting access.

'It can also enable workflow processes such as ordering business cards or badges,' Cicchitto said of Account Requester.

For TTB, the real test of Avatier's tools was whether they could reduce help desk calls and solve users' problems when the help desk staff was unavailable.

In a recent month, Avatier handled 298 password-related issues, Cicchitto said. Of those, 172 were password resets that would have otherwise required help desk calls. Considering TTB employs 600 people, that's significant help desk avoidance for a single month.

The rest of the Avatier requests were regular password updates; TTB users must change passwords every 90 days.

Better network security

Because identity verification through the AIMS tool is regimented more strictly than it might be in a human-to-human phone call, Password Station also makes the network more secure, Cicchitto said.

'Obviously, passwords are what control access to all your critical applications and data, so the big benefit is that we can control when the password is being reset and by whom,' Cicchitto said. 'Ultimately, it's controlling who has access to the applications and the data.'

Avatier also has a telephone interface for Password Station that can be used when users don't have access to a Web browser or the organization's network. Using a personal identification number and prompts made over the phone, users can reset their passwords so they can log on later when they have computer access.

The tool also has a voice biometrics component that uses a digital voice ID to verify user identity.

AIMS runs on Microsoft Windows 2000 and 2003 Web servers. It uses Web services to communicate with other platforms such as mainframes or Unix machines. A secure communication layer ensures all the data is encrypted before it's moved.

'Everything is sent through as Hypertext Markup Language and as a Microsoft Excel spreadsheet to the ad-ministrators, letting them know how many password resets and account lockouts were avoided,' Cicchitto said.

TTB officials said the installation was straightforward.

'Customization and getting the phone piece working were probably the only parts we needed Avatier to help us with,' Khayami said.

AIMS benefits

For officials at TTB, installing AIMS has brought daily benefits to the organization.

'I look at the help desk tickets every day, and they are dramatically reduced,' Borland said.

'On any given week, probably less than 15 percent of our calls are password reset calls,' he said. 'It's been well accepted, especially in the field. Our field auditors have really embraced this.'

Doug Beizer is a staff writer for GCN's sister publication Washington Technology.

About the Author

Doug Beizer is a staff writer for Federal Computer Week.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above