iBiometrics Library

Password Reset Application - Industry Overview   

 

The Password Reset Application is a popular telephony application which may use speech recognition and/or speaker recognition (voice biometrics).  The main function of the password reset application is to automate the helpdesk password reset capability, typically within an enterprise.  This automation is welcomed by users and saves money for the organization that is financially responsible for performing the function.

 

The current landscape of password reset applications includes the following:

  • A speech recognition only implementation where a series of automated questions and correct responses are pre-registered, typically via a web-based application, prior to a password reset.  A user calls in to a designated number to reset a password, identifies themselves with an ID, answers several questions and receives a temporary password.  Users log into the application using the temporary password and are prompted for a new password.
  • A speaker recognition implementation which prompts the user for either a series of numbers, one or more passwords or pass phrases that they have previously enrolled via a telephone.  A user calls in to a designated number to reset a password, identifies themselves with an ID, verifies their voice when prompted and receives a temporary password.  Users log into the application using the temporary password and are prompted for a new password.
  • A web based system with call-back capability whereby the user has previously registered and enrolled their voice.  A user requests a password reset via the web, identifies themselves with an ID, and relays an authorized phone number.  The web-based system initiates a telephone call to the user, verifies the user's voice via prompts using speaker recognition and issues a temporary password.
  • Various combinations of the above implementations exist.  For example, a user may need to verify their voice and answer pre-registered questions.
 
Many implementations of this application are standalone.  They generate ‘secure temporary passwords’ or utilize existing backend password reset systems which may be cross-application or cross-channel.  The password reset application is offered as an on-premise solution or as a service.

Some password reset application implementations are offered as an option to a larger offering.  One example is an implementation which offers speaker recognition password reset as part of an enterprise-wide identity management and Single Sign-On (SSO) solution.  A second example is a human resource system that handles employees’ password resets and remote attendance logging.

Speaker Recognition and Channel Security Techniques

Password Reset applications can prompt for pre-registered questions or pass phrases in random order, which prevents a simple playback (replay) attack on the voice channel.  The systems available over the past five years or more appear to utilize text dependent and optionally text prompted speaker verification (see speaker recognition fundamentals).

The password reset application can relay the temporary password via a text-to-speech engine over the active voice channel or send it over a secure email channel.
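The randomized text-prompted challenge and the temporary password issuance described above, as an added example that is not part of the original page or any vendor's product. The enrolment data is constructed, and the speaker verification engine's per-utterance accept/reject decisions are passed in as simulated booleans; the phrase text stands in for the voice model a real engine would hold.

```python
import math
import secrets
import string
import time
from dataclasses import dataclass

# Constructed enrolment data: phrase text stands in for the voice model
# a real SIV engine would hold (the engine itself is out of scope here).
ENROLLED = {
    "u1001": ["red brick house", "seven blue sailboats",
              "tall maple tree", "quiet river bend"],
}


@dataclass
class Session:
    user_id: str
    challenge: list   # phrases to prompt, in the randomised order issued
    issued_at: float
    used: bool = False


def issue_challenge(user_id, k=3, rng=None):
    """Prompt for k of the user's enrolled phrases in random order."""
    rng = rng or secrets.SystemRandom()
    return Session(user_id, rng.sample(ENROLLED[user_id], k), time.time())


def verify_response(session, spoken, speaker_match, now=None, ttl=120):
    """spoken: phrases recognised from the caller, in the order spoken.
    speaker_match: per-utterance accept/reject from the SIV engine (simulated).
    Fails closed on reuse, expiry, wrong length, wrong phrase or wrong order."""
    now = time.time() if now is None else now
    if session.used or now - session.issued_at > ttl:
        return False
    session.used = True   # one shot: a retry needs a fresh challenge
    if len(spoken) != len(session.challenge):
        return False
    return all(s == c and ok
               for s, c, ok in zip(spoken, session.challenge, speaker_match))


def replay_hit_probability(n_enrolled, k_prompted):
    """Chance a recording of one earlier call matches a fresh challenge:
    it must contain the same k phrases in the same order."""
    return 1 / math.perm(n_enrolled, k_prompted)


def temporary_password(length=12):
    """One-time value relayed by TTS or secure email; user must change it."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))
```

With four enrolled phrases and three prompted per call, a recording of one earlier call matches a fresh challenge only 1 time in 24, and a larger enrolled set drives that lower.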

 
Password Reset Application - Industry Best Practices

Risk Assessment

Best Practices for all secure applications include a risk assessment of potential threats.  Fortunately, several password reset vendors have used this accepted practice.  For example, the Gold Systems web site references work done in conjunction with a third party security firm that was subsequently reviewed by Microsoft.  Their literature states that their speaker verification password reset product was built on a threat model that seeks to eliminate up to 40 known password security vulnerabilities.

In addition to industry risk assessments, each organization should do their own.  One organization may assess few risks associated with speech automation of their current password reset application.  At the other end of the spectrum, another organization with higher risk factors may decide they need more security than in the past.  This organization may choose to implement a password reset application which incorporates challenge-response speaker verification and a second authentication factor.

 

Biometrics and Speaker Recognition

There are many best practices associated with biometrics that apply across applications and organizations.  Today, documentation for biometrics best practices exists in a number of forms.  One is as part of established standards such as the X9.84 standard (see X.9 standards library link), which includes accepted procedures based on identified risks.  It goes as far as to map to ISO standard 17799.  The identified practices are a valuable foundation for other, more specific standards, guidelines and implementations.

More specific standards and guidelines for speaker recognition and associated applications still have a good amount of targeted ‘best practices’ work to do.  This effort is a work in progress.  One organization developing best practices for speaker recognition is the VoiceXML Forum (see VoiceXML biometrics organization link), which is in the process of establishing Speaker Identification and Verification (SIV) requirements.  The VoiceXML Forum, in conjunction with the W3C, is working to include SIV in the next version of VoiceXML, to be used in conjunction with the Media Resource Control Protocol (MRCP), which already supports speaker recognition.

At a very high level, voice biometrics are dynamic and naturally fit within the fabric of a speech application such as password reset.  Telephony speech applications are typically centralized and utilize large speech recognition libraries to facilitate natural language processing.  Like other biometrics, speaker recognition models need to be protected.  A best practice is to encrypt the models in the centralized database.

The generally available literature on password reset applications currently contains no information on how the voice biometric is configured and maintained.  While vendors tend to make general assertions about speaker recognition engine accuracy rates, more specific information needs to be obtained during the analysis and procurement process for each organization as it relates to their own implementation.  A best practice is to manage voice models separately for each application, such as password reset, since each application has its own set of requirements derived from an application risk assessment.

 
Security

Enterprise security, which includes policies and procedures as well as layered security, is mandatory for the protection of voice models, recordings and logs.  Secure application development, based on the Security Development Life Cycle (SDLC), is critical to speaker recognition applications.

 

This library page was last updated in January of 2007.

 

All rights reserved, 1999 - 2007. Copyright Protected