Password Management for ISP Subscribers
Abstract
Internet Service Providers face a significant support cost due to users who forget their network connection or e-mail password.
As ISPs scale to hundreds of thousands and millions of end customers, the cost to support repetitive problems such as password resets rises to significant levels, reaching millions of dollars annually. Given the significant cost, it is advantageous to invest in automation to eliminate recurring user support problems. Password reset is often the most common problem, and is arguably the easiest problem to address with self-service technologies.
Introduction
Internet Service Providers face a significant support cost due to users who forget their network connection or e-mail password.
As ISPs scale to hundreds of thousands and millions of end customers, the cost to support repetitive problems such as password resets rises to significant levels, reaching millions of dollars annually.
Given the significant cost, it is advantageous to invest in automation to eliminate recurring user support problems. Password reset is often the most common problem, and is arguably the easiest problem to address with self-service technologies.
The remainder of this paper is organized as follows:
- Password reset as a recurrent support call
Background describing why password resets are a significant cost problem for large ISPs.
- The P-Synch® password management system
A general description of the P-Synch password management system.
- Using P-Synch to reduce ISP call volume
A specific description of how P-Synch is relevant to customer support in a large ISP.
- Deployment challenges and design choices
Specific design and deployment problems raised in an ISP environment, with many users, large support volume, and little or no opportunity for user training.
- Architecture, scalability and integration
A network architecture to leverage P-Synch for password management in an ISP environment.
- Projected ROI
A cost recovery model for effective password management in an ISP environment.
- Conclusions
Summary of the above discussion, and a call to action: deploy password management quickly in order to recoup maximum value.
Password reset as a recurrent support call
The problem
Consolidation in the ISP business is producing ISPs with large user populations -- ranging from hundreds of thousands to millions.
When ISP subscribers experience technical problems, they either access a subscriber service web site or call a support line. Problems that disrupt Internet access are clearly not amenable to resolution with a self-service site, and so drive support call volume.
One recurring problem that causes connectivity problems is a forgotten or mistyped password. Users who must type a current password to connect to the network may forget their password, and consequently be unable to connect. These users invariably call for service.
Even if password problems are relatively infrequent for a single user (e.g., occurring annually or even less often), as the user population scales the cost becomes significant. For example, an ISP help desk that resolves 30,000 password problem calls monthly, and where such calls only cost $10 to resolve, will incur a total annual charge of $3,600,000 to service this problem.
Types of passwords
ISP subscribers generally have at least two types of passwords:
- Network connection passwords, used by dial-up, PPPoE and other client connectivity software to attach to the network.
- E-mail and other application passwords.
A single subscriber will often have multiple e-mail accounts attached to a single network access account.
Connection passwords are problematic because their impact is to prevent a user from connecting to the network. Users who forgot their connection passwords cannot access the ISP web site, and so cannot use a web-based self-service password reset system.
E-mail and other application passwords are easier to manage because users can access a self-service web application to address problems with them.
Initial vs. ongoing problems
Subscribers may have password problems during their initial network connection setup, or thereafter.
If the problem is during initial setup, no assumptions can be made about the configuration of the subscriber's workstation or about any agents installed on that computer.
If the problem occurs subsequent to initial, successful setup, then client software may have been made available on the subscriber's computer, and may be used to assist in an automated problem resolution process.
Cost model
(1) The cost of password problems can be calculated using the following variables:
| Variable | Units | Description |
| Pinitial | Number/month | Number of password problems per month that take place during initial subscriber setup. |
| Pongoing | Number/month | Number of password problems per month that affect already-setup subscribers. |
| Cinitial | $/problem | Cost of initial-setup password problems. |
| Congoing | $/problem | Cost of password problems affecting already-setup subscribers. |
| Cannual | $/year | Total cost of password problems per year. |
Cannual = 12 x ( Pinitial x Cinitial + Pongoing x Congoing )
For instance, consider an example ISP where:
| Variable | Value |
| Pinitial | 20000/month |
| Pongoing | 10000/month |
| Cinitial | $20 |
| Congoing | $10 |
Cannual = 12 x ( 20000 x 20 + 10000 x 10 ) = $6,000,000/year
The P-Synch password management system
P-Synch is the industry's leading password management solution. P-Synch helps organizations manage passwords and other forms of authentication more effectively to reduce IT support costs, increase productivity and enhance corporate security. P-Synch features include password synchronization, self-service reset, token management, biometric enrollment, certificate management and more.
P-Synch reduces the cost of password management using:
- Password synchronization, which reduces the incidence of password problems for users
- Self-service password reset, which empowers users to resolve their own problems rather than calling the help desk
- Streamlined help desk password reset, to expedite resolution of password problem calls
P-Synch strengthens security by providing:
- A strong, enterprise-wide password policy enforcement facility
- Effective user authentication, especially for self-service and assisted password resets
- Password synchronization, to help users remember, rather than write down, their passwords
- The ability to securely delegate the right to reset passwords to front-line support staff
- Accountability for password resets
- Encryption of all transmitted passwords
To find out more about P-Synch, visit http://P-Synch.com.
Using P-Synch to reduce ISP call volume
P-Synch can be used to reduce the volume of password problem calls that reach an ISP's support desk as follows:
- Initial problems:
- Self-service password reset with a telephone
When users dial the ISP's help desk line, the automated call director (ACD) system can drive their calls to a self-service password reset system.
This system can prompt users to key in personal information, such as their account number, telephone number and any other personal identification that they provided when they first signed up for their account.
Callers key in answers to these questions using a touch-tone telephone. Once authenticated, users are asked to confirm that they want a new password, and when they confirm, a random password is generated and read out to them. Users confirm that they have heard and either entered or written down their new password. Once confirmed, the new password is applied to the user's account (and in particular to the connection authentication system).
- Ongoing problems:
- Password synchronization
Users can be periodically prompted, by e-mail, to change their passwords. Users who get this e-mail can click on a URL embedded in their e-mail to do so. P-Synch presents users with a web GUI, where they authenticate with their current ID and password, and select a new password.
New passwords can be applied to multiple IDs attached to the same subscriber's profile. Typically, the main subscriber would change both the connection and his/her own e-mail password, while subsidiary subscribers would only be able to change their own e-mail password.
The ability to set multiple passwords to a single value is synchronization. Users who manage their multiple passwords in a routine, managed fashion tend to have fewer problems, and generate fewer calls.
- Self-service password reset with a telephone
The same process described above can be used to help already-setup users who forgot their connection password to reset it from any telephone.
- Self-service password reset with a web browser
Users who only forgot an e-mail password, and are already connected, can authenticate to the service either with their current password or with some non-password data, and can reset their own e-mail password.
Users who have connected to the Internet, either directly or using a different computer (work, neighbor, etc.) can reset both connection and e-mail passwords after providing suitable non-password authentication.
The P-Synch service can enforce password policies over new passwords. It supports rules for length, composition, history, dictionary words, etc.
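The four rule families named above (length, composition, history, dictionary) can be sketched as follows. This is an added example, not P-Synch code: the thresholds, the word list and every function name are assumptions, and the history keeps salted hashes so that old passwords are never stored in the clear.

```python
import hashlib
import hmac
import secrets

MIN_LENGTH = 8       # assumption: example thresholds, not product defaults
HISTORY_DEPTH = 4
DICTIONARY = {"password", "internet", "welcome", "letmein"}  # constructed sample

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class PasswordHistory:
    """Remembers the last HISTORY_DEPTH passwords as salted hashes only."""
    def __init__(self):
        self.entries = []  # (salt, digest) pairs, newest last

    def contains(self, password):
        return any(hmac.compare_digest(d, _hash(password, s)) for s, d in self.entries)

    def remember(self, password):
        salt = secrets.token_bytes(16)
        self.entries.append((salt, _hash(password, salt)))
        del self.entries[:-HISTORY_DEPTH]  # drop anything older than the window

def violations(password, login_id, history):
    """Return the names of the rules the candidate password breaks."""
    found = []
    if len(password) < MIN_LENGTH:
        found.append("length")
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        found.append("composition")
    # Strip digits and punctuation so "Password1" is still caught as a dictionary word.
    letters = "".join(c for c in password.lower() if c.isalpha())
    if letters in DICTIONARY or (login_id and login_id.lower() in password.lower()):
        found.append("dictionary")
    if history.contains(password):
        found.append("history")
    return found

def change_password(password, login_id, history):
    found = violations(password, login_id, history)
    if not found:
        history.remember(password)  # only accepted passwords enter the history
    return found
```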
Users who forget their password, and wish to perform a self-service password reset, must provide some non-password authentication. This normally means that they must answer a sequence of personal or secret questions.
Data for non-password user authentication may be collected by P-Synch itself, or accessed on existing systems (e.g., subscriber billing system, subscriber account setup database, etc.). Where P-Synch is set up to collect new or supplementary authentication data, it generally prompts users to register by e-mail, and users respond by clicking on a URL embedded in their e-mail; entering their login ID and current password; and filling in blank answers on a Q&A form.
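The telephone reset sequence described above (key in personal data, confirm the request, hear a random password, confirm it was heard, then apply it) can be modelled as below. This is an added example, not P-Synch code: the class, the function names, the three-attempt lockout and the read-aloud alphabet are assumptions, and the subscriber data is constructed.

```python
import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 3  # assumption: lock the account after three failed calls
# Assumption: characters that are hard to confuse when read aloud (no 0/o, 1/l/i).
SPOKEN_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"

def _digest(salt, answer):
    # Normalize keyed-in input, then stretch it so answers are not stored in the clear.
    norm = "".join(answer.split()).lower()
    return hashlib.pbkdf2_hmac("sha256", norm.encode(), salt, 100_000)

class Subscriber:
    def __init__(self, account, answers):
        self.account = account
        self.salt = secrets.token_bytes(16)
        self.answers = {q: _digest(self.salt, a) for q, a in answers.items()}
        self.failed = 0
        self.password = None  # stand-in for the connection authentication system
        self.audit = []       # accountability trail for every attempt

def authenticate(sub, keyed):
    if sub.failed >= MAX_ATTEMPTS:
        sub.audit.append("locked")
        return False
    ok = True
    for question, stored in sub.answers.items():
        # Check every answer in constant time; never reveal which one was wrong.
        given = _digest(sub.salt, keyed.get(question, ""))
        ok = hmac.compare_digest(stored, given) and ok
    sub.failed = 0 if ok else sub.failed + 1
    sub.audit.append("auth-ok" if ok else "auth-fail")
    return ok

def generate_password(length=10):
    return "".join(secrets.choice(SPOKEN_ALPHABET) for _ in range(length))

def reset_by_phone(sub, keyed, wants_reset, heard_password):
    """Return the new password if it was applied, otherwise None."""
    if not authenticate(sub, keyed) or not wants_reset:
        return None
    new_password = generate_password()  # read out to the caller at this point
    if not heard_password:
        sub.audit.append("reset-abandoned")  # old password stays in force
        return None
    sub.password = new_password
    sub.audit.append("reset-applied")
    return new_password

if __name__ == "__main__":
    # Constructed sample subscriber and keyed-in answers.
    sub = Subscriber("A100", {"account_number": "4471 2290", "phone": "5551230000"})
    keyed = {"account_number": "44712290", "phone": "5551230000"}
    print(reset_by_phone(sub, keyed, wants_reset=True, heard_password=True))
    print(sub.audit)
```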
Deployment challenges and design choices
Providing password management in general, and self-service password reset in particular, is challenging in an ISP environment:
Scalability
A population of hundreds of thousands of users will generate tens of thousands of password resets per month. These problems normally occur during "prime time" for residential subscribers -- a 4 hour/day block in the evenings.
Consider an ISP that generates 30,000 password problems/month. Assume that half of these problems happen during a four hour peak period, on weekdays:
RATEpeak = ( 30000 x 1/2 ) / ( 4 x 5 x 4 ) = 187/hour.
From this analysis, it is clear that a password management system must be able to handle at least hundreds, and perhaps thousands of subscriber login sessions per hour.
A password management system deployed by an ISP must also support at least hundreds of thousands of users, each of whom may have multiple login IDs on multiple managed systems (connection, e-mail, etc.).
Connectivity
Users who experience a password problem while not connected must either get service on a telephone or must use client software that automatically connects to the network with some special access, resolves the user's problem, and disconnects.
The diversity of subscriber workstation types (Windows 9x, Windows NT, Windows 2000, Windows XP, MacOS, Linux, etc.), combined with the many types of dial-up software (built-in RAS, PPPoE dialers, etc.), makes the implementation of a dial-fix-and-hangup client program very difficult.
A client-side dialer may be difficult to deploy, but client-side and possibly personalized instructions are appropriate. It is not unreasonable for software installed on the client to include instructions about:
- How to identify a password problem, as opposed to a different connectivity problem. (e.g., symptoms, screen shots, explanations, etc.)
- How to resolve e-mail password problems on-line (including a URL to the system, ideally with the client ID already embedded).
- How to resolve dial-up or broadband connection/authentication password problems using a telephone (including phone number to dial, digits the user must press to navigate through the system, digits the user must press to identify himself, etc.).
These instructions may be personalized at installation time to refer to the subscriber's local support dial-up number, the subscriber's personal account number, etc.
User education
Any self-service problem resolution system targeted at a consumer population must be tolerant of subscribers who are not very computer literate. Consumer-oriented systems do not have the luxury of roll-out with a user education program.
As a result, a password management system for consumers should be extremely easy to use, intuitive, and require little or no explanation.
Integration
A password management system deployed at an ISP must obviously manage passwords on the ISP's authentication infrastructure. This typically means LDAP directories and RADIUS services from various vendors.
Architecture, scalability and integration
Scalability
(2) P-Synch has been deployed by very large corporations. Some anecdotal examples of large scalability include:
- Organizations with over 250,000 P-Synch users managing passwords on a single P-Synch instance, load balanced between just two servers.
- Users distributed over six continents.
- A single P-Synch instance, running on a single server, managing passwords on over 500 password systems.
- A customer who deployed 20 P-Synch servers, with real-time data replication between them, to allow users to access the system even in the face of network outages.
The P-Synch architectural features that support scalability include:
- The ability to install multiple instances per server.
- The ability of instances to span multiple servers, where each server in a group is functionally identical; supporting the same users, systems and features.
- A built-in, high-performance identity cache, which includes server-to-server data replication in real time.
This engine has been benchmarked at millions of record updates per second on Windows/Intel servers. The database uses standard, open-format files (xBase/DBF) to ensure compatibility with existing reporting and analytical tools.
- Built-in services to monitor server health and dynamically update DNS records; for example to remove a malfunctioning server from load balancing rotation.
In addition, P-Synch incorporates many features that, while not directly performance-related, are required by large organizations:
- The ability to operate across firewalls: between the user and P-Synch, as well as between P-Synch and managed systems.
- Inclusion of a proxy service, which allows a P-Synch server in one location to manage passwords elsewhere, across slow and/or insecure WANs.
- Support for multiple user interfaces and UI languages per server instance.
- Auto-discovery of user IDs on managed systems, to eliminate ongoing manual administration and to minimize initial setup effort.
- The ability to support self-service password reset for users who forgot their initial NOS login password without having to deploy desktop software (secure kiosk account).
- Support for 21 user interface languages.
Proposed architecture
Following is a network architecture diagram for deployment of P-Synch in an ISP environment:
In the diagram:
- There are multiple, redundant, replicating and load-balancing P-Synch servers.
- An ACD directs incoming calls to one or more IVR servers which service password reset problems. The IVR servers present a voice interface, but otherwise access user authentication and password reset functions through P-Synch.
- P-Synch manages passwords on one or more target systems, which are most likely running vendor RADIUS implementations.
- P-Synch accesses authentication data about users on existing billing and subscriber information databases or directories.
- P-Synch can write open or closed tickets to a problem management system, as appropriate.
Integration with RADIUS servers
P-Synch can manage passwords on many types of systems, including:
- Unix passwords, in passwd, shadow, NIS, NIS+ or Kerberos formats.
- Passwords on any standards-compliant LDAP directory (Sun/iPlanet, Novell/eDirectory, IBM/Tivoli, OpenLDAP, Critical Path, etc.).
- Passwords on Windows NT or Windows 2000 AD domains.
- Connect passwords to databases such as Oracle.
- Passwords maintained in an application table on a DBMS such as Oracle.
Projected ROI
(3)
Cost recovery model
The return on investment (ROI) for an ISP deploying P-Synch is entirely due to call redirection and avoidance. In turn, these figures depend heavily on user adoption rates.
Extending the cost model in (1), we define two new variables to model user adoption rates:
| Variable | Units | Description |
| Ainitial | fraction | User adoption rate for self-service problem resolution on initial / setup problems. |
| Aongoing | fraction | User adoption rate for self-service problem resolution for already-setup subscribers. |
| Sannual | $/year | Projected annual cost savings. |
Sannual = 12 x ( Ainitial x Pinitial x Cinitial + Aongoing x Pongoing x Congoing )
Extending the example from (1), using very conservative user adoption rates:
| Variable | Value |
| Ainitial | 25% |
| Aongoing | 35% |
Sannual = 12 x ( 0.25 x 20000 x 20 + 0.35 x 10000 x 10 ) = $1,620,000/year
Clearly, this is a significant cost savings.
As user adoption rates escalate, cost savings increase. Continuing with the same examples, if user adoption rates can be increased:
| Variable | Value |
| Ainitial | 40% |
| Aongoing | 75% |
Sannual = 12 x ( 0.40 x 20000 x 20 + 0.75 x 10000 x 10 ) = $2,820,000/year
Rapid deployment: buy vs. build
As illustrated in both (1) and (3), the problem of password resets is a costly one for ISPs.
Cost savings from a password reset system are substantial -- in our example of an ISP that fields 30,000 password problems per month, cost savings range from $1.6M/year to $2.8M/year, based on user adoption rates.
Given the rate of cost recovery, it makes sense to deploy a solution very quickly. In particular, once the decision to automate password problem resolution is made, every month of waiting time until the solution is deployed costs from $130k to $230k.
This rapid ROI is a strong motivation to purchase a pre-built solution, which can be deployed quickly (2-3 months), rather than developing a custom solution, which may take 6-18 months. The ROI lost during development of a program to compete with a commercial solution would more than offset the cost of the commercial product.
Conclusions
Password reset problems are a costly, recurring problem at most I.T. help desks, including customer support lines in an ISP.
Password reset problems are relatively simple to resolve using automation, where a user either dials into an IVR server with a telephone or accesses a self-service web site; identifies himself; authenticates himself; and resets his own passwords.
P-Synch is a mature password management system, which can scale to address the challenging technical and usability requirements of a large ISP.
Deployment of P-Synch in a large ISP with several hundreds of thousands of subscribers can yield cost savings on the order of $1M to $3M/year.
The bottom line is that effective password management technology can be deployed very quickly (2-3 months), and yield significant cost savings to an ISP, with time-to-ROI measured in months.







