
The identity management challenge

Jun 07, 2004
Access Control | Enterprise Applications

* One organization's tale of rolling out an identity management project

I often recommend, both in this newsletter and to clients, that a full-blown identity management project ought to begin with something that’s relatively easy to implement, relatively simple to roll out and affects a large number of people in a positive way.

Self-service password reset has been the No. 1 suggestion over the past year or so. It’s easy to demonstrate a positive effect on the bottom line because it has been shown, time and time again, to dramatically reduce the number of help desk personnel you need. We aren’t talking about the elusive 0.3 or 0.5 full-time equivalent (FTE), but real full-time personnel: perhaps one for every 1,000 network users in the enterprise, and certainly one for every 5,000.

Courion CEO Chris Zannetos has also been preaching this mantra, so I quickly took him up on his offer to attend the company’s annual users’ conference last month. There I witnessed presentations by Courion customers detailing their experiences with both self-service password reset (using Courion’s PasswordCourier) and full-blown provisioning with Courion’s AccountCourier. It was an enjoyable and eye-opening experience.

The self-service presentation was put on by a large decentralized organization with 25,000 employees and 20-plus semi-autonomous sites. It was an ambitious project, which the customer approached with great care, working out all but one of the problems before rolling it out to the users. That one problem was unforeseen, and it surprised the customer’s IT team, the folks at Courion and most of the attendees watching the presentation. The problem was getting users to enroll in the system.

The system involved Web browser-based reset using challenge questions (e.g., “What was your favorite subject in school?”) as well as an interactive voice recognition system. Passwords could be reset with either one, but the users did have to enroll by choosing the challenge questions (and supplying answers) and dialing into the voice system to provide a sample voice response.

Since it’s embarrassing to call the help desk and admit you’ve forgotten your password, everyone involved thought it might take at most three weeks for everyone to find the time to enroll. Yet, after five months only three out of every four users had signed up. This after a number of e-mail reminders that began as gentle nudges and ended as full-scale nags.

The company even offered incentives, such as gift certificates, hams, movie tickets, etc., fostered competition with prizes between sites and departments, and even held “registration rallies” with pizza and music for mass enrollments. Why wouldn’t the end users take advantage of what was supposed to be a no-brainer of a project to roll out? Everyone had a theory, but they were all different. It wasn’t until a few days later that someone explained to me what the problem was.

The problem is the challenge questions, as was explained to me by the non-geek user I married 35-plus years ago. Questions that ask about some easily remembered personal information (mother’s maiden name, city born in, name of high school, favorite pet’s name, etc.) are also easily discovered by someone wishing to steal your identity. Questions and answers that are harder to hack are often also harder to remember. That means you could not only forget your password, but also the response to your challenge questions. While it might be a bit embarrassing to call the help desk and say you forgot your password, how much more embarrassing is it to say you forgot the response to the challenge? As I’ve learned and I hope you are learning, it’s not the technology that’s difficult, it’s the social engineering.
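To make the trade-off in that last paragraph concrete, here is a small Python policy check, added as an illustration and not code from this column or from Courion, that scores a candidate challenge question against a help desk lockout policy. The answer-frequency tables and the list of publicly discoverable questions are constructed assumptions; in practice they would come from your own enrollment statistics or published studies, never from stored user answers.

```python
"""Score challenge questions for guessability under a lockout policy.

Constructed example. Frequency tables below are hypothetical and exist only
to show how a small answer space defeats a lockout limit.
"""

# Constructed answer frequencies (fraction of users giving each answer).
# "Favorite subject in school" has a tiny answer space; a maiden name is far
# more spread out, but is often discoverable from public records, which a
# frequency table cannot capture.
FAVORITE_SUBJECT = {"math": 0.22, "history": 0.15, "english": 0.14,
                    "science": 0.12, "art": 0.09, "music": 0.07,
                    "gym": 0.06, "other": 0.15}
MAIDEN_NAME = {"smith": 0.010, "johnson": 0.008, "williams": 0.007,
               "other": 0.975}

# Questions named in the column whose answers are typically findable from
# public sources (hypothetical policy list; discoverability is a flag, not a number).
PUBLICLY_DISCOVERABLE = {"mother's maiden name", "city born in",
                         "name of high school", "favorite pet's name"}


def guess_success_probability(answer_freq, attempts):
    """Probability that someone who knows only the answer distribution
    succeeds within `attempts` tries, trying the most common answers first.
    The catch-all 'other' bucket is treated as unguessable and ignored."""
    ranked = sorted((p for a, p in answer_freq.items() if a != "other"),
                    reverse=True)
    return min(1.0, sum(ranked[:attempts]))


def evaluate_question(question, answer_freq, attempts=3, max_success=0.01):
    """Return (acceptable, reasons) under a policy of lockout after `attempts`
    wrong answers and at most `max_success` guess probability; questions whose
    answers are publicly discoverable are rejected regardless."""
    reasons = []
    p = guess_success_probability(answer_freq, attempts)
    if p > max_success:
        reasons.append(f"{p:.0%} success within {attempts} guesses")
    if question.lower() in PUBLICLY_DISCOVERABLE:
        reasons.append("answer is commonly discoverable from public sources")
    return (not reasons, reasons)


if __name__ == "__main__":
    for q, table in [("favorite subject in school", FAVORITE_SUBJECT),
                     ("mother's maiden name", MAIDEN_NAME)]:
        print(q, evaluate_question(q, table))
```

Both of the column's example questions fail this policy for different reasons, which is exactly the dilemma the author describes: the memorable questions are either guessable or discoverable.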