More robust mechanisms are needed to fortify systems security. While biometrics that read retinas, vein patterns and other funky body parts have been proposed to identify users, none show as much promise as voice biometrics, or speaker verification.
 
“Voice is more realistic than other biometrics,” says Judith Markowitz, a Chicago-based voice biometrics consultant. “You don’t need special readers for mass deployment.”
 
The quest for stronger security is gaining urgency. In the US, regulatory bodies are mandating two-factor security for financial transactions that combine something you have, such as a token or identifying biometric, with something you know, such as a password, says Markowitz. “Voice is inherently multi-factor if you have to say your password or account number.”
 
Recent implementations by major companies are soothing concerns about the technology’s accuracy and consumer acceptance. Last year, Bell Canada enrolled 600,000 customers to allow them to access call centre agents using their voices as passwords.

Aeroplan has also deployed speaker verification to allow its customers to access their frequent flyer accounts, and TD Waterhouse is in the middle of a big deployment, says Chuck Buffum, VP of authentication solutions at Burlington, MA-based Nuance Communications Ltd, a voice solutions provider.

“No one wants to be first to deploy new technology, so now organizations can be second,” he says.

Voice pitch
In the past three years, speaker verification technology has improved significantly, says Buffum. “It’s gotten good enough for prime time. You can get a spoken token from a voiceprint.”

Studies show speaker verification is more accurate than other biometrics except retinal scanning, he says. But it offers other practical advantages: there’s already a huge installed base of microphones in most computers and handheld devices, so no extra equipment is need to capture voiceprints.

Nor is any special user training needed, as is the case with fingerprint scanners where users need to learn how to roll their fingers across readers properly, he says. And user acceptance is high. According to an international survey conducted by Nuance, over 50 per cent of consumers said they viewed speaker verification as a competitive advantage.

Another major benefit is that speaker verification can be easily implemented as a two-factor security solution by combining voiceprint matches with a passphrases, he says. “Alone, it has a 95 per cent accuracy rate, but if a multi-factor security solution is used, it’s 99 percent.”

Although background noise may cause problems, most false rejections are due to cross-channel mis-matches, he explains. “If someone enrolled on a landline home phone, but then calls on a cell phone, the system may reject the user. The audio acoustics are different, and data gets mixed in with voiceprints.”

Since most users in fact enrol on their home phones, this has a certain security upside, he adds. “The odds of someone who knows your passphrase breaking into your house to use your phone to impersonate you are pretty low.”

Combating voice thieves
While these factors may appear to favour adoption of voice biometrics over other types, there are some impediments within the industry.

“No reliable third party testing has been done on more than two or three products, “says Markowitz, adding that even these were conducted in controlled laboratory conditions with landline phones.

“And a 99 per cent accuracy rate is not that great. It means one out of 100 fails, but that translates into thousands of rejections in high volume areas.” To avoid the wrath of legitimate users who may be rejected by these systems, implementers will still need a back-up system that reverts to PINs or other less secure means that can be used by wily hackers.

Users who are fed up of being forced to remember complicated passwords or account numbers aren’t entirely off the hook. “Some people’s names are too short to provide enough syllables and resonance from their vocal cords to get a good voiceprint,” she explains. Longer passphrases containing numbers or other words are needed to make them harder to spoof with tape recorders.

There are several methods to counter spoofing, says Siegy Adler, co-founder of NY-based VoxLock Technologies Inc, a voice security provider. One simple approach involves obtaining a range of voiceprints during the enrolment process by asking users to say a series of words or numbers. When they access the system later, users are prompted to repeat a randomly generated sequence which is compared to the voiceprints on file.

“So users don’t have to remember a complex phrase ”“ they just have to repeat what the system prompts them to say,” he says. “Even if a high-end tape recorder is used, it’s difficult for a hacker to know what random sequence the user will be asked to repeat later to access the system.”

He points out there aren’t any actual voice files floating around networks that can be intercepted, stolen or rouse privacy concerns. “You can’t hear a voiceprint ”“ it has to be converted to an audio file,” he says. “A voiceprint is a mathematical model. It’s a measurement of how the person sounds and the physical characteristics of their vocal tracts, and like fingerprints, no two are alike.” 

Applications new and old
Call centres are the most promising areas for speaker verification applications, but there are also some new ones emerging, says Buffum.

The killer app lies in next-generation mobile applications, particularly mobile banking, as something more secure than PINs and passwords is needed but people don’t want to be fumbling with token generators or other gadgets on the fly, he says. “Regulatory bodies recently approved the use of a voiceprint as a valid alternative to a signature. To do this, you need to certify the right person is using the phone or making the transaction, which may translate into a call back and a voiceprint match to validate it.”

Another new application is using the technology to automate password resets, which comprise about 30 percent of call volumes at IT help desks, he says. “Employees are enrolled into the system with voiceprints when they’re hired, and these are used to validate they are who they say they are if they call later to reset their passwords. About 40 corporations use it for this purpose, including Marriott Hotels and some big banks.”

He points out that speaker verification is not really new technology, as it’s been used in niche applications for about a decade. It was actually first used in Canada to manage telephone privileges in prisons. Law enforcement applications have since evolved, and today, many government agencies use the technology to track the movements of parolees, offenders under house arrest and people with temporary visas.

There are also some new niche applications in perimeter security at high-risk installations, says Adler. Speech verification combined with GPS is used in large government complexes, ports, and factories to ensure night guards are where they’re supposed to be when they make their rounds, and don’t have a friend covering for them.

“Organizations want to make sure guards aren’t in the office reading the paper when they should be out on their rounds by having them call in and identify themselves,” he says. “It sounds Big Brotherish, but the issue is that they’re relying on these individuals to secure the facility, they pay them based on hours, and there’s no one to verify where they are at night.”

While there are some specialized examples of Star Trek- type systems using voiceprints at entrances for access control, voice biometrics are unlikely to displace retinal scanners at high-security installations for this purpose, he adds. “If the system fails at night, there’s no one around to help you.”