Canadian Security Magazine

Security gets a new voice

Passwords and PINs are passé. Security experts agree these antiquated stalwarts provide weak security, and the time has come for new approaches now that mobile applications are gaining traction.

October 30, 2008
By Rosie Lombardi

More robust mechanisms are needed to fortify systems security. While
biometrics that read retinas, vein patterns and other funky body parts
have been proposed to identify users, none show as much promise as
voice biometrics, or speaker verification.
“Voice is more realistic than other biometrics,” says Judith Markowitz,
a Chicago-based voice biometrics consultant. “You don’t need special
readers for mass deployment.”
The quest for stronger security is gaining urgency. In the US,
regulatory bodies are mandating two-factor security for financial
transactions that combine something you have, such as a token or
identifying biometric, with something you know, such as a password,
says Markowitz. “Voice is inherently multi-factor if you have to say
your password or account number.”
Recent implementations by major companies are soothing concerns about
the technology’s accuracy and consumer acceptance. Last year, Bell
Canada enrolled 600,000 customers to allow them to access call centre
agents using their voices as passwords.

Aeroplan has also deployed speaker verification to allow its customers
to access their frequent flyer accounts, and TD Waterhouse is in the
middle of a big deployment, says Chuck Buffum, VP of authentication
solutions at Burlington, MA-based Nuance Communications Ltd, a voice
solutions provider.

“No one wants to be first to deploy new technology, so now organizations can be second,” he says.

Voice pitch
In the past three years, speaker verification technology has improved
significantly, says Buffum. “It’s gotten good enough for prime time.
You can get a spoken token from a voiceprint.”


Studies show speaker verification is more accurate than other
biometrics except retinal scanning, he says. But it offers other
practical advantages: there’s already a huge installed base of
microphones in most computers and handheld devices, so no extra
equipment is need to capture voiceprints.

Nor is any special user training needed, as is the case with
fingerprint scanners where users need to learn how to roll their
fingers across readers properly, he says. And user acceptance is high.
According to an international survey conducted by Nuance, over 50
per cent of consumers said they viewed speaker verification as a
competitive advantage.

Another major benefit is that speaker verification can be easily
implemented as a two-factor security solution by combining voiceprint
matches with a passphrases, he says. “Alone, it has a 95 per cent
accuracy rate, but if a multi-factor security solution is used, it’s 99

Although background noise may cause problems, most false rejections are
due to cross-channel mis-matches, he explains. “If someone enrolled on
a landline home phone, but then calls on a cell phone, the system may
reject the user. The audio acoustics are different, and data gets mixed
in with voiceprints.”

Since most users in fact enrol on their home phones, this has a certain
security upside, he adds. “The odds of someone who knows your
passphrase breaking into your house to use your phone to impersonate
you are pretty low.”

Combating voice thieves
While these factors may appear to favour adoption of voice biometrics
over other types, there are some impediments within the industry.

“No reliable third party testing has been done on more than two or
three products, “says Markowitz, adding that even these were conducted
in controlled laboratory conditions with landline phones.

“And a 99 per cent accuracy rate is not that great. It means one out of
100 fails, but that translates into thousands of rejections in high
volume areas.” To avoid the wrath of legitimate users who may be
rejected by these systems, implementers will still need a back-up
system that reverts to PINs or other less secure means that can be used
by wily hackers.

Users who are fed up of being forced to remember complicated passwords
or account numbers aren’t entirely off the hook. “Some people’s names
are too short to provide enough syllables and resonance from their
vocal cords to get a good voiceprint,” she explains. Longer passphrases
containing numbers or other words are needed to make them harder to
spoof with tape recorders.

There are several methods to counter spoofing, says Siegy Adler,
co-founder of NY-based VoxLock Technologies Inc, a voice security
provider. One simple approach involves obtaining a range of voiceprints
during the enrolment process by asking users to say a series of words
or numbers. When they access the system later, users are prompted to
repeat a randomly generated sequence which is compared to the
voiceprints on file.

“So users don’t have to remember a complex phrase ”“ they just have to
repeat what the system prompts them to say,” he says. “Even if a
high-end tape recorder is used, it’s difficult for a hacker to know
what random sequence the user will be asked to repeat later to access
the system.”

He points out there aren’t any actual voice files floating around
networks that can be intercepted, stolen or rouse privacy concerns.
“You can’t hear a voiceprint ”“ it has to be converted to an audio
file,” he says. “A voiceprint is a mathematical model. It’s a
measurement of how the person sounds and the physical characteristics
of their vocal tracts, and like fingerprints, no two are alike.” 

Applications new and old
Call centres are the most promising areas for speaker verification
applications, but there are also some new ones emerging, says Buffum.

The killer app lies in next-generation mobile applications,
particularly mobile banking, as something more secure than PINs and
passwords is needed but people don’t want to be fumbling with token
generators or other gadgets on the fly, he says. “Regulatory bodies
recently approved the use of a voiceprint as a valid alternative to a
signature. To do this, you need to certify the right person is using
the phone or making the transaction, which may translate into a call
back and a voiceprint match to validate it.”

Another new application is using the technology to automate password
resets, which comprise about 30 percent of call volumes at IT help
desks, he says. “Employees are enrolled into the system with
voiceprints when they’re hired, and these are used to validate they are
who they say they are if they call later to reset their passwords.
About 40 corporations use it for this purpose, including Marriott
Hotels and some big banks.”

He points out that speaker verification is not really new technology,
as it’s been used in niche applications for about a decade. It was
actually first used in Canada to manage telephone privileges in
prisons. Law enforcement applications have since evolved, and today,
many government agencies use the technology to track the movements of
parolees, offenders under house arrest and people with temporary visas.

There are also some new niche applications in perimeter security at
high-risk installations, says Adler. Speech verification combined with
GPS is used in large government complexes, ports, and factories to
ensure night guards are where they’re supposed to be when they make
their rounds, and don’t have a friend covering for them.

“Organizations want to make sure guards aren’t in the office reading
the paper when they should be out on their rounds by having them call
in and identify themselves,” he says. “It sounds Big Brotherish, but
the issue is that they’re relying on these individuals to secure the
facility, they pay them based on hours, and there’s no one to verify
where they are at night.”

While there are some specialized examples of Star Trek- type systems
using voiceprints at entrances for access control, voice biometrics are
unlikely to displace retinal scanners at high-security installations
for this purpose, he adds. “If the system fails at night, there’s no
one around to help you.”

Print this page


Leave a Reply

Your email address will not be published. Required fields are marked *