Passwords are passé, say vendors in this space. Let your voice do the talking
It’s not uncommon to see people walking down a street chattering away over their smart phones through a Bluetooth connection — but they pull out the handset to type in a password for a sensitive Web site.
Increasingly, however, voice biometrics is being used by organizations for identity authentication to applications.
Your voice is, after all, as unique as your fingerprint, your retina or your face.
“This is a kind of tipping point for the technology in the commercial space,” says Tariq Habib, CEO of Toronto’s VoiceTrust.
Already the technology is used by some organizations to confirm the identity of a caller over the phone in the background while talking to a customer service agent.
But banks are also now using it in mobile apps allowing voice access and approval for transferring money and paying bills.
According to an executive of Nuance Communications, which makes voice biometric solutions, one Canadian bank will soon announce that capability for its retail customers.
Which is why some believe that voice may soon replace alphanumeric passwords as a common authentication method.
Why? Because passwords can be cracked either by guessing or a brute force attack.
A number of companies sell voice biometric solutions, two of which have a Canadian connection: Nuance, of Burlington, Mass., which has a large Montreal research and development centre; and VoiceTrust.
Others that sell voice biometric software or include it include it in solutions include Nice Systems of Israel; Verint Systems of Melville, N.Y.; VoiceVault Inc. of El Sagundo, Calif.; ValidSoft of Britain; Pindrop Security of Atlanta; and Agnitio Corp. of Madrid.
Most of these companies sell solutions – largely on premise but some in private clouds –tailored for financial industries and those needing to cut down fraud — phone companies, health care institutions and the like.
There are several types of solutions, all of which require end users to record a voice-print for later recognition: Those that are “text dependent,” meaning end users have to repeat approved words or phrases; and those that are “text-independent,” where end users can say anything.
Systems may be automated – that is, once identified the users has access to a limited number of options so a support agent isn’t needed. Good for password resets. Or they may run in the background, identifying the caller so the agent doesn’t have to ask for passwords, PINs, mother’s name, favourite pet …
But voice biometrics hasn’t made it yet into popular applications like email or even logging onto corporate networks.
One reason in the past has been cost. Another has been accuracy – some systems got confused if a user enrolls on a landline but tries to access via a cell phone. A third has been no one wanted to be first in the industry.
Vendors say these reasons no longer exist.
Brett Beranek, Montreal-based solutions marketing manager for Nuance – which makes
the Dragon Dictate PC speech recognition software and is behind Samsung’s S-voice smart phone voice assistant – won’t divulge the cost of a solution, except to say –“we’re not talking about systems that cost millions to deploy,” so the business case “is very sound.”
On the other hand Gartner analyst Avivah Litan says “you’ve got to have enough fraud or authentication issues to justify the expense.”
As for other objections, digital voice-prints can’t be impersonated, vendors say, and if stolen are worthless. Also, their systems have protections against people recording a victim’s voice and playing into the phone.
But even Beranke admits biometric systems aren’t infallible.
Daniel Tobok, managing director of Telus’s security consulting and forensics division, who believes voice biometrics is “an awesome, outstanding idea,” agrees.
Last year his department was part of a quiet investigation into the theft of data from an unnamed European financial institution whose systems were protected by requiring access by both fingerprint and smart card.
However, a crooked employee was able to hack into the identity servers and created legitimate profiles so colleagues on the outside could gain access.
It’s another example of how people, not technology, are usually the weak spots in security.
Gartner analyst Avivah Litan notes that voice biometrics has made great inroads into enterprises in the last two years, particularly in call centres. It’s best when combined with what she calls “phone-printing” — an application that verifies the source of an incoming call (a customer who lives in Vancouver should be calling from there, not from a small town in China, for example).
But she is one of those skeptical that voice biometrics will replace alphanumeric passwords, at least not for “many, many years.
“The jury’s still out,” she says.