Passwords and PINs are passé. Security experts agree these antiquated stalwarts provide weak security and more robust mechanisms are needed to bolster them.
While biometrics reading various funky body parts ranging from retinas to vein patterns have been proposed to identify users, none show as much promise as voice biometrics, or speaker verification.
"Voice is more realistic than other biometrics," says Judith Markowitz, a Chicago-based independent consultant and thought leader. "You don't need special readers for mass deployment."
In the US, regulatory bodies are mandating two-factor security for financial transactions that combine something you have, such as a token or identifying biometric, with something you know, such as a password, says Markowitz. "Voice is inherently multi-factor if you have to say your password or account number."
In the past three years, speaker verification technology has improved significantly, says Chuck Buffum, VP of authentication solutions at Burlington, MA-based Nuance Communications Ltd, a voice solutions provider. "It's gotten good enough for prime time. You can get a spoken token from a voiceprint."
Recent implementations by major companies are soothing concerns about the technology's accuracy and consumer acceptance, he says. Last year, Bell Canada enrolled 600,000 customers to allow them to access call centre agents using their voices as passwords, as did Aeroplan to give its customers access to their frequent flyer accounts.
Studies show speaker verification is more accurate than other biometrics except retinal scanning, he says. But it offers other practical advantages: there's already a huge installed base of microphones in most computers and handheld devices, so no extra equipment is need to capture voiceprints.
Moreover, the accuracy of speaker verification is boosted when it's implemented as a two-factor security solution by combining a voiceprint match with a passphrase, he says. "Alone, it has a 95 per cent accuracy rate, but if a multi-factor solution is used, it's 99 per cent."
Although background noise may cause problems, most false rejections are due to cross-channel mismatches, he explains. "If someone enrolled on a landline home phone, but then calls on a cell phone, the system may reject the user. The audio acoustics are different, and data gets mixed in the voiceprint." Since most users in fact enrol on their home phones, this has a security upside. "The odds of someone who knows your passphrase breaking into your house to impersonate you are pretty low."
Speaker verification is not really new technology, as it's been used in niche applications for about a decade, he says. It was first used in Canada to manage telephone privileges in prisons. Today, the technology is used by law enforcement to track the movements of parolees, offenders under house arrest and people with temporary visas.
An emerging application is its use in high-security government installations by security guards rather than prisoners, says Markowitz. In the course of their rounds on foot or in vehicles to check the perimeter, the technology is used to ensure guards are who they say they are when they check in periodically.
Despite its promise, uptake of speaker verification technology by government entities is slow, as these are reluctant to implement new technology, says Dan Miller, founder of Opus Research, a San Francisco-based research consultancy. "But there's been significant spending on speaker verification on the forensic side by law enforcement to catch bad guys via wiretaps, and this may help subsidize more commercial uses."
Many issues within the industry need to be resolved to encourage government uptake, says Markowitz. "No reliable third party testing has been done on more than two or three products, "she says, adding that even these were conducted in controlled, laboratory conditions with landline phones.
"And a 99 per cent accuracy rate is not that great. It means one out of 100 fails, but that translates into thousands of rejections in high volume areas." To avoid the wrath of legitimate users who may be rejected by these systems, implementers will likely revert to PINs, passwords or other less secure back-up mechanisms that can be used by wily hackers.
While these are issues that will likely resolve over time as the technology and system design matures, the lack of common standards is a key show-stopper, she says. "With speech recognition, the voice XML standard is what opened the market and made it possible to integrate it in applications without being tied to proprietary systems. This revolutionized the IVR market, but we're not there yet with speaker verification."
As a consequence, the industry will likely grow by a modest third over the next couple of years, as lack of standards will inhibit uptake, she says. "Government entities won't do wide deployments, as they're mandated to use technology that has standards."
Rosie Lombardi is a Toronto-based freelance writer. She can be reached atrosie@rosie-lombardi.com.
Related content:
Ontario's privacy commissioner orchestrates voice biometrics integration
Encrypt biometric data, urges Ontario privacy czar
Israeli government looks at biometric technologies