I hadn't heard much about biometric authentication in a while, but an email pitch arrived this week from Nuance Communications Inc. (Nasdaq: NUAN), pushing a "spoken token," which the vendor went on to claim is "arguably the most accurate, convenient and cost-effective way to authenticate a person's identity." Arguably? OK, let's argue.
As it turns out, there's not a lot of, uhh, fresh wind in the argument about the use, cost, and reliability of biometric technologies in security. The high number of false positives remains the biggest hurdle with facial recognition technology, for example; retinal scans and fingerprint recognition start to get a little too personal; these solutions also tend to excite privacy advocates prone to howling at every cloud that passes over.
Biometrics' challenge isn't just technical... There's also some weird sociology at work here that I suspect will continue to inhibit widespread uptake.
Voice biometrics has its own unique challenges, according to Lisa Meyer. "Voice biometrics uses the pitch, tone, and rhythm of speech," she wrote in a white paper for The SANS Institute. "Background noise, illness, age, and differences in telephones and microphones can cause problems with voice identification and authorization."
Meyer also points out some distinct advantages where this form of biometric authentication is concerned: It's easy to use, isn't as invasive as, say, a retinal scan, is relatively low cost, and allows a user to enroll/use the authentication remotely (i.e., you can't "call in" to a retinal scanner, though I bet someone's working on this too). Meyer says voice biometrics would also work well as part of a dual-authentication system where security requirements are more demanding -- entry to Fort Knox, say, as opposed to accessing the company's time-off system.
Here's why I'd like to see this technology work out its rough edges: simplicity. No token-generating fob to lug along (or lose). No Post-It memory aid required. And I always carry my voice with me when I travel.
Companies like ABN Amro, Bell Canada, National Australia Bank, and TD Waterhouse have flirted with voice biometrics as a means for authenticating customers for trades, transfers, and other transactions. If it can be made to work, the cost savings are phenomenally large (and yes, that's a big if). As has been well documented, it costs enterprises anywhere from $12-$15 per incoming call if the customer has to actually speak to a live human being; automated voice response can reduce that to well under $1 ("Press '2' to tell us how much you love our new voice authentication").
The vendor pitching the "spoken token" story latches on to another hook: Voice biometrics can be a good weapon in combating consumer fraud, which last year reportedly cost business and consumers $1.2 billion. While I'm certain everyone would like to reduce fraud and bad debt, the smarter tack here to my mind is the emphasis on simplicity. Call up, press "1" to speak your pass-phrase, enter a keypad PIN, then proceed with your confidential transaction.
Vendors aren't likely to find much argument there.
This blog is part of Internet Evolution's Security Clan, which examines the future of Internet security and the changing nature of risks and vulnerabilities.
RE: “…fingerprint recognition start to get a little too personal.” Not really. I had an experience playing with some Tablet PCs for a small project. The fingerprint biometrics worked well. It was funny (kind of) to see some of the corporate executives squirm when we suggested ACTUALLY using the built-in fingerprint biometrics for the Tablet PCs. None of them liked that idea, too easy I guess (fear of the harmless digital “representation” of their fingerprints I guess). Like we’d EVER send their fingerprint files off to the BBI (Big Brother Institute) to blackmail them later (there is no BBI…really…trust me). But of course, they’d rather complain about all the passwords they have to remember, and then having to slowly enter in the passwords on the Tablet with its stylus. The bad thing was that the account setup needed to be done at the Tablet; ON site with that particular person’s fingerprint (a remote set up option might have been able to be done which then involved 3 people, instead of just two).
Voice Biometrics actually working? Hmmm sounds like waaay off, distant, future-ish-ness kinda shtuff. It seems like the voice activated technology out there now seems rather primitive (ME: I SAID Golfer! NOT GOPHER! Digital Lady in the machine: “I’m sorry, I couldn’t understand you. Could you please REPEAT that?”) Hmm, I could see the thieves bugging your phone, office or meeting you in person at the hotdog stand secretly recording your voice w/ a hidden device, in order to clean your accounts out later. Nah…they wouldn’t do that.
While I agree that many organizations are "flirting" with voice biometrics technology, Bell Canada is not one of them.
The deployment at Bell Canada where a simple spoken phrase replaces a set of manual authentication questions has proved that this technology is ready for prime time. More than 1.9M Bell customers opted in for this service and enrolled their voiceprints. With millions of successful verifications and an enrolment rate exceeding 100K new voiceprints each month, this is no longer science fiction.
Yes, the technology is not bulletproof and its accuracy depends on many factors. Nevertheless, its verification success rate is much higher than PINs. If you talk to banks and other service providers that rely on PINs you'd realize that 20%-30% of people calling in do not remember them or have them handy.
State-of-the-art voice biometrics technology is much more accurate and less susceptible to background noise than Speech Recognition. While Speech Recognition aims to recognize words out of a given grammar that may contain hundreds and thousands of words, voice biometrics technology rates how much a given voice sample matches a specific enrolled voiceprint.
As for recordings, there are several ways to address recording threats (Interception / Vishing=Voice Phishing). These include random prompting, liveness detection and other more sophisticated and proprietary ways.
Well, technically installing card readers over legitimate readers, mini-cams at ATMs, and simple over-the-shoulder reading sounds like it's out of a spy movie too, right?
Depending on the sophistication of the system, a simple recording done via consumer electronics like a cell phone could do the trick. After all, the system has to compensate for noise. And if it can't, then it really limits its use.
I can just imagine something like this in a cubicle environment. The 15 minutes just before and just after start time will be constant noise of people trying to convince their machine they are who they say they are. Not to mention someone who wants to login while on the plane or in a library. Home users connecting to their banks? Maybe, but make sure your windows are closed so your neighbor doesn't overhear you yelling your password at your computer.
It could be spoofed via recording. But wouldn't the spoofer need to obtain the essential parts of the authenticator's voice in order to create the spoof recording?
Sounds like a scene from a spy movie. Not saying it couldn't be done.
I agree that your eyes should be with you at all times, and they are not as influenced by the common cold. What about retinal surgery?
My credit card and telephone companies use voice recognition for customer service, and I truly despise it. Perhaps it's because the system was populated with voice-over responses by a person whose voice I can't stand. I'm sure she's a very nice individual in person, but there's a small twist she gives at the end of every word or phrase that I find very tough to listen to.
In addition, the system gets many of my responses wrong, so it needs to query again and again: "Sorry, I didn't get that...."
If this is what voice authentication is about, I really have to grin and bear it.
I've also used retinal identification at the airport, and found it equally chancy. In fact, it took me twice as long to go through a frequent flyer customs program than it would have simply to go through customs.
My question is, do these systems really give us better security than other forms of authentication?
The big "If" about voice recognition systems is that they might save money but they are almost never designed well and they never earn any loyalty. "You'll always reach a competent human being" could be a selling point these days.
Additionally, I could see how the voice system could be spoofed via recording. The local newspaper's online edition actually has a feature where you can call in with comments, and recording becomes part of a podcast with responses from the editor.
Besides, a bad cold and your voice isn't as useful as it used to be. At least with a retinal or fingerprint scan it's much harder to spoof. I carry my fingers and eyes with me, and they're not changed by any common diseases.
and it is necessary to make sure that you are who you say you are when you log on
but that is not the end-all for security: that is where the issue begins
once you log on we must ensure that
your computer is doing what you think it is
that you are talking to who you think you are talking to
In the first place we have to be sure you are not carrying any RATS: remote access trojans. the RAT waits for you to log on and then uses your computer and your credentials to conduct --- a little extra business, possibly.
in the second case we have to make sure that your connection has not been re-directed. you might think you are buying a monitor from Amazon when actually you bought the wreck of the Lusitania from the Russian Business Network and signed up for easy payments of just twenty bucks a month listed under Historical Treasures Society, membership fees.
and so it is very important to look at the multiple aspects of security -- not just one piece. overall, the various aspects of security have been just about wholly neglected by the PC industry in their rush to get us all commercialized.
and that's All Good. Soon's we get us a sheriff and a few good deputies to keep the badboys on their own side of the 'Net
If "Internet 2" is going to be a Secure Business Environment what will we need to change to get it that way? what must be done? how can we get the industry to do it (hopefully short of calling Oblahma).