Voice Biometric Authentication Best Practices: Overcoming Obstacles to Adoption

licoricebedsΑσφάλεια

22 Φεβ 2014 (πριν από 3 χρόνια και 5 μήνες)

103 εμφανίσεις






Voice Biometric Authentication
Best Practices: Overcoming
Obstacles to Adoption


Sponsored by:





As technology providers and system integrators around the world
successfully
bring

their solutions to market, we’re identifying the product
attributes
, architectures and deployment strategies that define the best
practices in layered, multi
-
factor and risk
-
based deployments of voice
biometrics.


January 2012


Dan Miller, Senior

Analyst


Opus Research, Inc.

350 Brannan St., Suite 340

San Francisco, CA 9
4107

For sales inquires please e
-
mail
info@opusresearch.net

or call +1(415)904
-
7666

This report shall be used solely for internal information purposes. Reproduction of this report
without prior written permissio
n is forbidden. Access to this report is limited to the license
terms agreed to originally and any changes must be agreed upon in writing. The information
contained herein has been obtained from sources believe to be reliable. However, Opus
Research, Inc.

accepts no responsibility whatsoever for the content or legality of the report.
Opus Research, Inc. disclaims all warranties as to the accuracy, completeness or adequacy of
such information. Further, Opus Research, Inc. shall have no liability for errors
, omissions or
inadequacies in the information contained herein or interpretations thereof. The opinions
expressed herein may not necessarily coincide with the opinions and viewpoints of Opus
Research, Inc. and are subject to change without notice.

Publi
shed
January 2012

© Opus Research, Inc. All rights reserved.



Voice Biometrics Best Practices

Page
ii


© 201
2

Opus Research, Inc
.

Table of Contents


A Defining Moment for Voice Biometric Solutions Providers

....................

1
 
Voice Biometric Ecosystem Members to Benefit

.............................

1
 
Overall Best Practice: Amplify Organic Adoption

............................

2
 
“Mobile” Means Feature Phones, Smartphones and Tablets

.............

3
 
Lessons from the past

................................
................................
......

3
 
Early Packaging and Perfor
mance Problems (HSN and Schwab)

.......

4
 
Positioning Presented Real Obstacles

................................
...........

5
 
Partnering To Address Perceived Deficiencies

................................

6
 
Organizational Issues: Battling Bureaucracies

...............................

6
 
Pricing and ROI Concerns

................................
...........................

9
 
The Next Chapter: Voice Biometrics Fosters Trusted Commerce

.............

9
 
Does Enrollment Equate to Loyalty?

................................
...........

10
 
Is Bulk

Enrollment a Possibility?

................................
................

10
 
What’s in the Wings for Authentication?

................................
.....

11
 
Is Text
-
Independence a “Best Practice”?

................................
....

11
 
Promoting Trust and Long
-
term Relationships

.............................

12
 
Fitting into Multi
-
Factor Solutions

................................
..............

12
 
Expect Accelerated Adoption

................................
...........................

13
 

Tables


Figure 1: Global picture for Registered Voiceprints

................................
....

2
 
Figure 2: Response to customer survey re: voice biometrics

....................

10
 

Voice Biometrics Be
st Practices

Page
1


© 201
2

Opus Research, Inc.

A Defining Moment for Voice Biometric Solutions Providers

As we look ahead in 2012, recent events are likely to accelerate demand for
voice
-
b
ased authentication of individuals using mobile phones and other
devices. The largest search engine company in the world, Google, is
acquiring the longest
-
established manufacturer of mobile phones, Motorola
Mobility, and has well
-
publicized plans to turn p
hones into electronic wallets.
Meanwhile the largest provider of token
-
based authentication systems (RSA’s
SecureID) has been hacked, generating a lot of news coverage and further
demonstrating the weaknesses of “traditional” authentication approaches.


Fo
r the security professionals among the largest commercial banks in the
United States, January 1, 2012 mark
ed

an important deadline for compliance
with guidelines from the Federal Financial Institutions Examination Council
(FFIEC) regarding fraud prevention

on Web
-
based e
-
commerce sites.
Hardening the phone channel has become an important component of those
efforts. The FFIEC’s counterparts around the globe
-

and there are dozens on

a

regional level, like the Committee of European Banking Supervisors
,

and
o
n
a

national level, like the Monetary Authority of Singapore,


have issued their
own guidelines for processes and procedures to prevent fraud and protect
privacy.


These recommendations have been a boon to voice biometrics for two
reasons. Stronger prote
ction of Web
-
based resources expose the phone
channel as a “weak link” in the fraud protection chain. Second, IT analysts,
led by Gartner
,

have recently begun recommending a combination of
authentication methods that include voice biometrics and reportedly

expect
at least one large financial institution to implement voice biometric
-
based
caller authentication by 2013.


Voice Biometric Ecosystem Members to Benefit

The longest
-
standing, leading providers of voice biometric
-
based “engines”
are Nuance (which a
dded technologies from PerSay and Loquendo to its mix),
Agnitio,

VoiceVault and VoiceTrust. Each has many years of experience
packaging their technologies into solutions

and

building partnerships with IVR
makers, application providers and integrators. They

are joined in the market
by a number of companies with portfolios of speech
-
based solutions that
include a voice biometric engine to support speaker detection and
identification, as well as authentication. That list includes STC
-
SpeechPro,
Voice Biometric
s Group, Finivation and a few others.


The efforts of the engine providers are joined by a number
of
solution
providers who comprise a longer list of competitor
s

or
their
successor firms.
A number of these companies entered the market by acquiring IP from
voice
biometric “pure
-
plays” and incorporating it into a broader portfolio of identity
management, risk management or security services. They are exemplified by
CSIdentity, an identity management firm that acquired core software from
VoiceVerified; Fujitsu

Ltd, which acquired the IP that was developed by Kaz
from Australian network operator Telstra; and ValidSoft, a company that
Voice Biometrics Be
st Practices

Page
2


© 201
2

Opus Research, Inc.

specializes in fraud prevention normally associated with
payment cards, the
internet

and

telephone channels.


The ranks of voice
biometric solution providers
are

rounded out by a group of
software developers and system integrators that often take a COTS
(customizable off
-
the
-
shelf) approach to bringing solutions to the market.
Leading Software is an example of this category. Working

with a large
integrator like Atos
-
Origin, it is finding success by helping large enterprises
shorten the time it takes to get an enrollment system up and running or to
integrate with existing IVR (interactive voice response) systems. System
integrators th
at specialize in contact center automation are another set of
candidates with go
-
to
-
market strategies for voice biometric
-
based solutions.
These include
Datapoint, Salmat

and

IBM Global Services.


Overall Best Practice:
Amplify Organic Adoption

Both custom
er care and security specialists see the value of establishing
higher levels of trust with their customers and fellow employees. That
equates to stronger authentication of individuals, not “end
-
points,” tokens or
mobile devices. With Apple’s introduction o
f Siri, a speech
-
enabled mobile
assistant, the general public is getting tuned into the power of the spoken
word for search, control and dictation. Authentication will not be far behind.
The pre
-
requisite here is one of packaging.


Figure
1
: Global picture for Registered Voiceprints


Source: Opus Research (2011)


The result of these “best practices” is reflected in the slope of the curve in
Figure 1, which is Opus Research’s forecast for registered voiceprints on a
global basis. N
ote that, in this document we sometimes refer to “indicated
best practices” which we define as the approaches that solution providers
Voice Biometrics Be
st Practices

Page
3


© 201
2

Opus Research, Inc.

have indicated they will carry forward because they are finding the highest
acceptance rates in real world implementations
.


Voice biometric solution providers are unlikely to be able to change behavior
among the general public. But they can demonstrate how automated speech
processing, when coupled with “artificial intelligence” (AI) as it is with Siri, is
an empowering force
. Early application of multi
-
factor authentication
(including voice biometrics) helps accomplish two very important goals. First,
as people carry out more e
-
commerce and other routine activities on their
phones, biometric
-
based security will help prevent f
raud in general. Second,
during each conversation, strong authentication promotes “trust,” meaning
that both parties can have confidence that they are in touch with the
individual that they want to carry out business with.


“Mobile” Means Feature Phones,
Smart
p
hones and Tablets

Enterprise security experts know that they cannot rely on any single factor,
but
must instead
look to more robust security methods. As soon as a C
-
level
executive starts using her iPad for work
and
personal use, it becomes more
impo
rtant to authenticate the person who’s in possession of that

device
. The
move to mobile makes user authentication more important than ever
,

precisely because it is no longer sufficient to merely secure hardware
endpoints. Participants want assurances that
the individual at that endpoint
is the person he or she claims to be.


Waiting in the wings are large
-
scale implementations by large government
agencies that have the need to closely manage disbursement of transfer
payments (like social security or unemplo
yment benefits). Such
implementations have already moved past the “pilot” stage in Australia and
New Zealand. The largest pension organization in the Philippines has been
offering voice
-
based authentication of retirees, leveraging an existing
smartcard
-
bas
ed identification/verification infrastructure. The ability to enroll
and authenticate remotely has proven to be valuable in
all
of these cases.


Lessons
f
rom the
p
ast

The rest of this document provides specifics surrounding
what Opus Research
regards as “
b
est practices


based on the lessons learned over more than a
decade of bringing voice biometric
-
based solutions to the market.
In it we
evaluate a set of offerings, including proof
-
of
-
concept, trials and formal
offerings, that failed to reach a level of en
rollment or use that would deem
them successful. Our assumption is that today’s best practices


at the very
least


will be those that correct long
-
standing shortcomings
. This
will lead to
high growth in both the enrollment of voiceprints and the repeated

use of
voice authentication.

To support our efforts, we will organize the roots of failure into five major
categories:

Voice Biometrics Be
st Practices

Page
4


© 201
2

Opus Research, Inc.



Product shortcomings
-

including technological failures, which were
prevalent in the “first generation” of voice biometric
-
based
authen
tication 1999
-
2003.



Packaging


addressing how well the technology was integrated into
solutions to known problems
.



Partnerships and Promotion


looking at the go
-
to
-
market strategies
and

relationships with

system integrators,

third
-
party solution
provider
s and specialists in adjacent industries like identity
management and credit service bureaus.



Personnel


assessing the considerations that need to be given to
organizational
structure on
both the buy side and the sell side
,

as
solution providers learn whi
ch executives and departments influence
acquisition and implementation strategies.



Pricing issues


looking at
the ROI of specific implementations and
making
comparisons to alternative forms of authentication, access
control and transaction authorization
.


Early Packaging and Performance Problems (HSN and Schwab)

In July 1999,
Home Shopping Network (
HSN
)

deployed the world's largest
voice authentication installation using
Nuance
Verifier
(provided by the “West
Coast Nuance” which was acquired by Speechworks
/Scansoft in 2005)
to
identify and authenticate frequent shoppers by comparing their voice against
their pre
-
registered voiceprint.
By mid
-
2000, HSN had enrolled the
voiceprints of over 430,000 frequent shoppers and claimed to be adding
10,000 new customer
s each day. According to Nuance promotional literature,
the system handled

more than 160,000 calls per day and
the system

significantly reduced agent call times.

At the same time,
retail brokers
Charles Schwab and Aim Investors Service,
had launched voice

authentication services for phone
-
based services. Schwab,
Aim and HSN all reported high levels of customer satisfaction and a positive
return on in
ve
stment (ROI) based on shorten
ed

phone calls, higher
automation rates and stronger customer loyalty. But th
ese high
-
profile
deployments, and others, exposed two problems in the packaging and
promotion of voice biometric solutions.

Regarding packaging, voice biometric
-
based solutions were positioned almost
exclusively as “speech applications,” closely mated to
interactive voice
response
(
IVR
)

systems

(those computers that answer the phone and offer
voice menus)
, rather than as authentication mechanisms that could leverage
existing security and business process management software and
infrastructure. This positio
ning led to an overall failure of the early
deployments to deliver acceptable performance rates
,

as large customers,
like HSN and Schwab
,

sought to achieve large
-
scale deployments.

Packaging also jeopardized the solutions’ ability to scale. Nuance’s Caller

Authentication and Speechworks’ solutions were positioned as enhancements
Voice Biometrics Be
st Practices

Page
5


© 201
2

Opus Research, Inc.

to core speech recognizer technology. This created performance, cost and
scaling issues which led early implementers to abandon their projects
.
Retailers, for example,
found it
risk
y
to
ramp
-
up
enrollment and
authentication system
s
that were
placed

in the

critical path


for revenue
-
generating activit
ies
. They often slowed the purchase activities of
t
heir most
desirable,
strategic customers. The services were quietly abandoned in ord
er
to avoid highly
-
visible, costly failures.

Today’s voice biometric
-
based authentication engines start with greater
accuracy than the turn
-
of
-
the
-
century technologies. Solution providers also
benefit from

indicated
best practices that package voice
-
based
authentication
as an extension of existing caller authentication and imposter detection
software and services. Thus, the primary point of integration is
not

an IVR.
Instead, solutions are, more accurately customer
-
centric and context
sensitive, leveraging
business logic to apply the proper level of security as
needed given a caller’s identity and the nature of the transaction being
undertaken. They also leverage the token
-
based service that back
-
ends
today’s PIN and Password infrastructure.


Positioning Pre
sented Real Obstacles

During the period of time between 1999

and

2006, innumerable deployments
were delayed or postponed as they came under
the
scrutiny of
chief
security
officers (CSOs). Because vendors made the mistake of positioning voiceprints
as “PIN
replacements,” they created formidable barriers to adoption. They
seemed to be saying voice biometrics are “all about security.” CSOs or their
staff members were more than happy to sit on vendor selection committees
to challenge the accuracy and efficacy o
f voiceprints. The problem was that
PIN
-
based systems seldom experienced a technical failure, but “usability
failures,” in the form of forgotten PINs,

were
already high.


In fact, t
he

problem of forgetting PINs and passwords

is about to go into
overdrive
as large firms attach more strictures on their employees. Access
control is no longer based on four
-
digit PINs. Passwords or pass phrases now
must be at least six characters in length and include at least one number and
one special character. They must be
refreshed or replaced every three
months, and employees are forbidden to repeat an old password within a 12
-
month period.
But the

result is a less secure environment
,

as employees
create text files on their smartphones that include all of their passwords o
r,
more commonly, just write their password on “Post
-
It” notes
,

which they
stick to their computer screens.

Today,
Opus Research regards
best practice
in access control
to be
the use of
voice biometric
-
based authentication in ways that are consistent with
existing
business rules and processes. Successful vendors convey the message that

access control


is

about speed and convenience, as well as security.” This
presentation shifts the measure of success away from the rigid idea of “zero
false accepts” (which
is an inaccurate term anyway), to

one of

address
ing

“log
-
in failure” (based on technology, usability or other factors)
,

which can
be reduced in the interest of creating a better user experience.

Voice Biometrics Be
st Practices

Page
6


© 201
2

Opus Research, Inc.


Partnering To Address Perceived Deficiencies

Voice biometric
-
based authentication platforms are on the front line and in
the critical path of all manner of secure e
-
commerce. Thus it is
understandable that large companies in financial services,
telecommunications, healthcare and retailing might hesitate to contract

with
small, unproven firms. This explains why a number of the early adopters with
large, customer
-
facing implementations contracted with large system
integrators or solutions providers. For example,
telecommunications

company
BellCanada’s implementation w
as built on PerSay (now Nuance)
VocalPassword technology, but IBM Global Services acted as system
integrator and project manager.

IBM Global Services also acted as the integrator/solution provider for
Volkswagen Bank, when industry upstart VoiceTrust was s
elected to provide
core technology for a large password reset application in 2004. The hosted
services and business process outsourcing (BPO) division of telecom giant
Telstra was the solution provider to Australia’s
social security administration
,
Centrel
ink. Even for smaller implementations, like the hundreds of thousands
of customers for AHN or WestPac bank, the likes of Salmat or Dimension
Data act as go
-
to
-
market partners for lesser known and newer technology
providers.

Larger partners like IBM GS ser
ve a dual role. They can bring a team of
software professionals who are familiar with a large firm’s existing enterprise
software infrastructure. But just as importantly, they can serve as a single
-
point
-
of
-
contact (the proverbial “one
-
throat
-
to
-
choke”) wh
en
implementations hit bumps along the way to full deployment. Plus, through
their size and access to insurance, they can indemnify smaller companies
should there be a system failure that creates an economic loss for the client.


Organizational Issues: Ba
ttling Bureaucracies

Protracted vendor evaluation exercises and trials characterized many of the
deployments between 2002

and

2010. Characteristics of customers in the
targeted sectors


f
inancial
s
ervices and
l
arge
g
overnment
a
gencies


contributed to the

long sales cycles. Among commercial banks, ABN

AMRO
provides some object lessons about the impediments to adoption and related
roll
-
out issues. As for large government implementation, there are lessons
that can be learned regarding
Australia’s
Centrelink
.
.

Let’s start with Centrelink because organizational and architectural issues
introduce unparalleled levels of complexity. Among them:



Deployments are political processes that “move at the speed of large
governments”



Planning and testing cycles were exceed
ingly long to accommodate
pre
-
established approval procedures



User experience for enrollment (specifically length of calls) was treated
as a secondary or tertiary issue (behind accuracy and security)

Voice Biometrics Be
st Practices

Page
7


© 201
2

Opus Research, Inc.



Process was gated by
the
long
-
term procurement cycle. In

this case
the entire government telecom infrastructure (including contact
centers) is outsourced and periodically renegotiated on ten
-
year cycles

In brief, Centrelink was a huge undertaking, involving 4,000 staff members
operating out of 25 call centers a
nd handling a potential 33 million calls each
year. By mid
-
2010 it was enrolling 800 new users
each month
and handling
7,000 authentications, which seems modest in a country where 150,000 calls
are handled by the agency’s IVR on a daily basis. The target w
as to serve “all
450,000 PIN users.” Latest assessment is around 200,000.

Voice authentication was only “one of many” IVR applications. It was also
treated as one of seven major IVR applications relevant to user
authentication. It was primarily treated as
a PIN replacement when PINs are
forgotten or they expire. Trials were also delayed during protracted vendor
evaluations.

Lessons
learned
,

according to

David Wright,
the Centrelink
project manager
,
include
:



Make sure security is balanced with customer usabi
lity



Engage your stakeholders early in the process and take them along
the journey with you



Prove the technology works and gain business confidence



Be ready to adapt
,

including improving call flows and
/
or business
rules



Think about the future
,

includ
ing
upgrades / new technology



Plan ahead for change
,

for example
an
aging template

These cautionary suggestions, especially those involving the engagement of
stakeholders early in the process, can be considered best practices for
implementations in large busi
nesses as well as government bureaucracies.

This brings us to ABN

AMRO, which provides another set of cautionary
considerations for today’s solution providers. In this case
,

a commercial bank
sought to differentiate itself by
giving a high profile to a

nov
el
approach to
user authentication and security. In 2007, as it started to evaluate and
deploy speaker authentication in its contact centers, it was one of the top 20
independent banks in the world. Its Dutch contact center received over 35
million calls e
ach year and all but 7 million were routed to live agents.

In 2006 ABN

AMRO began two separate but related initiatives surrounding
speech technologies. One was to replace the menu
-
driven IVR systems
with

voice
-
based self
-
service with speech
-
recognition
-
bas
ed navigation. At the
same time the bank initiated a “PIN replacement” effort that closely linked
voice biometric
-
based user authentication with a token
-
based device. In
essence it was replacing the “PIN” part of “Chip and PIN” with a spoken
passphrase. Th
is approach was quite different
to
other layered, multifactor
approaches that we had observed.

Voice Biometrics Be
st Practices

Page
8


© 201
2

Opus Research, Inc.

Opus Research believes that replacing PIN
-
based authentication with an
approach that requires unique hardware and multiple steps, where entry of a
simple PIN wou
ld have sufficed, was a barrier to adoption. While it was
promoted as a mechanism for voice
-
based verification of frequent callers,
bank management approved the technology based on the use of a hardware
token as a back
-
up for the less frequent callers.

In
addition to the speech navigation and multi
-
factor token approaches
described above, ABN

AMRO initiated a separate project to evaluate voice
verification. It evaluated speaker verification products from five global
vendors and actually selected a single vo
ice biometric authentication provider
(VoiceVault) in 2007. Based on a Proof
-
of
-
Concept among over 1,400
participants, project managers and bank management were convinced that
the technology was ready to implement with its general customer base. The
bank e
ven did customer surveys and determined that 83% of its customers
preferred voice verification to the traditional PIN; 99% would use it to gain
access to balance info and nearly
75%

would use it to initiate a money
transfer.

The acquisition of ABN

AMRO by
a consortium of financial institutions,
including Royal Bank of Scotland (RBS), Fortis and Bank Santander, probably
led to the demise of the voice verification project. RBS and Santander had
voice verification initiatives of their own, with Santander being

among the
earliest implementers of customer
-
facing caller authentication. Fortis, on the
other hand, after being ranked among the 20 largest companies in the world
in 2007, was forced to sell
-
off most of its operating units during the financial
crisis of
2009. In the midst of both internal and external turbulence, the
voice authentication efforts of ABN AMRO were quietly shut down.

Both Centrelink and ABN AMRO helped the core technologies cross some very
important thresholds. They achieved “false accept ra
tes” (FAR) and “false
reject rates” (FRR) that were considered quite acceptable both by callers and
by security personnel. ABN AMRO was also able to demonstrate that its
approach, employing the VoiceVault engine, was able to detect and reject
efforts to th
wart the system using tape replays. The bank had plans to roll
out several applications in the fourth quarter of 2008, bringing voice
-
based
authentication to support retrieval of account information, money transfers
and stock trading to
4 million clients
,
whom it expected to enroll on a
voluntary basis.

In addition to falling victim to the banking crisis of 2008
-
2009, ABN AMRO
found out

that taking a voluntary or “opt
-
in” approach to enrollment
present
ed

a formidable barrier to adoption. The three largest
implementations (BellCanada, Global Bilgi/Turkcell and Aeroplan) have
implemented enrollment procedures


considered “best practices”


that, in
effect, market voice biometric
-
based authentication to inbound callers.
Scripts or live agents explain the adva
ntages of enrolling “for more secure,
speedy and convenient future interactions” and then proceed to march them
through the enrollment process.
Customers

must opt

out of the onboarding
process, at which time they are routed to existing authentication resou
rces.

Voice Biometrics Be
st Practices

Page
9


© 201
2

Opus Research, Inc.

Global Bilgi and Aeroplan report that fewer than 20% of callers choose to opt

out of the process, and some of those

who

fail to enroll do
so due
to other
circumstances, such as noisy environments or bad telephone connections.


Pricing and ROI Concer
ns

There is much evidence that many firms
have
found themselves unable to
cost
-
justify voice biometric implementations.
This
is quite frustrating for
veteran sales people in both the security and the speech application domains.
At
a time when e
-
commerce fr
aud and identity theft is reportedly at an all
-
time high, it is frustrating that banks, credit card issuers, major retailers and
even government agencies find it necessary to leave the losses from such
activity largely undisclosed. What’s more, they seldom

“connect the dots”
between strong authentication and reduction in such fraud losses.

By contrast, the providers of speech
-
enabled applications have become adept
at proving the ROI of their solutions by documenting that the combination of
speech
-
based navi
gation and voice biometric
-
based authentication shortens
the average time that it takes for a caller to complete a phone
-
based
transaction. For high
-
volume, customer
-
facing contact centers, saving
seconds can amount to millions of dollars in savings over t
he course of a year.

Opus Research sees that a

best practice in pricing is to bring
implementation
costs in
line with the expected savings that will result from the reduction in
call times. Th
ese are

the “hard dollar” savings

resulting from reduced
personn
el costs, minutes of use on communications networks and facilities
costs.

B
eyond these documented benefits are “soft” benefits that related to
customer satisfaction, retention and the ability to upsell and cross
-
sell based
on rapid authentication of caller
s and high

levels of confidence that the
individual on the other end of a phone call is, indeed, who he or she claims to
be.
But the
unspoken benefit of strong authentication is, of course, fraud
reduction. While most companies (especially among financial
services
providers, card issuers and retailers) are loathe to reveal exact figures for
fraud losses, they are well
-
aware of the “hard” dollar benefits of fraud
reduction.


The Next Chapter: Voice Biometrics Fosters Trusted Commerce

Success at BellCanada, G
lobal Bilgi and Aeroplan, along with password reset
applications
-

representing roughly 8 million registered voiceprints by the end
of 2010


provides sufficient evidence that the technology works at scale.
Now that the umbrella concern about the technolog
y has been laid to rest,
attention rightfully turns to defining the use cases and solutions that provide
the best user experience
.


Service providers frequently survey a range of individuals to learn whether
they are likely to enroll their voiceprints and
derive benefits from voice
-
based
authentication. Most recently,
F
inancial
Sector
Technology (FSTech)
M
agazine surveyed over 100 CISOs and heads of

s
ecur
ity at financial
institutions. M
ore than two
-
thirds of respondents stated that guarding
against card
-
rel
ated fraud was a top priority.

Voice Biometrics Be
st Practices

Page
10


© 201
2

Opus Research, Inc.


More importantly, as shown in Figure 2,
nearly
twice as many respondents
believe that voice biometrics has a role to play in reducing fraud, than those
who don’t.


Figure
2
: Response to customer sur
vey re: voice biometrics


Source: Validsoft/FSTech Security Sentifment Survey (2011)


Among lessons
learned

from past implementations,
issues
surrounding initial
enrollment and building a base of protected users rank very high
ly
.
These,
along with other
lessons
learned
, raise the following questions, discussed
below:

issues.


Does Enrollment Equate to Loyalty?

Acceptance and repeated use of voice
-
based authentication s
tarts with an
enrollment process that puts emphasis on a long
-
term relationship. The
la
rgest implementers have learned that a proposition that says, “We’d like to
take about 3 minutes of your time to save you a minute on all your
subsequent calls” elicits a significant positive response and a large
percentage of callers opt in to the service
.

When it comes to promoting a loyal, long
-
term relationship,
hosted voice
biometric solutions provider,
VoiceTrust
,

experiences very high enrollment
rates for its G2P (Government to People) transfer payment services. In this
case, registering one’s voice
print is a pre
-
requisite for receiving pension
benefits.


Is Bulk Enrollment a Possibility?

Because some compliance directives (in healthcare, insurance, banking)
require audiofiles to be stored for a matter of years, it has been suggested
that large comp
anies could take advantage of this rich set of spoken
utterances to engage in bulk caller authentication. Once a single speaker’s
voice has been isolated from others on a phone line and it can be associated
with a known identity and, upon capture of suffic
ient spoken material, be
distilled into

a

voiceprint.


Voice Biometrics Be
st Practices

Page
11


© 201
2

Opus Research, Inc.

There are ethical, and perhaps legal
,

issues associated with this “passive”
approach to enrollment. But some vendors have argued that callers can be
informed that their voice is being recorded to prov
ide more convenient
security on future calls. It cannot be characterized as a “best practice” and,
given the pace
at which
buyers move to new approaches, it probably won’t
be
come

a common practice either.
What is more, t
he “creepiness factor” will
always b
e very high for capture of personal characteristics (whether voice,
fingerprints, iris scans or pictures of one’s face)
; it will always seem

surreptitious.


What’s in the Wings for Authentication?

The most common practice, when looking at the largest, cus
tomer
-
facing
implementations, is the use of a pass phrase


such as “my voice is my
password”


for speaker verification. Such “text
-
dependent” solutions
predominate because they
have proven

demonstrably more mature.
Enrollment routines are well
-
defined
,

E
qual Error Rates (EER) are well
documented and tools exist for assessing scores and adjusting acceptable
False Accept Rates (FARs) and False Reject Rates (FRRs) to suit each use
case.


Where randomness is required, as part of a routine to discourage replay

attacks, a digit
-
based system is well
-
received

by current implementers
. In
these instances, enrollment involves capturing the digits zero
-
though
-
nine

a
number of times from which the voiceprint is distilled. For authentication, the
digits are displayed in

a random order so that the replay of a tape
-
recorded
pass phrase would not be accurate. Providers of pass phrase
-
based
authentication systems have other ways of detecting the use of a tape
recorder, such as detecting a “tape hiss” or
humming sound

that co
mmonly
occurs with playback equipment.


Is Text
-
Independence a “Best Practice”?

Text
-
independent methods for enrollment and subsequent authentication
are

making slow headway out of development labs and the government sector,
where text
-

and language
-
indepe
ndent solutions have matured as part of
surveillance and speaker detection schemes. Prior to acquisition by Nuance,
PerSay had installed its FreeSpeech solution at a commercial bank in Israel.
Text independent, “passive,” enrollment has been demonstrated f
or several
years. A few investment houses have trialled “convenient and secure”
interactions to high net worth individuals.


Text
-
independence equates to language
-
independence as well and, for that
reason, a number of multi
-
national banks have been monitor
ing or trialing
new systems with an eye to determining the minimum length of spoken
utterances required to build a voice print (
this
had been 30 seconds to a
minute but has been reduced to 20 seconds “in the lab”) and the minimum
amount of “conversational
speech” to do an accurate authentication (moving
toward 10 seconds).


Voice Biometrics Be
st Practices

Page
12


© 201
2

Opus Research, Inc.

As layered, multi
-
factor and risk
-
based authentication solutions prevail, we
expect to see more creative, text
-
independent applications. In many
industries, enterprises are required to m
onitor and record
all

phone
-
based
interactions, which means that a certain amount of forensic work can be
performed on stored audiofiles. Text
-
independent solutions can support
“passive” enrollment as well as “speaker change detection,” for which there
is
an obvious need
from
educational institutions that offer remote testing or
certification

and

need assurance that the person taking the test is the person
he or she claims to be. There are similar applications for companies with
virtual contact center
s

that

require work
-
at
-
home agents to authenticate
themselves at the beginning of a shift but offer no assurance that the same
person is there to complete a shift.


Promoting Trust and Long
-
term Relationships

After initial enrollment, constant behavioral reinfor
cement is required to keep
interest and activity up. The most conspicuous and appropriate applications
have been for financial services companies who have launched voice
biometric
-
based authentication services designed to give
h
igh
n
et
w
orth
i
ndividual
s

co
nfidence that their financial services provider is making a
special effort to provide good service and high levels of security.

Citing VoiceTrust once again, as part of its “proof
-
of
-
life” service the first
registration must be in person, but after that t
he company uses a proprietary
algorithm to compensate changes that happen with age.


Fitting into Multi
-
Factor Solutions

The mission
for

solutions providers at large is to make voice biometrics part
of a multi
-
factor, layered solution that provides

a

highl
y secure, convenient
service to targeted customers. This will become especially important as
transactions of all kinds are initiated from mobile devices and it becomes
more crucial than ever before to authenticate the individual in possession of
the mobile

device through which each transaction is initiated.


ValidSoft, which entered the marketplace with a four
-
factor approach to user
authentication, VALid
®
, exemplifies a set of best practices in terms of building
confidence that a company is not dealing wi
th an imposter. Voiceprints,
representing “something you are,” are taken into consideration with
“something you have” (a mobile phone), “something you know” (usually a
PIN or password) and “
some
where you are


(
or are

not),
which can be
ascertained using
Va
lidSoft’s Proximity Correlation Logic
.

By incorporating all
four factors into a single platform,
along with a number of

invisible


real
-
time checks
,
the company is able to support strong authentication in a non
-
intrusive, convenient way.


In all cases, su
ch solutions should provide a pleasing experience for callers.
One strategy is to closely link voiceprints with a very convenient mechanism
for strong authentication on an “as
-
needed” basis. Other factors that may
come into play are obvious signs that an i
ndividual is an imposter. For
Voice Biometrics Be
st Practices

Page
13


© 201
2

Opus Research, Inc.

example
if
a customer living in Bethesda, MD, originates a call from Sudan or
a caller named “Dan Miller” has a decidedly female voice.


When it comes to detecting imposters or assigning the “high
-
risk” tag to a
particular cal
ler or individual the “voice channel” alone does not provide all
the answers. Most large businesses already have rule
-
based systems and
business logic in place to support the goals of the Chief Security Officer.
These well
-
established and time
-
tested rules

are the ones that should be
applied to govern the level of risk associated with the individual on the other
end of the phone or at a student or employee
’s

workstation.


Expect Accelerated Adoption

Bolstered by real world experience, regulatory guidelines
and analysts’
recommendations, executives at financial services companies, healthcare
providers and telecommunications service providers are forging ahead with
plans to implement voice biometric technologies. In this document, Opus
Research has identified
approaches to user enrollment and subsequent
authentication that overcome long
-
standing barriers to adoption by creat
ing

a pleasing and engaging user experience and leveraging existing security
infrastructure to support the goal of fraud prevention.


To an
swer the question, “What has changed?” in regards to adoption of the
technology in the past year: companies are finding that both employees and
customers have grown comfortable using multiple mobile devices and making
seamless transition
from

real
-
time con
versations to
ones that happen over a
period of time via
texting, chat, tweeting or other social network
-
based
tools
.
What’s more, they use smartphones, wireless PCs and laptops as “mobile
assistants,” on which personal contact lists, applications and data

coexist
with sensitive information that is supposed to be under tight corporate
control.


In the social, mobile environment, user authentication (as opposed to device
-

oriented access control) has become more important than ever before in
order to
preven
t
unauthorized access to corporate resources.

Meanwhile,
“user experience” aficionados are new to the security discussion, but
have
rapidly c
o
me to a similar conclusion: banks, insurance companies,
government agencies, telcos and retailers serve customers,

not their phones
or other devices. Over time, they will find that strong, rapid authentication
will enable them to serve their best, longest
-
standing customers in the most
personal and efficient way. Because the devices are often phones, voiceprints
are p
erceived as the most natural and efficient authentication mechanism. In
conjunction with “layers” of other factors, protocols and business rules,
decisionmakers
are making

voice biometrics part of security solutions that
provide high levels of confidence
a
nd

foster stronger customer bonds over
time.


To support secure, customer
-
centric e
-
commerce using voice biometrics, the
time is now.