The search for real-world data on voice authentication
Test results show need for more information on the impact of users' behavior and the type of phone being used.
SAN FRANCISCO - A biometrics lab at Purdue University spent more than a year studying the accuracy and reliability of a Chicago vendor's phone-based voice print service.
"We found out we have a lot more questions to ask," said Andy Rolfe, vice president of development and operations for Authentify, Inc., a biometrics authentication company.
The company's Authentication Service processes about 1.5 million transactions a month in its data center outside of Chicago, confirming or denying the identity of Web service users for customers around the world.
"We're essentially an XML service center," according to Rolfe.
When a user enters a Web site served by Authentify, the request is directed to the data center, which initiates a telephone call to the user so identity can be verified. The service provides an alternate, out-of-band channel for authenticating access to sensitive data. In theory, the service can provide very strong three-factor authentication. The telephone being called represents something the user has, in essence a token; responses to shared secret questions test something the user knows; and the comparison of the caller's voice with a voice print on file gives a biometric reading.
The Social Security Administration tested the system in 2003 for employers filing wage reports electronically. The DOD also has purchased a server to run its own voice authentication service. But real-world numbers on accuracy were lacking. So Authentify turned to Purdue's Biometric Standards, Performance and Assurance Lab to get them.
Rolfe presented the results of the study at the RSA IT security conference.
"[I] think they were satisfactory," Rolfe said. But, "I think we can do better."
The results showed a need for more information on the impact of the user's behavior and the type of phone being used.
Like most biometric security systems, Authentication Service can be tuned to high, medium or low to determine how picky it will be in matching a caller's voice with an on-file voice print. Right now, the system gives a false acceptance rate ranging from 0.49 percent at a high security setting to 1.5 percent on the low setting. False rejection rates are higher, ranging from about 9 percent on high to about 3 percent on low.
The study also found that the channel used by the caller affects the accuracy of results. Overall, land lines beat cellular calls, and analog beat voice over IP.
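As an added illustration (not from the study or from Authentify), the sketch below shows how false acceptance and false rejection rates are measured from scored trials, and how they shift with the security setting and with the calling channel. The match scores, the cut-off values for low, medium and high, and the function names are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample trials: (channel, is_genuine_speaker, match_score 0..1).
TRIALS = (
    [("landline", True, s) for s in (0.92, 0.81, 0.74, 0.66, 0.58)]
    + [("voip", True, s) for s in (0.85, 0.69, 0.57, 0.52, 0.44)]
    + [("landline", False, s) for s in (0.31, 0.22, 0.41, 0.48, 0.55)]
    + [("voip", False, s) for s in (0.35, 0.52, 0.63, 0.28, 0.71)]
)

# Hypothetical score cut-offs for the three security settings.
THRESHOLDS = {"low": 0.50, "medium": 0.60, "high": 0.70}


def error_rates(trials, threshold):
    """Return (FAR, FRR); a rate is None when that trial class is empty."""
    genuine = [s for _, is_genuine, s in trials if is_genuine]
    impostor = [s for _, is_genuine, s in trials if not is_genuine]
    # False acceptance: an impostor attempt scores at or above the cut-off.
    far = sum(s >= threshold for s in impostor) / len(impostor) if impostor else None
    # False rejection: the genuine speaker scores below the cut-off.
    frr = sum(s < threshold for s in genuine) / len(genuine) if genuine else None
    return far, frr


def error_rates_by_channel(trials, threshold):
    """Split trials by channel and compute (FAR, FRR) for each."""
    groups = defaultdict(list)
    for trial in trials:
        groups[trial[0]].append(trial)
    return {ch: error_rates(group, threshold) for ch, group in groups.items()}


if __name__ == "__main__":
    for name, thr in THRESHOLDS.items():
        far, frr = error_rates(TRIALS, thr)
        print(f"{name:6s} FAR={far:.0%} FRR={frr:.0%}")
    for ch, (far, frr) in error_rates_by_channel(TRIALS, THRESHOLDS["medium"]).items():
        print(f"medium/{ch:8s} FAR={far:.0%} FRR={frr:.0%}")
```

Reporting the rates per channel rather than pooled is what exposes a gap such as the one between land lines and voice over IP; a single pooled figure hides it.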
The first phase of the study used live subjects who registered on the service and recorded their voiceprints. They then accessed their own accounts and tried to access other persons' accounts. Getting enough data to draw conclusions was time-consuming, Rolfe said. So in a second phase the process was automated somewhat. Once the subjects had registered with the service, their recorded voices were used to attempt access.
"Phase two didn't give us the numbers that we expected, based on the first phase," Rolfe said. Surprisingly, it was easier for the recorded voices to get access to the wrong account than it was for a live subject. Further studies are planned to search for an explanation of this.
"Are there behavioral impacts when a live person is intentionally impersonating another person" on the phone? If there are, this information could be used to fine-tune the system and the prompts given callers to get more accurate results.
Also to be determined is just what it is about VoIP that makes it more difficult to get good voice matches. Is it the jitter, the quality of the handset, the codec, or something else? Stay tuned for further developments.