sxsw ppt voice-1

My Voice is My Passport: Verify Me

March 12, 2012

2

About the Speakers Dan Miller (Founder, Senior Analyst)

Founded Opus Research (1985) Analyst at IDC/Link, The Kelsey Group, Zelos Group Industry experience: Atari, Time-Warner, PacTel (AT&T) Expertise: local, DA, speech integration with Web, mobility

and enterprise software infrastructure Coverage Areas: Conversational Commerce, Internet2Go,

Biometrics Isaac Chapa (VP Information Systems/Operations,

CSID) Joined CSID 2006, overseeing ID Theft Platforms/Solutions Sr. Engineer, Grande Communications Designed and integrated DCM/VOIP Switches, Billing

Platforms, SONET and FTTH, HFC networks

3

Why We’re Here

Talk about voice biometrics Share some ideas on stronger authentication for

mobile transactions Get feedback as prospective

users/developers/implementers Describe some “real world” use cases, business cases

and demand drivers

4

Voice Biometrics & Speaker Verification

Voice Biometrics is a technology Captures an utterance from a live callerCompares it to previously stored “voiceprint”Produces a score

Speaker Verification is an application Employs a biometric engine plus business logicEnrolls customers by obtaining voice printsCompares live utterances to voice prints to produce a

“pass” or “fail” responses

5

Speaker Verification Components

Core Verification EngineReceives voice sample (“utterance”); compares it to a voiceprint

(“template”)Confirms who said it

Core Recognition EngineCompares utterance to ASR grammarDetermines what was said

Business LogicDecides if the caller passes or fails Dictates required “next steps”

6

What is Voice Print?Physical Characteristics The unique physical traits of the individual’s vocal tract, such as shape and size.

Behavioral Characteristics The harmonic and resonant frequencies, such as accents, the speed of your speech, and how words are pronounced and emphasized.

Voiceprint - Together these physiological and behavioral factors combine to produce unique voice patterns for every individual

7

Text Dependent vs. Text Independent Applications that require a specific pass phrase are Text

DependentRequire trainingCustomarily involve enrollment

Text Independent applications can use any utteranceSimplify enrollmentSupport “conversational authentication”

8

Why Now?

9

Fraud Protection Requirements

Multifactor Mandated in more use cases Includes “something you are”

Multimodal Because “the customer is always on” Embraces social networks and multiple sign-ons

Mobile Approaching 6 billion subscribers Mobile devices are becoming virtual assistants

10

+ 1 = Momentum

Passwords getting more difficultMultiple digits and special charactersFrequently updatedFragmented across sites (and IDs)

User authentication vitalTo access multiple sites, domains and devicesFor more activities, transactions and interactions“Open” approaches only as strong as weakest link

11

Entering 3rd Generation

1st Generation

IVR PIN replacementPassword Reset

Emphasis on Security

“My voice is my password”“ 0 1 2 3 4 5 6 7 8 9”Random digit liveness

2000 2005 2010 2015

2nd Generation

Enhanced ID&VMulti-factor Auth

Automation

Voiceprint on identity claimLeverage KV & ANI/CLIRandom word liveness

3rd Generation

Enhanced ID&VSecure Mobile Access

Voice Signatures- Internet via OOB

- Mobile multi-mediaConvenience

Password replacementLeverage device idRandom phrase liveness

EmbeddedVerification

Source: Nuance Communications

12

Estimated Revenues

13

Results: Registered VoiceprintsIn Millions

14

This is My Wallet

15

This is My Wallet on Phone

16

Mobile Commerce is Exploding

Mobile transactionsWill reach $670 billion by 2015Up from $240 billion in 2011

Global in natureEast Asia and ChinaWestern EuropeNorth America

represent 75% gross transaction value. (Juniper Research)

17

But Inherently Insecure

At the device levelOSes have no security shellPersonal info (including PINs) stored as text

At the network levelEncryption is the exceptionProne to keystroke logging, Bluetooth sniffing and the like

What about authenticating users?

18

What Are We Protecting

Integrity Confidentiality Availability of Data

Loosely coupled from infrastructure Secure applications and runtime environments The critical focus of security shifts:

From owning everything to owning nothing From “Where are you from?” to “Who are you?”

• Identity, credential, and access managementFrom “Internal vs. External” to “Distrust everyone equally”

Need strong authentication independent from current form factors

19

What Are We Using Usually a four digit number.

There's only 10,000 possible combinationsFour character, alpha only, password has more than

45,000 possibilitiesAlphanumeric and there's more than a million and a half

Fast computers can crack these in less than a second (and often don’t have to)

20

Today’s Requirements “Layered”

To apply appropriate level of security for risk profile

Multi-FactorTo augment PINs or PWD

Device-orientedComplex device identification

considered more secure (per 2011 “guidance” from FFIEC)

21

Lead To These Solutions

Treating mobile phones as “non-traditional endpoints”

Popular solutions:One Time Passwords – using SMS textKnowledge-based Authentication –

using non-public info“A Biometric” – fingerprint, face

recognition, iris scans…and voice!

22

Before You’d Try These

23

You Should Think About These

User Authentication Device Activation Transaction Authorization Mobile Signatures Password Reset ID Proofing

24

Superior Factor for Phones

Works on all phones Includes both physical and behavioral attributes

Physical Characteristics The unique physical traits of the individual’s vocal tract, such as shape and size.

Behavioral Characteristics The harmonic and resonant frequencies, such as accents, the speed of your speech, and how words are pronounced and emphasized.

25

On Par With Biometric Alternatives

Error rates are “acceptable” Registration is relatively easy No special equipment needed for authentication Solutions integrate with or augment existing security

infrastructure

26

Has Surprising Acceptance

In contact centers8.5 million voice prints registeredROI justified shaving minutes from authentication practices

+ fraud reduction For remote and mobile workers

For Password ResetSecure access to VPNStrong authentication for conference calls

27

Applications & Use Cases

Personalized, trusted customer care Proof of life Mobile payment authorization Device activation, “Wake Up” Enterprise VPN access control Password reset Anonymous authentication

28

But Real Security Comes With

Layering multiple factorsLike gesturesLocationMotion detectionOut-of-band authentication

And leveraging existing infrastructureFor complianceAs a go-faster To support Natural Language Interactions

29

Thank you.

Dan MillerDmiller@opusresearch.net@dnm54 on Twitter

Isaac Chapaichapa@csid.com