November 2001
 

BY RICH TEHRANI

Security enhancements, much as we may like them in principle, may give us pause in practice. Such enhancements can be expensive. They can be inconvenient. Even offensive. For example, banks have had mixed success, at best, in their experiments with fingerprint-protected accounts. Fingerprinting can feel intrusive. And it has unpleasant associations with criminals. Who could fault bank customers for feeling, at some level, that fingerprinting, while appropriately imposed on criminals, is an indignity from which law-abiding citizens should be spared?

Fortunately, security measures don't have to be intrusive to be effective, even if they rely on biometrics. Granted, some forms of biometrics seem awkward. Biometric measures rely on detecting what is unique -- biologically unique -- to individuals. An obvious example, which we've just discussed, is fingerprinting. Other examples include retinal scans, which examine the unique veining patterns within the eye, or palm scans, or facial scans. Unfortunately, these scans can be awkward, physically and socially. But there is another kind of scan, another variant of biometrics that is relatively graceful -- the voice scan.

SPEAKER VERIFICATION
Few activities are as natural as speaking. The naturalness of speaking is, in fact, the basic impetus to all of the innovation we see in voice/data convergence. Voice is natural. Data, as marvelous as it may be, is not. Thus, we try to use voice to humanize data. We can use voice to humanize security or, at the least, minimize its inherent awkwardness.

At this point, we need to make an important distinction. We need to emphasize the difference between voice biometrics and speech recognition. To date, speech recognition technology has enjoyed much wider commercial deployment than voice biometrics technology. Speech recognition is speaker independent. It detects what you say. It does not, however, detect whether you are who you claim to be. This matter of identity is quite beyond speech recognition. Rather, it is a matter for voice biometrics, which is manifest in commercial applications that are called speaker verification or speaker authentication. In the past, the term voice recognition was sometimes used to refer to these speaker-dependent applications, but it has been so frequently confused with speech recognition that it is perhaps best forgotten. And largely forgotten it is, if my experience with Internet search engines is any indication. My searches for the keyword "voice recognition" yielded relatively few hits, compared with the many hits based on the term "speaker verification." In any case, the important thing to remember is, whereas speech recognition is concerned with what is being said, speaker verification is concerned with who said it.

But why rely on biometrics, even a relatively convenient form of biometrics, at all? The most compelling answer to this question may be that the present alternative, the password, whether entered at a touchpad or keyboard, is inadequate. Passwords are too easily faked or stolen by those who have no right to them. And those who do have a right to them too easily forget their passwords. We all struggle with the burden of remembering too many passwords. Unfortunately, the mechanisms we use to cope with password glut expose us to fraud. For example, we might resort to easy-to-remember passwords, or reuse the same password for multiple accounts. And what passwords are easily remembered? Names or dates that are significant to us. And any would-be fraud might have to do but a little investigating to tease out meaningful names and dates.

PASSWORD PROTECTION
I remember the anecdotes related by Richard Feynman, the Noble prize-winning physicist, who told of his days at Los Alamos. While at Los Alamos contributing to the creation of the atomic bomb, Feynman entertained himself by developing a reputation as a safecracker. The joke was that Feynman never actually cracked a safe by teasing the tumblers and listening for subtle clicks. He relied on what he described as psychological factors. He reasoned that anyone who set a combination lock would either select an easy-to-remember combination, or write it down somewhere, or even both. Thus, when challenged to crack a safe in which were secured sensitive documents, he could, given enough time, learn enough about the person responsible for the documents to figure out the combination and open the safe. Or sometimes he just spotted the combination scribbled on a pad somewhere.

Feynman took care not to reveal his methods. He found it much more fun to witness the shock on his victims' faces when they discovered just how vulnerable they were. An extreme example: once Feynman removed extraordinarily sensitive documents from a supposedly secure file cabinet and hid them in a nearby closet. Then he confided in the person responsible for these documents that rumors were circulating about document-stealing spies. In this case, the victim of the prank imagined he could reassure Feynman by opening the cabinet to reveal the documents were where they should be. Of course, they weren't. But even Feynman was shocked, and not a little sorry, when he saw the poor man he had duped was so sickened with shock and fear that he had literally turned green.

We can only hope that none of us need turn a sickening shade of green before we recognize the inherent weakness of password protection. But even if we do recognize the need for something better, can we identify alternative measures that are both effective and convenient, and capable of more or less immediate implementation? More to the point, is speaker verification just an interesting technology, or is it commercially practical?

My experience suggests it is. Recently, Communications Solutions staff witnessed a demonstration of speaker verification while visiting the offices of Ottawa Telephony Group, or OTG. The OTG representatives showed how easy it was to enroll a user into a speaker verification system. Enrollment involved responding, by voice, to system prompts, that is, a few specific but simple questions. (First, middle, and last name, or day, month, and year of birth.) Once enrolled, users would restate their answers, this time as passphrases, whenever they wished to access personal data.

Enrollment took only a minute or two. For each of the three questions in our demonstration, the user had to provide four samples of the answer. The samples, at a minimum, had to comprise three syllables and provide at least one second of speech for the system to collect enough information to create a robust voice print. Behind the scenes, the three samples were superimposed, the background noise extracted, and the voice print completed, all within a few seconds. This procedure is repeated for each prompt and response, until enough voice prints are created to provide the desired level of security.

Subsequent interactions with the system, which involved information access, were accomplished much more quickly. The system recognized the passphrases almost immediately. Recognition time, we learned, has improved dramatically with the availability of increasingly powerful processors. Verification processes that would have required minutes just a few years ago may now be accomplished in a couple of seconds, or less.

At present, OTG is concentrating on a handful of relatively familiar, established applications. For example, OTG's SecurPBX is used to protect long-distance trunks, voice mail, interactive voice response systems, and maintenance ports by authenticating users before allowing them access to an organization's telecommunications system. SecurPBX, notes OTG, is designed to prevent toll fraud, as opposed to merely detecting it. In addition, OTG has developed a suite of customizable automated help desk solutions, collectively known as HELP YOURSELF, which are designed to help users perform password reset, token administration, and profile recovery over the telephone.

SECURE TOUCHPOINTS
Additional applications, whether developed by OTG or other biometrics specialists, are easy to imagine. For example, speaker verification could support remote banking and prepaid telephony, expedite call center interactions, institute more secure virtual private networks (VPNs), and provide more secure touchpoints within CRM (customer relationship management) applications. This last possibility is especially interesting. With secure touchpoints, be they conventional telephones or packet telephony devices or microphone-equipped PCs, potential customers may have more confidence in e-commerce, more readily entering into transactions. Thus, speaker verification may not only protect against losses attributable to security breaches, it may save time and money by automating help desks, promoting self-service generally, and it may broaden the acceptance of revenue-generating e-commerce applications.

Given these possibilities, speaker verification is bound to attract more attention, especially since speaker verification technology is maturing, appearing in commercially viable solutions. Accordingly, I encourage readers of Communications Solutions to learn more about speaker verification, which we can describe in but limited detail in this brief column. Try visiting the Web sites of the vendors specializing in speaker verification applications. Many of these sites present FAQs addressing such points as speaker and language independence; how speaker verification systems may foil attempts at circumvention by means of tape recorders or speech synthesizers; the ability of systems to verify users even if users are stricken with colds; the place of speaker verification in multi-layered security systems that combine multiple biometrics types; and many others.

Vendors active in speaker verification include Voicevault (formerly Buytel, known for its Phonekey, Netkey, and Webkey products), which appears at www.voicevault.com; Nuance (which offers the Verifier system), at www.nuance.com; Intervoice-Brite (which offers SpeechAccess), at www.intervoice-brite.com; Speechworks (which offers SMARTRecognizer), at www.speechworks.com; and of course OTG (at www.otg.ca). Other vendors active in this space include T-Netix (http://t-netix.com), Keyware (www.keyware.com), Persay (www.persay.com), Anovea (www.anovea.com), Veritel (www.veritelcorp.com), VeriVoice (www.verivoice.com), and Vocent (www.vocent.com).

[ Return To The November 2001 Table Of Contents ]