Voice Authentication in the Future for Online Banking
The science fiction movies from the 1960s had talking computers that interacted with humans. That was considered a far-fetched idea in its time, but the current state of technology for voice biometrics and voice recognition has brought the standard up to a level where banks, including major international entities as ABN AMRO are implementing the technology to augment online banking transaction authentication.
The use of voice authentication for a financial institution provides a second, user-friendly way for the customer to authenticate. Current spending in the entire biometric market is more than $2 billion, with the percentage spent on voice biometrics expected to keep continuing upward in 2007, according to Dan Miller, Senior Analyst at Opus Research.
Miller spoke at the Voice Biometrics Conference in May 2007, he covered some of the reasons that voice biometric authentication is attractive to financial institutions: it offers consistency across multiple channels, it extends strong authentication to mobile devices, it doesn't harm the user's experience, and it's simple.
When institutions look to implement voice authentication, Avivah Litan, a VP and Distinguished Analyst at Gartner recommended, "They should look for easy to enroll cross channel solutions that work with online banking and the call center. They need to find systems that are reliable (in terms of voice recognition) so they should start with internal employee use (generally for password reset applications) and then slowly and carefully roll out to their mass consumer population."
When ABN AMRO was looking for a way to increase accessibility of its customer contact center in the Netherlands, it saw voice authentication as a way to help handle the 35 millions calls it receives per year, with 7 million of those going to live customer service agents, noted Zsolt Kadar, IT Project Manager at ABN AMRO. Kadar also presented at the Voice Biometrics Conference on ABN AMRO's move to voice authentication.
The bank had been using a 5 digit telephone identification code, and it offered one factor authentication. The problem was that customers keep forgetting them and they were expensive to reissue, Kadar said.
The bank is rolling out voice verification for its 4 million telephone banking customers in the Netherlands over the next two years. Customers can use this authentication mechanism on a voluntary basis. The voice biometric computer software verifies whether the voice matches the caller using more than 100 biometric characteristics (pitch, frequency, soft and hard palate, jaw structure, etc). The software is also able to detect recordings, or "replay attacks" said Kadar. A replay attack is when a third party records a customer's account number and attempts to authenticate using the recorded voice of the customer.
"Voice authentication is reliable, but should be complemented with other forms of authentication so that if one method creates a question, the other method helps resolve the uncertainty a bank may have in authenticating a user. For example, if the voice print doesn't match as well as it should, a knowledge based authentication method that asks questions only the individual can answer will help make the determination if the user is legitimate," Litan concluded.
The bank's rollout will begin with customers making balance enquiries, transfers and investment orders via the telephone. The customer says their account number and will not have to remember pass codes. With the help of this technology in combination with voice recognition, the customer is first asked an open question: 'How can we help you'?
The introduction of voice verification was preceded by an extensive period of testing among more than 1,450 people and 30,000 test calls. Customers are ready for biometric authentication, Kadar said, media coverage and use of biometric authentication in other areas, make it more acceptable. A study of users done during the initial introduction found that 83% preferred voice verification over the 5 digit code, 99% would use it for account information, and 73% would use it for money transfer.
What Can Defeat Voice Authentication?
The business case for voice authentication is strong, with a person's voice, you have a biometric authentication ability that doesn't need a second pin number entered. Your voice is yours. A biometric is not just what you know, it's what you are. A voice cannot be altered except by surgery or injury (and puberty). It doesn't require knowledge of or access to private information, such as your social security number. These are all positive points to consider when weighing the pros of voice authentication at your financial institution.
So what can defeat voice authentication? The ABN AMRO rollout tested users with colds, they tested family members, and they also tested twins. Twins were able to get through posing as their twin. Family members with similar physiological makeup were also found to fool the voice biometric authentication system.
Voice verification can fail in two different ways: by allowing a fraudster to get in (false accepts) and by stopping an authorized customer to access the account (false rejects). As voice authentication software is tuned, the two parameters move: tightening the algorithm decreases false accepts, but frustrates a higher number of legitimate users. Loosening the algorithm would make more users happy, yet one fraudster who gains access means a financial institution could lose a lot of money.
If the false reject rate and the false accept rate are charted out, the point at which they intersect is called the "equal error rate," or EER. This is the break where the values of both are equal. This is widely accepted in the voice biometric arena as a measure for gauging particular voice biometrics systems. A good EER would be zero - but the wide range of users and phone systems being used to authenticate a user, it can vary from less than one percent to more than 10 percent under bad conditions. However, the final error rate of a voice biometric system is generally reduced by several orders of magnitude after combining the voiceprint analysis with a second mode of identification (password, PIN number, etc.)