Computerworld

Q&A with Samir Nanavati: Where Voice Authentication Fits

November 10, 2003
Q&A By Kym Gilhooly

Where does voice authentication stand in the adoption cycle? Voice technology has been around longer than computers; [the government and other researchers] have been measuring voice through telephones and charting pitch, tone and cadence for years. In commercial use, we're relatively early in the adoption cycle. The technologies over the past 20 years have developed steadily; there have been no leapfrog, breakthrough-type developments. At the stage it's at right now, you have both consumer and employee deployment, but there's no widespread deployment or huge user populations. You don't have hundreds of thousands of users or employees calling in and identifying with voice; you have tens of thousands.

In what kinds of implementations does a voice authentication application make sense? The ideal application for voice is any situation where you're identifying users over the phone and where the ROI for the biometric system itself is going to be either with password reset, because users aren't going to need passwords, or where people don't like using a certain system so they physically go into a branch office for customer service, raising costs. It's also valuable if, through voice authentication, you get a person to like using a system more, because that increases customer satisfaction. The characteristic you're looking for is where you have a relationship with the customer, where they call repeatedly, and where you're going to decrease costs or increase revenue and customer satisfaction.

You can use voice in brick-and-mortar locations, but there are technologies that heavily compete with that, especially if there's a lot of background noise. If you had 10 turnstiles into a building, the difference in costs between fingerprint and voice wouldn't matter, so you'd probably choose something other than voice. But if you had 3 million e-commerce customers and were looking at a $4 microphone and a $50 peripheral fingerprint device, that's where you'd see the cost difference pointing toward voice.

How does voice authentication stack up against other biometrics? People generally want to say that voice is less accurate. It's true there's more variability in capturing the voice -- background noise, differences in quality among phones -- and that makes it harder to record the matches. But if you look at three key metrics -- failure to enroll, false acceptance and false rejection -- the best voice system will outperform the worst fingerprint system. That either means that voice is pretty good or some fingerprint systems are pretty bad, both of which are true. That means you have to look closely at vendors and their specific implementations.

The benefit of voice authentication is that it's able to capture a sample with virtually no hardware costs. Here, voice comes out far ahead of all these other biometric technologies because with them, you almost always need to buy something special, whether it be a fingerprint reader, a hand geometry unit, an iris scanner or desktop camera. So from an acquisition standpoint, it stands up very favorably. There's also another factor, which is perceived intrusiveness. No matter how well the technology works, if people don't want to use it, it's not going to be effective.

What overall effect has 9/11 had on the biometrics market? What 9/11 did was bring biometrics to the front page. IT directors and security directors now understand the strengths and weaknesses of biometrics. What 9/11 didn't do was suddenly put hundreds of millions of dollars in people's budgets to spend on biometrics. It has, however, increased the interest level and the number of pilots and test deployments, and it's driven a lot of the attention to the government sector.

How are privacy and legal issues impacting biometric implementations? Biometrics is where privacy, legal and business issues all collide. Much of the legal debate centers on who owns biometric data, and that ultimately boils down to the privacy issue, because people view [a biometric identifier] as their own. However, many businesses view it as they would an address, or how much money someone makes -- it's information that's very much available and something you can buy. Right now, there's no federal legislation that governs the use and resale of biometric data. That's in the works, and there are certain states that are more proactive than others.

But we look abroad to try to get a sense from countries that are more progressive in privacy legislation -- for example, Canada and the EU. When we're developing systems, we try to adhere to the strictest guidelines, because ultimately, if you look at the costs of deploying a large-scale system -- hardware, software, costs to enroll -- you're not going to want to find out that the way you collected that data is no longer valid.

Beyond [privacy policy disclosure], there are architectural issues that relate to the data; for instance, what other information do you store with the biometric data and how do you secure the data that you're storing? This came up on one project. Everyone was concerned that encrypted biometric data stay encrypted when it was moved for processing, that the facility was secure when the data was decrypted for processing and that the working copy was destroyed when processing was finished. The problem was, at the end of the process, they sent the yes/no result to the Web site that was using the data, but that was not encrypted.