(2007) Case Study: Phone-based Voice Biometrics for Remote Authentication


Published on

Identity verification and authentication (binding a human to an electronic transaction) have become strategic
business issues. How does a voice biometric system perform for a typical remote authentication business scenario, and what conclusions can we make about the
use of such a system?

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

(2007) Case Study: Phone-based Voice Biometrics for Remote Authentication

  1. 1. Case Study Phone-based Voice Biometrics for Remote Authentication Stephen Elliot, Ph.D., Assoc Professor Purdue University & Andy Rolfe, VP of Development, Authentify Inc. 02/06/07 – ASEC-106
  2. 2. Objective • Objective: — Identity verification and authentication (binding a human to an electronic transaction) have become strategic business issues. How does a voice biometric system perform for a typical remote authentication business scenario, and what conclusions can we make about the use of such a system?
  3. 3. © The New Yorker Collection 1993 Peter Steiner from cartoonbank.com. All rights reserved. … except Authentify
  4. 4. Overview • Briefly giving you an overview of: — Biometric use in security systems — The authentication best practices used — The test methods — Sample data What we are NOT covering in presentation: — Voice biometric or signal processing technology (FFT, HMM, etc.) — Making any statement about the applicability of the technology for your situation
  5. 5. Enrollment – Initial Screen
  6. 6. User Enters Registration Info
  7. 7. User Inputs Phone Number
  8. 8. The End User’s Phone Rings
  9. 9. The User Answers the Phone
  10. 10. The Authentication Process is Initiated
  11. 11. # Key Liveness Test
  12. 12. User Informed of Recordings
  13. 13. Please Speak Confirmation…
  14. 14. User Speaks Confirmation Number
  15. 15. Please Speak Phone Number…
  16. 16. User Speaks Telephone Number
  17. 17. Call Completed
  18. 18. Call Information from User
  19. 19. Biometrics in Security • Biometrics primer: — Biometrics are by their nature statistically based — Biometrics should not be the sole authenticator — Backup methods for those that cannot (somehow impaired) — Still have “first time” (registration) challenge — Quality of implementation critical • privacy, • legal issues • Multi-modal UI not easy
  20. 20. Voice Biometrics • Why voice? — Familiar paradigm; Very user acceptable; “business like” — Multi-factor authentication in one session — Real-time, undeniable contact for remote authentication — Highly auditable — Out of band trusted network — Both physiological and behavioral — Variable, dynamic samples — No hardware deployment or training
  21. 21. Ease of Use & Intrusiveness (previous study) 70.00% 100.00% 60.00% 50.00% 80.00% 40.00% 60.00% 30.00% 20.00% 40.00% 10.00% 20.00% 0.00% Not at all 4 3 2 Very 0.00% Intrusive Intrusive Very Difficult Difficult Neutral Easy Very Easy “I very much like the idea of voice identification. This process surpasses any other method of protecting my identity and SSN that I have seen. BRAVO!! JoAnn W., Financial Advisory Firm
  22. 22. Security Best Practices • Policies define process requirements — Policy will (should) reflect risk profile — Policy must account for risk for each factor of authentication — Policy will define which factors will (should) be used & when • Collect and use as many factors as possible — Allows layering and substitution of factors depending on risks • Fraudster may know everything about you, but does not mean they can answer your telephone
  23. 23. Purdue Study • Why study? — No live system studies available — Implementation specific — Excellent resource nearby (Purdue University Biometrics Lab) — Baseline for future studies • biometric aging, • technology changes, • etc.
  24. 24. Biometric Comparisons International Biometric Product Testing Initiative (May – Dec 2000) by National Physical Laboratory, England [ sponsored by the Communications Electronics Security Group (CESG) ]
  25. 25. System used for Study • This biometric study utilized a commercially available, remote, service oriented security system. • This system is actively being used by many corporations for mainly Internet commerce and financial applications at a rate of approximately 1.5M transactions per month. • The test application was run using this active service environment to best test "real life" performance of the technology. • Test system implementation: — SOA — 2 step application • Registration • Verification — Purdue University lab environment
  26. 26. Service Architecture Engage the user, their computer and their telephone in a synchronized exchange for a strong out-of-band authentication… Users’ Web Session Internet Web Servers Applet End User Corporate Web Site Bind the https XML Web session the computer, the phone and the Person Authentify PBX Service Ctr. Public Switched Telephone Network 555-333-2399 ( PSTN )
  27. 27. Roles & Responsibilities • Authentify responsibilities: — Design and implementation of enrollment & verification voice applications — Operation of the commercial service center in Chicago • Joint responsibilities — Development of the test plan — Data collection and reporting — Data analysis and reports • Purdue biometric lab responsibilities: — Recruitment and instruction of test subjects — Acquisition, operation and maintenance of equipment used by test subjects — Provide assistance to ensure proper testing procedures
  28. 28. Biometrics Lab • The Biometrics Lab at Purdue is designed for research, teaching, and testing • Testing evaluation was approved by the Institutional Review Board at Purdue University • This research is typical of the lab’s partnership with company’s focusing on “applied research” • The lab is part of CERIAS
  29. 29. Test Protocol • Data was collected at the Purdue University Biometrics Standards, Performance, and Assurance Laboratory, in West Lafayette, Indiana. • The experimental area consisted of a room with minimal ambient noise. — Noise that was present was predominantly voices of other people, as the room was utilized for other purposes during the experiment. — Since more than one individual could do the study at the same time and other individuals could be talking, noise conditions were collected during the study.
  30. 30. Phones & Network Providers • The land-based phone was a Vodavi • The Skype VoIP system used a Starplus single line telephone. Linksys CIT200 Skype phone — Land line provided by the university • Cell phone services used: • The Vonage VoIP system utilized a — T-Mobile Linksys phone adapter and Uniden — Virgin Mobile 900 MHz cordless phone. — Boost Mobile — Network utilized was provided by the university — Tracphone — Network Speed 8,600 Kb/s upload / — Simple Freedom Wireless 86,000 Kb/s download
  31. 31. Data Capture • The biometric system consisted of: — Test subject web site where the sessions are initiated and the survey results are captured — Data capture enhancements to session processing — Post processing of voice samples for more thorough test matrix coverage • Used combined speech recognition and speaker verification • Used text prompted verification method (dynamic version of text dependent verification) • Did not use adaptation; did not test identification
  32. 32. Test Data • Tests were automated to enable repeatable measurement of enrollment and verification rates, and to capture the following data: — Subject Identifier — Trial Code (predetermined) — Telephone Number — Telephony Type (Landline, mobile, VoIP) — Telephone Manufacturer & Model — Telephone Location (address) — Signal Strength (mobile phone only) — Background Noise (Low | Med | High) — Background Noise Type (Music | Speech | Noise) — Subject’s Voice Health (Normal | Hoarse | Very Hoarse)
  33. 33. Data Analysis • Data collection occurred in a indoor office environment — Conversational background noise • The test sessions captured all data utilized, so no preexisting sample data was used. • Enrollment templates and verification samples were compared both in real-time and off-line after all test data had been collected. • The combination of real-time sample capture and off-line comparison helps generate a wider range of performance data.
  34. 34. Authentify-Purdue Study Results Same Channel Performance -- Landline Verification vs. Landline Voiceprint 50.00% 45.00% 40.00% 35.00% 30.00% Error Rate 25.00% 20.00% 15.00% Land v Land 9.00% 10.00% False Reject 5.00% 2.93% 3.61% 1.47% False Accept 0.49% 0.49% 0.00% Low Med High Security Level
  35. 35. Authentify-Purdue Study Results Same Channel Performance -- Cell Verification vs Cell Voiceprint 50.00% 45.00% 40.00% 35.00% 30.00% Error Rate 25.00% 20.00% Cell v Cell 15.00% 12.87% False Reject 10.00% 3.26% 2.63% 5.00% False Accept 1.63% 1.08% 1.90% 0.00% Low Med High Security Level
  36. 36. Authentify-Purdue Study Results Cross Channel Performance -- Cell Verification vs. Landline Voiceprint 50.00% 45.00% 40.00% 35.00% 37.43% 30.00% False Reject Error Rate 25.00% Cell v Land 20.00% 15.00% 10.00% 11.90% 11.94% 5.00% False Accept 0.00% 0.00% 0.00% 0.00% Low Med High Security Level
  37. 37. Authentify-Purdue Study Results Batch: Landline Verification vs. Landline Voiceprint 50.00% 45.00% 40.00% 35.00% 30.00% Error Rate 25.00% 20.00% 15.00% 10.00% False Reject 7.10% 5.00% 3.05% 2.73% False Accept 1.64% 0.71% 0.12% 0.00% Med-High High Very-High Security Level
  38. 38. Conclusions • Dynamic sampling is an effective method of supporting multi-factor authentication in a single interaction • Single voice biometric template capture OK for low to medium risk applications when layered • Best to use phone number or channel specific templates for medium to high risk applications • Use known phone number for verification to spawn new enrollment session on secondary device (e.g. use existing landline print to enroll on your new cell phone)
  39. 39. Conclusions • We have got more work to do: — Qualify batch analysis procedures — Cell phone connection quality; how to compensate? — VoIP is worst. Why? — How much do behavioral characteristics play a role? Do subject utterances change when they “know” they are acting as imposter? — How well do biometric templates age? Use of adaptation? — Can we leverage multiple verification engines to obtain a better result? — What role do accents play? Do they only affect reco’, or biometric performance too?
  40. 40. Contact Information Andrew Rolfe Stephen Elliott, Ph.D. V.P. of Development & Operations Associate Professor & Director of Biometric Standards, Performance, and Assurance Laboratory Phone: 773-243-0339 Phone: 765-494-1088 Email: andy.rolfe@authentify.com Email: elliott@purdue.edu Authentify, Inc. Purdue University 8745 W. Higgins Road, Suite 240 401 N. Grant Street Chicago, Illinois, 60631 West Lafayette, IN, 47906 www.authentify.com www.biotown.purdue.edu
  41. 41. Questions? Authentify: Booth 803