(2007) Case Study: Phone-based Voice Biometrics for Remote Authentication

Case Study: Phone-based Voice Biometrics for Remote Authentication. Stephen Elliott, Ph.D., Assoc Professor, Purdue University & Andy Rolfe, VP of Development, Authentify Inc. 02/06/07 – ASEC-106

description

Identity verification and authentication (binding a human to an electronic transaction) have become strategic business issues. How does a voice biometric system perform for a typical remote authentication business scenario, and what conclusions can we make about the use of such a system?

Transcript of (2007) Case Study: Phone-based Voice Biometrics for Remote Authentication

Page 1: (2007) Case Study: Phone-based Voice Biometrics for Remote Authentication

Case Study: Phone-based Voice Biometrics for Remote Authentication

Stephen Elliott, Ph.D., Assoc Professor, Purdue University

&

Andy Rolfe, VP of Development, Authentify Inc.

02/06/07 – ASEC-106

Page 2: (2007) Case Study: Phone-based Voice Biometrics for Remote Authentication

Objective

• Objective:

— Identity verification and authentication (binding a human to an electronic transaction) have become strategic business issues. How does a voice biometric system perform for a typical remote authentication business scenario, and what conclusions can we make about the use of such a system?

Page 3: (2007) Case Study: Phone-based Voice Biometrics for Remote Authentication

© The New Yorker Collection 1993 Peter Steiner from cartoonbank.com. All rights reserved.

… except Authentify

Page 4: (2007) Case Study: Phone-based Voice Biometrics for Remote Authentication

Overview

• Briefly giving you an overview of:

— Biometric use in security systems

— The authentication best practices used

— The test methods

— Sample data

• What we are NOT covering in presentation:

— Voice biometric or signal processing technology (FFT, HMM, etc.)

— Making any statement about the applicability of the technology for your situation

Page 5: (2007) Case Study: Phone-based Voice Biometrics for Remote Authentication

Enrollment – Initial Screen

Page 6: (2007) Case Study: Phone-based Voice Biometrics for Remote Authentication

User Enters Registration Info

Page 7: (2007) Case Study: Phone-based Voice Biometrics for Remote Authentication

User Inputs Phone Number

Page 8: (2007) Case Study: Phone-based Voice Biometrics for Remote Authentication

The End User’s Phone Rings

Page 9: (2007) Case Study: Phone-based Voice Biometrics for Remote Authentication

The User Answers the Phone

Page 10: (2007) Case Study: Phone-based Voice Biometrics for Remote Authentication

The Authentication Process is Initiated

Page 11: (2007) Case Study: Phone-based Voice Biometrics for Remote Authentication

# Key Liveness Test

Page 12: (2007) Case Study: Phone-based Voice Biometrics for Remote Authentication

User Informed of Recordings

Page 13: (2007) Case Study: Phone-based Voice Biometrics for Remote Authentication

Please Speak Confirmation…

Page 14: (2007) Case Study: Phone-based Voice Biometrics for Remote Authentication

User Speaks Confirmation Number

Page 15: (2007) Case Study: Phone-based Voice Biometrics for Remote Authentication

Please Speak Phone Number…

Page 16: (2007) Case Study: Phone-based Voice Biometrics for Remote Authentication

User Speaks Telephone Number

Page 17: (2007) Case Study: Phone-based Voice Biometrics for Remote Authentication

Call Completed

Page 18: (2007) Case Study: Phone-based Voice Biometrics for Remote Authentication

Call Information from User

Page 19: (2007) Case Study: Phone-based Voice Biometrics for Remote Authentication

Biometrics in Security

• Biometrics primer:

— Biometrics are by their nature statistically based

— Biometrics should not be the sole authenticator

— Backup methods for those that cannot (somehow impaired)

— Still have “first time” (registration) challenge

— Quality of implementation critical

• privacy,

• legal issues

• Multi-modal UI not easy

Page 20: (2007) Case Study: Phone-based Voice Biometrics for Remote Authentication

Voice Biometrics

• Why voice?

— Familiar paradigm; Very user acceptable; “business like”

— Multi-factor authentication in one session

— Real-time, undeniable contact for remote authentication

— Highly auditable

— Out of band trusted network

— Both physiological and behavioral

— Variable, dynamic samples

— No hardware deployment or training

Page 21: (2007) Case Study: Phone-based Voice Biometrics for Remote Authentication

Ease of Use & Intrusiveness (previous study)

“I very much like the idea of voice identification. This process surpasses any other method of protecting my identity and SSN that I have seen. BRAVO!!”

JoAnn W., Financial Advisory Firm

[Chart: intrusiveness ratings on a scale from “Not at all Intrusive” through 4, 3, 2 to “Very Intrusive”; vertical axis 0.00% to 70.00%]

[Chart: ease of use ratings (Very Difficult, Difficult, Neutral, Easy, Very Easy); vertical axis 0.00% to 100.00%]

Page 22: (2007) Case Study: Phone-based Voice Biometrics for Remote Authentication

Security Best Practices

• Policies define process requirements

— Policy will (should) reflect risk profile

— Policy must account for risk for each factor of authentication

— Policy will define which factors will (should) be used & when

• Collect and use as many factors as possible

— Allows layering and substitution of factors depending on risks

• A fraudster may know everything about you, but that does not mean they can answer your telephone

Page 23: (2007) Case Study: Phone-based Voice Biometrics for Remote Authentication

Purdue Study

• Why study?

— No live system studies available

— Implementation specific

— Excellent resource nearby (Purdue University Biometrics Lab)

— Baseline for future studies

• biometric aging,

• technology changes,

• etc.

Page 24: (2007) Case Study: Phone-based Voice Biometrics for Remote Authentication

Biometric Comparisons

International Biometric Product Testing Initiative (May – Dec 2000) by National Physical Laboratory, England [ sponsored by the Communications Electronics Security Group (CESG) ]

Page 25: (2007) Case Study: Phone-based Voice Biometrics for Remote Authentication

System used for Study

• This biometric study utilized a commercially available, remote, service oriented security system.

• This system is actively being used by many corporations, mainly for Internet commerce and financial applications, at a rate of approximately 1.5M transactions per month.

• The test application was run using this active service environment to best test "real life" performance of the technology.

• Test system implementation:

— SOA

— 2 step application

• Registration

• Verification

— Purdue University lab environment

Page 26: (2007) Case Study: Phone-based Voice Biometrics for Remote Authentication

Service Architecture

[Diagram labels: End User; Users’ Web Session; Internet; Corporate Web Site; Web Servers; Applet; https / XML; Authentify Service Ctr.; PBX; Public Switched Telephone Network (PSTN); 555-333-2399]

Engage the user, their computer and their telephone in a synchronized exchange for a strong out-of-band authentication…

Bind the Web session, the computer, the phone and the Person

Page 27: (2007) Case Study: Phone-based Voice Biometrics for Remote Authentication

Roles & Responsibilities

• Authentify responsibilities:— Design and implementation of enrollment & verification voice applications

— Operation of the commercial service center in Chicago

• Joint responsibilities— Development of the test plan

— Data collection and reporting

— Data analysis and reports

• Purdue biometric lab responsibilities:— Recruitment and instruction of test subjects

— Acquisition, operation and maintenance of equipment used by test subjects

— Provide assistance to ensure proper testing procedures

Page 28: (2007) Case Study: Phone-based Voice Biometrics for Remote Authentication

Biometrics Lab

• The Biometrics Lab at Purdue is designed for research, teaching, and testing

• Testing evaluation was approved by the Institutional Review Board at Purdue University

• This research is typical of the lab’s partnerships with companies focusing on “applied research”

• The lab is part of CERIAS

Page 29: (2007) Case Study: Phone-based Voice Biometrics for Remote Authentication

Test Protocol

• Data was collected at the Purdue University Biometrics Standards, Performance, and Assurance Laboratory, in West Lafayette, Indiana.

• The experimental area consisted of a room with minimal ambient noise.

— Noise that was present was predominantly voices of other people, as the room was utilized for other purposes during the experiment.

— Since more than one individual could do the study at the same time and other individuals could be talking, noise conditions were collected during the study.

Page 30: (2007) Case Study: Phone-based Voice Biometrics for Remote Authentication

Phones & Network Providers

• The land-based phone was a Vodavi Starplus single line telephone.

— Land line provided by the university

• The Vonage VoIP system utilized a Linksys phone adapter and Uniden 900 MHz cordless phone.

— Network utilized was provided by the university

— Network Speed 8,600 Kb/s upload / 86,000 Kb/s download

• The Skype VoIP system used a Linksys CIT200 Skype phone

• Cell phone services used:

— T-Mobile

— Virgin Mobile

— Boost Mobile

— TracFone

— Simple Freedom Wireless

Page 31: (2007) Case Study: Phone-based Voice Biometrics for Remote Authentication

Data Capture

• The biometric system consisted of:

— Test subject web site where the sessions are initiated and the survey results are captured

— Data capture enhancements to session processing

— Post processing of voice samples for more thorough test matrix coverage

• Used combined speech recognition and speaker verification

• Used text prompted verification method (dynamic version of text dependent verification)

• Did not use adaptation; did not test identification

Page 32: (2007) Case Study: Phone-based Voice Biometrics for Remote Authentication

Test Data

• Tests were automated to enable repeatable measurement of enrollment and verification rates, and to capture the following data:

— Subject Identifier

— Trial Code (predetermined)

— Telephone Number

— Telephony Type (Landline, mobile, VoIP)

— Telephone Manufacturer & Model

— Telephone Location (address)

— Signal Strength (mobile phone only)

— Background Noise (Low | Med | High)

— Background Noise Type (Music | Speech | Noise)

— Subject’s Voice Health (Normal | Hoarse | Very Hoarse)

Page 33: (2007) Case Study: Phone-based Voice Biometrics for Remote Authentication

Data Analysis

• Data collection occurred in an indoor office environment

— Conversational background noise

• The test sessions captured all data utilized, so no preexisting sample data was used.

• Enrollment templates and verification samples were compared both in real-time and off-line after all test data had been collected.

• The combination of real-time sample capture and off-line comparison helps generate a wider range of performance data.

Page 34: (2007) Case Study: Phone-based Voice Biometrics for Remote Authentication

Authentify-Purdue Study Results

Same Channel Performance -- Landline Verification vs. Landline Voiceprint

[Chart “Land v Land”: Error Rate (axis 0.00% to 50.00%) by Security Level (Low, Med, High); series: False Accept, False Reject. Data labels as extracted: 2.93%, 3.61%, 9.00%, 1.47%, 0.49%, 0.49%]

Page 35: (2007) Case Study: Phone-based Voice Biometrics for Remote Authentication

Authentify-Purdue Study Results

Same Channel Performance -- Cell Verification vs Cell Voiceprint

[Chart “Cell v Cell”: Error Rate (axis 0.00% to 50.00%) by Security Level (Low, Med, High); series: False Accept, False Reject. Data labels as extracted: 3.26%, 1.08%, 12.87%, 1.63%, 2.63%, 1.90%]

Page 36: (2007) Case Study: Phone-based Voice Biometrics for Remote Authentication

Authentify-Purdue Study Results

Cross Channel Performance -- Cell Verification vs. Landline Voiceprint

[Chart “Cell v Land”: Error Rate (axis 0.00% to 50.00%) by Security Level (Low, Med, High); series: False Accept, False Reject. Data labels as extracted: 0.00%, 0.00%, 0.00%, 11.90%, 11.94%, 37.43%]

Page 37: (2007) Case Study: Phone-based Voice Biometrics for Remote Authentication

Authentify-Purdue Study Results

Batch: Landline Verification vs. Landline Voiceprint

[Chart: Error Rate (axis 0.00% to 50.00%) by Security Level (Med-High, High, Very-High); series: False Reject, False Accept. Data labels as extracted: 7.10%, 2.73%, 1.64%, 0.12%, 0.71%, 3.05%]

Page 38: (2007) Case Study: Phone-based Voice Biometrics for Remote Authentication

Conclusions

• Dynamic sampling is an effective method of supporting multi-factor authentication in a single interaction

• Single voice biometric template capture OK for low to medium risk applications when layered

• Best to use phone number or channel specific templates for medium to high risk applications

• Use known phone number for verification to spawn new enrollment session on secondary device (e.g. use existing landline print to enroll on your new cell phone)
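An added sketch (not Authentify's code and not taken from the slides) of the decision logic that the Data Capture slide and these conclusions describe: a per-session spoken prompt checked by speech recognition, a speaker-verification score checked against the security level, and number-specific voiceprints for medium and high risk. The function names, score scale, thresholds and reason strings are assumptions made for illustration.

```python
import hmac
import secrets

# Constructed score thresholds per security level (assumption: the slides
# do not give the engine's real score scale or thresholds).
THRESHOLDS = {"low": 0.50, "medium": 0.65, "high": 0.80}


def new_prompt(digits=6):
    """Confirmation number shown in the web session; fresh for every call."""
    return "".join(secrets.choice("0123456789") for _ in range(digits))


def verify_call(templates, called_number, prompt, recognized, score, risk):
    """Decide one phone verification (hypothetical helper).

    templates:  {phone_number: voiceprint_id} enrolled for the account
    recognized: digits returned by speech recognition for the utterance
    score:      speaker-verification score in [0, 1] for that utterance
    Returns (decision, reason).
    """
    # Text-prompted check: the spoken digits must match this session's prompt,
    # so a recording of an earlier session fails before biometrics are used.
    if not hmac.compare_digest(recognized.encode(), prompt.encode()):
        return "reject", "prompt_mismatch"
    same_channel = called_number in templates
    # Medium/high risk: only a voiceprint enrolled on this number is trusted.
    if risk in ("medium", "high") and not same_channel:
        return "step_up", "enroll_this_number_via_known_phone"
    if not templates:
        return "step_up", "no_voiceprint_enrolled"
    if score >= THRESHOLDS[risk]:
        return "accept", ("same_channel" if same_channel else "single_template")
    return "reject", "voice_score_below_threshold"


def enroll_secondary(templates, known_call_decision, new_number, voiceprint_id):
    """Add a voiceprint for a new phone only after an accepted call on a known one."""
    if known_call_decision != "accept":
        return False
    templates[new_number] = voiceprint_id
    return True
```
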

Page 39: (2007) Case Study: Phone-based Voice Biometrics for Remote Authentication

Conclusions

• We have got more work to do:

— Qualify batch analysis procedures

— Cell phone connection quality; how to compensate?

— VoIP is worst. Why?

— How much do behavioral characteristics play a role? Do subject utterances change when they “know” they are acting as imposter?

— How well do biometric templates age? Use of adaptation?

— Can we leverage multiple verification engines to obtain a better result?

— What role do accents play? Do they only affect reco’, or biometric performance too?

Page 40: (2007) Case Study: Phone-based Voice Biometrics for Remote Authentication

Contact Information

Andrew Rolfe

V.P. of Development & Operations

Phone: 773-243-0339

Authentify, Inc.

8745 W. Higgins Road, Suite 240

Chicago, Illinois, 60631

www.authentify.com

Stephen Elliott, Ph.D.

Associate Professor & Director of Biometric Standards, Performance, and Assurance Laboratory

Phone: 765-494-1088

Purdue University

401 N. Grant Street

West Lafayette, IN, 47906

www.biotown.purdue.edu

Page 41: (2007) Case Study: Phone-based Voice Biometrics for Remote Authentication

Questions?

Authentify: Booth 803