Speech Authentication Strategies, Risk Mitigation, and Business Metrics, Page 2
Choice of Verification Strategies—Adaptation
SpeechSecure supports multiple verification strategies, allowing developers to select their preferred balance between call security and transaction speed. This authentication package is now delivered with voice model adaptation where voiceprint models are optimized in deployment using data from successful verifications, enabling the application to adapt to possible changes in users' voices over long periods of time.
SpeechSecure is language independent and does not require a grammar, allowing callers to speak any pass phrase in any language they choose—in fact, the pass phrase doesn't even need to be a real word.
The caller is prompted for a piece of known data (for example, his account number). Speech recognition and verification are performed on the utterance. One-step verification is more convenient than having the user separately identify himself through an account number and then verify his identity through verification of a separate pass phrase. However, because the account number that is uttered is not chosen by the caller—and therefore is not secret—the method is less secure than two-step verification.
Two-step verification operates on two separate passwords. First, the one-step process described above is carried out (in other words, the user speaks her account number, and that is passed through recognition and verification processes). Then, the user is prompted for an additional secret password that she has defined. Two-step verification is more secure than one-step verification because the confidence from verification of two separate passwords is better than that from one password, plus the system is testing the caller's knowledge as well as the voiceprint.
Two-Step Verification with Random Challenge
This is two-step verification where the second password is not defined by the caller; rather, it is a random phrase generated by the application or the developer. This could be a random string of digits or one of several enrolled secret phrases. This method usually requires the use of speech recognition in tandem with verification to verify that the correct phrase or digit string has been uttered. One potential drawback of the digits approach is that it does not require the caller to know a secret password. However, it does protect the system from so-called tape recorder attacks (where an impostor somehow captures the real user's password on tape and plays it over the phone) by ensuring that the user is talking live on the phone.
Text-dependent speaker verification requires that the same password used for enrollment be used for verification. Text-independent speaker verification places no constraints on the verification utterance and verifies or rejects the caller regardless of what they say or which language they use. Text-independent speaker verification requires more speech data than text-dependent speaker verification. However, it requires less cooperation on the behalf of the users, so it is useful for unobtrusive verification of repeat callers.
BPM and SOA
You can incorporate speaker verification into any system architecture using Web services-based integration because the SpeechSecure solution, available via a Web Services interface, includes:
- SpeechSecure Authentication Engine: Biometric software that identifies callers based on unique voiceprints.
- SpeechSecure Server: Web services for use with any speech application platform incorporating voiceprint database management.
Thus, a secure VoiceXML application using speech Web services where a user can speak a free sentence, in English for instance, and receive a French translation, on the same modality (phone) or via another one (PC screen, for example) would be feasible in today's IT enterprise ecosystem . See Reference 4 for a discussion of such an application and Appendix 3 for more on Business Process Management (BPM) and Service Oriented Architecture (SOA).
Identification, Authentication, and Authorization
Overall security involves identification, authentication, and authorization. Here's the shorthand guide:
Identification: Who are you?
Authentication: Prove it.
Authorization: Here is what you are allowed to do.
The three concepts are closely related, but in a security system it's critical that you tell them apart. Conflating the three—running them together, failing to distinguish each from the others—can lead to serious security problems. Fortunately, servers such as Nuance's Verifier that integrates with their speech recognition system can recognizes callers, authenticate them, and give them the appropriate access. More on this subject is available at Reference 3.
Nuance Management Station
The Nuance Management Station offers systems management, administration, and analysis capabilities designed to address the unique requirements of voice-driven services. System administrators and operators can manage and maintain all aspects of their speech systems to help ensure high service availability. Business managers can assess how well the system is delivering on key company objectives. See Figure 1, one of many such reports.
Track and Analyze Business Metrics
Within Nuance Management Station, its ROI Tracker enables call center managers to automatically measure and report in real-time the system's cost-saving or revenue-generating performance against specific success metrics defined during the early phases of the speech application planning process. Call center managers also are able to conduct comprehensive business analysis using historical, trend, and performance data.
Figure 1: A call volume report
Assess Systems Performance
Systems administrators can retrieve data and conduct analysis pertaining to provisioning requirements, service performance, and CPU and memory utilization in order to increase system up time and operational efficiency.