
Speak Up! Voice Boosts Authentication

10/11/2010 12:01 AM Eastern

Many of the identity
and authentication schemes
that are employed today to
add security to applications
and services are actually exposing
our private information.

The basic idea that a secret
is something that is exposed
to as few people as possible
is violated every day. The
idea that “shared secrets” are
a viable method to strongly
authenticate someone’s identity
seems to be considered
the best-practice method for
multi-factor authentication.

In reality, though, a “shared
secret” is an oxymoron —
once you share something, it
is no longer a secret, and if it
is a fact from a publicly available
database, it was not a secret
to begin with.

SHARED SECRETS UNSAFE
If I call my wireless provider
and the customer-service representative
asks me for my
mother’s maiden name, I have
exposed that “secret.” When
I use my telephone-banking
application and it asks for my
mother’s maiden name, I begin
to realize that there are a lot of
people who could successfully
answer that question and supposedly
be “authenticated.”

Anyone in my family (which
is very large — more than 50
people), and a lot of people
who simply know my family,
would succeed in that challenge.
My mother grew up in
a small town, so that is at least
another 200 to 300 people. This
illustrates the problem with
any knowledge factor — if I
can’t remember it, I will fail; if
others know it, they will succeed.

What is multi-factor authentication?
Three different
factors can be used for authentication:
the “knowledge
factor,” or what you know;
the “token factor,” or what
you have; and the “biometric
factor,” or what you are. What
you know can be your username,
password, PIN, mother’s
maiden name, the make
of your first car, etc.; what you
have can be your credit card,
passport, laptop, mobile device,
etc.

What you are is a biometric
such as your fingerprint,
voice, face geometry, hand
geometry, iris scan, etc. True
multi-factor authentication
is, at a minimum, the use of
two different factors. Many
of today’s applications use a
password and a shared secret
— which is really multiple instances
of the knowledge factor
— not true multi-factor
authentication.

True multi-factor authentication
requires the use of at
least two, if not three factors.
This sounds like a difficult
proposition that would add
a lot of friction to consumer
interactions. However, there
are approaches that can be
employed that are easy and
convenient for the user and
easy for the organization to
implement as a Web service.
The use of all three factors in
combination makes for a very
secure way to establish
a trusted interaction.

How can that be implemented?
With today’s mobile
phones, which can all
play and record audio, users
can be strongly authenticated
by providing their password,
then their voice signature in
an application on the mobile
device. The password is the
knowledge factor, the device
is the token factor, and the
voice signature is the biometric
factor.
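
The distinction drawn above between steps and factors can be checked mechanically. The following is an added example, not code from the article or from TradeHarbor: it audits login flows by the three factor categories the article names. The authenticator names, their mapping and the sample flows are constructed for illustration.

```python
from enum import Enum

class Factor(Enum):
    KNOWLEDGE = "what you know"
    TOKEN = "what you have"
    BIOMETRIC = "what you are"

# Hypothetical authenticator names, classified as the article classifies them.
FACTOR_OF = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "mothers_maiden_name": Factor.KNOWLEDGE,
    "first_car": Factor.KNOWLEDGE,
    "mobile_device": Factor.TOKEN,
    "credit_card": Factor.TOKEN,
    "voice_signature": Factor.BIOMETRIC,
    "fingerprint": Factor.BIOMETRIC,
}

def audit_flow(steps):
    """Return (set of distinct factors, list of findings) for one login flow."""
    unknown = [s for s in steps if s not in FACTOR_OF]
    if unknown:
        # Refuse to guess: an unclassified step must not count as a factor.
        raise ValueError(f"unclassified authenticators: {unknown}")
    by_factor = {}
    for step in steps:
        by_factor.setdefault(FACTOR_OF[step], []).append(step)
    findings = []
    for factor, used in by_factor.items():
        if len(used) > 1:
            findings.append(f"{factor.name} counts once, not {len(used)} times: "
                            + ", ".join(used))
    if len(by_factor) < 2:
        findings.append("not multi-factor: one factor category only")
    return set(by_factor), findings

# Constructed sample flows: the weak pattern and the article's mobile scheme.
FLOWS = {
    "phone_banking": ["password", "mothers_maiden_name"],
    "mobile_voice": ["password", "mobile_device", "voice_signature"],
}

if __name__ == "__main__":
    for name, steps in FLOWS.items():
        factors, findings = audit_flow(steps)
        print(name, len(factors), "factor(s)", findings or "ok")
```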

VOICE SPEAKS VOLUMES
With the use of voice signature,
cable operators can now
not only provide secure authentication
but authorization
to the individual rather than
just to the household. This
paradigm change opens up a
plethora of potential new revenue
streams for the operator,
including delivery of premium
content for TV Everywhere applications.

Voice is the most practical
biometric factor because
it does not require a specialized
device, it is always with
you, it can be dynamic, and it
allows for portability across
consumer touch points that
don’t exist with the other biometrics.

With fingerprints, you have
10 chances for re-enrollment
if the enrollment is compromised;
with iris scan, you have
two chances; with hand geometry
you have two chances,
etc. With voice, you can continuously
enhance the dynamic
model and re-enroll if
necessary.


Paul S. Heirendt is president
and CEO of St. Louis-based
TradeHarbor.