Banks and other financial institutions are scrambling for the best way to identify their users over the World Wide Web. Passwords aren't the answer, because they're easily guessed or "phished" over the phone from dumb users. Digital certificates may work, but as I've written before, they have a lot of problems. Smartcards, fingerprint scanners, and retina scanners are neat, but nobody has the hardware.
What's the answer? In all likelihood, it's voice identification. Already, at least two companies are working on systems that integrate state-of-the-art voice technology with the Web.
VeriVoice, based in Princeton, New Jersey, has developed a system that uses a Netscape Navigator plug-in and the microphone that's installed on most multimedia computers to perform real-time speaker verification. Although it's still in testing, VeriVoice hopes to sell the system to insurance companies and banks that want to make online services available to their existing customers.
Here's how the VeriVoice system works: When you get your monthly statement from your bank, it will include an 800 number and a unique code number. You dial the phone number, enter your code, and a computer asks you to repeat a series of numbers. The whole enrollment process takes about a minute.
The next time you visit your bank's Web site, you simply type your password, and a popup window appears. The window displays a string of numbers, your account number, and an 800 number. If you're using a multimedia-equipped computer, you simply say the string of numbers aloud and click OK. Your computer digitizes your voice, crunches it down into a small set of "voice vectors," and sends it over an encrypted link to your bank's mainframes. If you don't have a microphone on your computer, you can just dial the 800 number, type your account number on your touch-tone phone, and say the numbers.
The computer then compares the newly recorded voice with the voice that's on file. If it matches, you must be you. Using a different string of numbers for the user to speak every time prevents simple playback cons using audio-cassette recorders.
VeriVoice hopes to sell the system to large customers for US$3.65 per user per year - just a penny a day. That's a lot cheaper than systems like Security Dynamics SecurID card, which costs $50 per year. It's even cheaper than VeriSign's Digital IDs, which cost $6 per year.
VeriVoice recently bought two patents that cover this technology: #5,142,565 and #5,526,465. But Barry Frankel, the company's president, has had a hard time getting a company to sponsor a large-scale test of the technology. So far, only a few hundred people or so have tested it. Drop him a line if you think you can help him.
BBN, meanwhile, is working on its own Web-based voice technology. "[We] do the basic signal processing and spectranalysis on the client side. That gets transmitted at very low bandwidth, 3800 bits per second, to a server where you can do anything you want: verification [or] recognition," says John Makhoul, chief scientist for BBN Systems & Technologies, and manager of the speech and language department.
BBN is working on a demo that uses the company's 40,000-word continuous speech-recognition system to enable users to surf the Internet without using their hands. Called "speak and surf," the demo lets users ask questions verbally, such as "What is Bill Clinton's birthday?" The system will recognize the speech, find proper names, and send the whole query to a search engine like AltaVista.
Makhoul thinks that speaker-verification technology "will be an adjunct to digital IDs. The speaker-verification technology, in my opinion, is still not good enough to be secure all by itself."
I haven't played with either the VeriVoice or the BBN system, but I did have a voice-print lock on my front door in Cambridge for close to seven years. Powered by a puny Z80 microprocessor, the system worked pretty well, even when I had a cold, although it failed miserably when an airplane was passing overhead.
The experience with the voice-print lock taught me something very important about speech-verification systems: They work for some people, but not for others. My friend Jocelyn had a 99 percent success rate getting in the front door; I had a 75 percent success rate. Some people had far worse luck. On the other hand, I've only heard of one case in which one person gained access using another person's voiceprint. That case involved a pair of identical twins. Working together, it took them more than 100 tries over the course of a half-hour to get through the door.
