PassMark Security Inc. is adding another layer of authentication to its software portfolio with its purchase of Vocent Solutions Inc.
PassMark is well known for its software that uses customers' computers as an authentication device when they log in to a banking Web site. Having acquired Vocent, it can offer banks the opportunity to authenticate people by voice when they initiate unusual transactions.
"They identify people remotely," PassMark chairman Bill Harris said of Vocent. "And that's exactly what we do, except we do it through the Internet channel and they do it through the phone channel."
The acquisition closed Monday and was announced Wednesday (the price was not disclosed). Mr. Harris said that the Vocent software would be incorporated into PassMark's systems by the first quarter.
People can enroll by providing their phone numbers and saying numbers or a phrase; the sounds are broken down into a mathematical algorithm (the recording is also archived). Mr. Harris said he doubts his customers will require voice authentication for standard access to banking sites, but if someone wants to wire $50,000 overseas, for example, a bank's systems may decide the transaction is atypical for that customer, which may set off the Vocent authentication.
"For this level of risk, we want an additional authentication," Mr. Harris said.
The site will ask if it can place an automated call to the phone number on file. When the person answers, he will be asked to repeat some of the stored words, and his voice will be compared against the previously stored algorithm. This uses the voiceprint as authentication and also requires that the customer have access to the phone he used when enrolling in the system.
Mr. Harris said banks can set up their own set of triggers for the Vocent software. Some may also require it when people call a call center to change their passwords or update their addresses. "For sensitive transactions, we want good authentication," he said.
Vocent's software does not require a perfect voice match, Mr. Harris said. Instead it determines how close the voiceprint is to the original algorithm.
This approach weighs such factors as whether the person has a cold or is out of breath - anything that could affect the voice. The voice comparison is plugged into a risk-evaluation system that also considers other variables - whether the person is using his own phone, for instance.
As online fraud has become more common in the past year, the banking industry has grown more receptive to moving beyond user-name and password authentication. This is called single-factor authentication - using something the user knows.
Two-factor technologies - involving something the user has - are widely recognized as offering better security, but are also seen as more inconvenient because people must have physical possession of a device. Many companies offer small password tokens, which constantly generate a random string of characters that people have to enter as a password when logging in. Critics say these tokens are easily lost or stolen.
With PassMark's current system, banks' customers enroll the computers they will typically use to access their bank's Web site; the bank's systems can later recognize the individual machines, which function as the second factor.
PassMark, of Menlo Park, Calif., also offers two-way authentication, a way for companies to prove that their Web sites are authentic.
This is a growing concern because many fraud artists use fake bank Web sites to trick people into revealing personal information. When users sign up for the PassMark system they select an image that is later displayed by the site when they log in. Bank of America Corp. is making PassMark available to all of its online banking customers, and eventually plans to require them to use it.
The system from Vocent, of Mountain View, Calif., uses possession of the user's phones as a second identifier but goes a step further; its voice-recognition technology will move PassMark into three-factor authentication - involving something the user is.
Though some consumers may find biometrics unsettling, Mark Goines, PassMark's chief marketing officer, said voice authentication will probably be seen as less intrusive than other forms of biometrics, such as systems using fingerprints to initiate payments.
Customers are accustomed to speaking to banks' automated systems, providing their account numbers or other personal information, Mr. Goines noted. This extra layer is "just one more step to using your voice to authenticate yourself," he said.
George Tubin, a senior analyst at the research firm TowerGroup Inc. in Needham, Mass., a unit of MasterCard International, said voice is a good fit for PassMark. "This offers them a way to manage all forms of authentication."
