Visa International’s decision to authenticate its employees through the sound of their voice may presage consumer use in online transactions, Visa and its vendor say.
The card association acknowledged that replacing consumers’ typed-in passwords with voice biometrics is a long way off, if it happens at all. But Vocent Solutions Inc., which it hired to deploy the technology internally, is pushing the idea.
Financial companies have long been fascinated by biometric authentication, but none have introduced a major deployment of the technology, largely because of consumers’ privacy concerns and the high failure rates for all forms of biometrics. It remains to be seen whether Visa’s internal use will inspire others.
Vocent and Visa said in announcing the deal last week that the card company would use voiceprints to automate help desk services for employees. They said in interviews that Visa has completed an internal pilot test of the technology -- letting employees reset their passwords by voiceprint. Visa said the new system will make it cheaper to process the 1,400 password resets it typically handles each month, which cost $20 each.
By next year all 5,000 Visa International employees will be using the technology, logging on to the Visa computer network through voiceprint entered through the telephone.
But the announcement also said that Visa and two-year-old Vocent aim to “develop standards” and “create prototype solutions” that would use the vendor’s voice-recognition software to authenticate cardholders.
“We are working with Visa International to bring voice authentication into e-commerce and m-commerce,” beginning with Verified by Visa, Vocent president and chief executive officer, Chuck Buffum said in an interview. The Mountain View, Calif., company is exploring applications for cellular phones and “hybrid devices” such as computers linked to Palm Pilots, he said.
The voluntary Verified by Visa program, which prompts consumers for a password when they try to buy something on the Internet with a Visa card, could conceivably accept a “voiceprint” in addition to or even instead of a personal identification number, a Visa executive told International Data Group News Service last week.
A Visa spokesman qualified the idea of voiceprints superseding passwords for Verified by Visa as a “far off” possibility. “We don’t see it as replacing passwords in a long while, and maybe not ever. It would be up to the banks,” the spokesman said. Until then, Visa is “keeping an eye on the technology,” and has joined with Vocent in a two-year strategic alliance to explore whether the voiceprints offer a solution that would appeal to its members.
Vocent has sold software that authenticates customers over the telephone to a handful of clients, including an insurance company and at least one bank, but Visa says it is interested in applications for mobile phones and devices and for e-commerce.
Alden Hart, the chief technology officer at Adrenaline Group Inc., a technology consulting firm in Washington, said that voiceprints alone will likely not suffice as an authentication mechanism. “I love its convenience -- the lack of which has always been a problem in authentication,” he said. “But you would probably have to combine it with other forms of authentication that require a higher level of confidence -- for example, a voiceprint followed by a password.”
Unlike PINs, which either match or do not match, voiceprints register in gradations. Instead of a “yes” or a “no,” they generate a likelihood score. Authentication methods can vary for different types of transactions, which carry different levels of risk. Voice recognition could prove adequate for balance checks, but maybe not for funds transfers across accounts, Mr. Hart said.
“It comes down to the application,” he said, “which is the problem with single sign-on that everyone is wrestling with.”
Mr. Alden said that even if voice recognition is accurate, it could be difficult to get customers to sign up, especially for Internet transactions. “We know that it was a horrendous pain enabling people to get electronic wallet capabilities, and that didn’t involve any hardware,” he said. “Even though all PCs come with microphones, almost no one installs them.” (Even Visa has not installed microphones on its PCs, which is why employees are using telephones for their voice authentication system.)
In its work with Visa, Vocent said it will use the model established by the Verified by Visa program, where the merchant triggers the bank to authenticate the customer, and the bank does so immediately and directly (through a pop-up password prompt on the cardholder’s screen, without the retailer’s involvement).
“Verified by Visa is important to e-commerce, and you can apply the same applications to mobile devices,” Vocent’s Mr. Buffum said.
Take the telephone. “There are lots of ways to authenticate customers during telephone transactions, but most are not cost-effective,” Mr. Buffum said.
For example, a retailer could conference-call the bank, which could then prompt the customer for his or her password. “But that would cost 3 cents a minute for the call, and it would tie up the phone lines,” he said. A phone equivalent to Verified’s pop-up window could be a prompt for a voiceprint, which would patch in to the bank’s data network and return an immediate response.
The privacy implications of a company’s collection, storage, and use of a person’s voice have not been worked out. “In order to avoid the privacy issue, a company just tells the customer, ‘I’d like to enroll your voiceprint. Is that OK?’ ” Mr. Buffum said. “In the early days, there will be more people declining, but as time goes on you’ll see a collective benefit.”
There are many ways to capture a customer’s voice, he added. A live agent can ask for it or an automated system can prompt the customer at the end of a transaction. Another “kind of sneaky” method, Mr. Buffum said, is to capture the voice under the umbrella disclaimer, “This call may be recorded for quality assurance,” and simply snip part of the conversation to generate a voiceprint.
Mark Grossman, the head of the technology group at the law firm Becker & Poliakoff PA in Miami, said that any institution using voice authentication should obtain the recorded consent of the caller before taking a voiceprint. “There is no legal answer here -- the law always trails new technology,” he said. “But I would not want to be Wal-Mart, let’s say, in the headlines as ‘Surreptitiously Collecting Voiceprints from Customers Who Called 1-800 Number.’ ”
He added that, though federal law permits one-party consent to record telephone conversations, Florida and other states require the consent of both parties. As for selling or sharing customers’ voiceprints, Mr. Grossman added, “That is a no-no whether legal or not.”
