
Voice recognition and card security

At this week's Purchasing Card Forum, Nick Ogden, founder of WorldPay and currently chairman and CEO of Voice Commerce Group, presented the use of voice recognition as the next big thing in security. He outlined that so far the methods used for card security have all been found to have fallen short, and a straw poll of the audience appeared to justify his statement. However, I did ask follow-up questions to clarify that voice security is not just another fanciful solution, ready to be blown apart by today's clever criminals.

The obvious question was: how unique is a person's voice? Nick said that as far as can be proved everyone's voice is unique. But what about imitators? Nick again batted this question back with the response that voice impersonator Rory Bremner had been engaged to try and break the system and failed.

What about background noise distorting the voice? But again Nick retorted that the system would simply recall you. However, this does seem to be a weak aspect, as it is not always convenient to have to wait for a recall and there is no guarantee that any recall would be at an acceptable location or at an agreeable time.

What about recording the card holder's voice and then fraudsters taking the place of the account holder? Again this can be detected by the system according to Nick.

As fraudulent activity is on the increase and with electronic payments and receipts becoming more the norm, the idea to introduce new technology to strengthen security has to be applauded. I have no idea if voice recognition is the final answer or the forerunner of yet another idea but it's very comforting to learn that there are people putting their brains and efforts into finding the final security solution.

Due to a technical issue, please click on this link to see Nick's response to Stephen's comment below: https://www.finextra.com/blogs/fullblog.aspx?blogid=2464

The technical issue is now resolved, so you can also see his comments below.


Comments: (3)

Stephen Wilson - Lockstep Consulting - Sydney, 29 January, 2009, 19:33

Nick said that "as far as can be proved everyone's voice is unique."

Sorry but once again we see here a serious misrepresentation of biometrics.  The term "unique" in the context of biometrics is utter hyperbole.  Even if it were true that voice patterns are "unique", the critical question is whether a biometric mechanism is capable of telling all voices apart.  And the truth is that no biometric apparatus is perfect.  In fact, most biometrics fall so far short of perfection that I believe use of the word "unique" constitutes false advertising.

All biometrics commit two sorts of error.  A False Match (or False Accept) is when the apparatus is presented with an imposter but wrongly confuses them for an enrolled user. And a False Non Match (or False Reject) is when the apparatus fails to recognise a legitimate user.  It's worth repeating, all biometrics commit both sorts of error to some degree.  So already the claim of "uniqueness" is wobbly. 

The False Accept Rate (FAR) and the False Reject Rate (FRR) can be traded off to produce a sort of performance compromise that makes sense according to the application.  If the application is access control on the door to a nuclear missile silo, then the system will be biassed towards lower FAR because the consequences of admitting an imposter are dire.  But if the application is an ATM, or an e-commerce system, then the proper tradeoff is a tough choice.  Is customer convenience more important than security? 

For voice recognition, typical results are:

When tuned towards security: FAR can be reduced to 0.1% (1 in a thousand) but the FRR rises to 6% (1 in 16 legitimate attempts will be rejected)

When tuned towards convenience: The FRR can be reduced to 3% but the FAR rises to 20% (1 in 5 imposters are admitted).

[Reference: Biometric Product Testing Final Report by the National Physical Laboratory for the Communications Electronics Security Group (CESG) 2001.  Note that indications in the more recent report by Mitre Group for the FBI show no great general improvement in commercially available voice biometric systems.  Technology Assessment for the State of the Art Biometrics Excellence Roadmap October 2008.]

Finally, the nail in the coffin for "uniqueness" is what's called the "Zero Effort Imposter" assumption, which leads to a systemic over-statement of the security of biometrics.  Pardon me for getting technical, but this is really worth understanding.  All standardised biometric testing uses the assumption that False Matches are the random results of instrumentation error and algorithmic imprecision.  That is, the testing assumes that an imposter has made zero effort to fool the system.  As stated in the Mitre/FBI report of October 2008: "When a dedicated effort is applied toward fooling biometrics systems, the resulting performance can be dramatically different". 

That is, the published performance specifications for biometric security systems do not apply to people who are actually trying to break in. Where does that leave banks when trying to evaluate these solutions for their ability to resist attack?

Cheers,

Stephen Wilson, Lockstep.
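The FAR/FRR trade-off and the zero-effort impostor caveat raised in the comment above can be made concrete with a short evaluation script. This is an added example, not code from the article or from any commenter or vendor; every score is constructed, and the function names and the `DEDICATED_EFFORT` sample are hypothetical.

```python
# Constructed match scores in [0, 1]; higher means closer to the enrolled voice.
GENUINE = [0.42, 0.55, 0.61, 0.66, 0.70, 0.74, 0.78, 0.81, 0.85, 0.90]
# Impostors as standard testing assumes them: no attempt to resemble the user.
ZERO_EFFORT = [0.05, 0.10, 0.15, 0.22, 0.28, 0.33, 0.38, 0.44, 0.52, 0.63]
# Assumed scores for impostors who make a dedicated effort (constructed).
DEDICATED_EFFORT = [0.30, 0.41, 0.48, 0.53, 0.58, 0.62, 0.67, 0.71, 0.76, 0.82]


def far(impostor_scores, threshold):
    """False Accept Rate: share of impostor attempts at or above the threshold."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def frr(genuine_scores, threshold):
    """False Reject Rate: share of legitimate attempts below the threshold."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def tune_threshold(genuine, impostors, target_far):
    """Lowest observed score usable as a threshold with FAR <= target_far."""
    for t in sorted(set(genuine + impostors)):
        if far(impostors, t) <= target_far:
            return t
    raise ValueError("target FAR not reachable on this test set")


def evaluate(target_far):
    """Tune on zero-effort impostors, then measure all three error rates."""
    t = tune_threshold(GENUINE, ZERO_EFFORT, target_far)
    return {
        "threshold": t,
        "far_zero_effort": far(ZERO_EFFORT, t),  # the figure a spec sheet reports
        "frr": frr(GENUINE, t),                  # the cost to legitimate users
        "far_dedicated": far(DEDICATED_EFFORT, t),  # outside the test assumption
    }


if __name__ == "__main__":
    for label, target in (("security-tuned", 0.0), ("convenience-tuned", 0.2)):
        print(label, evaluate(target))
```

On this constructed data, tightening the threshold drives the zero-effort FAR to zero while tripling the FRR, and the same threshold still accepts a large share of the dedicated-effort sample, which is the gap an evaluator should ask a vendor to measure.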

Gary Wright, 29 January, 2009, 20:04

Wow Stephen, what a detailed and informative response!

Thank you so much for this, and I am sure Nick would welcome a conversation with you.

Nick Ogden - RTGS.global - London, 30 January, 2009, 11:23

Stephen's comments are very interesting, and to be clear, as I said at the meeting, no biometric system, including DNA and fingerprints, has been tested on everyone, but the probability is that they are unique. All biometric systems have their own individual challenges as well, and for those who heard me talking on Tuesday morning and didn't on Tuesday night, laryngitis is a serious software bug for voice biometric systems!

We have developed a highly complex system and have gone through all the challenges of false accept and false reject to get to a system that will give us a 99.6% FTA (first time authorisation). Our platform uses what we call a "voice signature", which is a complex device that uses voice biometrics as part of its overall score to then approve or decline a transaction. We probably, like Stephen, have gone through discussions with various "voice biometric software vendors" who, as opposed to delivering a system that works, attempt to pass the buck onto the customer to set FARs and EERs and FRR, and any other acronym that their marketing department happens to have invented at the time, to try and make their software sound more complex. Our biometric verification core is developed on the Nuance platform, with whom we have a very close development and working relationship, and this platform is working 24x7x365 within 300 organisations, today. Some of the issues that Stephen raises are also the reasons behind why last year, Voice Commerce Group started to establish a framework for global interoperability on voice signatures within financial services, and why we are members of PCI.

In 2001, whilst CEO at WorldPay, I convinced my Board that we should guarantee Internet payments, which we did, and this protection is still in place today. Today with Voicepay and our voice signature system we are again using our own systems for our own payment processing services and we guarantee our transactions against repudiation. Over the next few years no doubt we will create improvements and refinements to our systems, and that is also why we have 2 R+D teams working 6 days a week on our future technologies.

Sometimes if you don't do, you can't learn, and every day we learn. By having the advantage of our own global customer base from which to draw experience, and from the fact that we know the solution works, we trust it and the fact that we underwrite it financially gives us a lead, and if we find from that real experience that some changes are required, we will be the first to make them.

Author: Gary Wright, Analyst, BISS Research
