PhoneFactor Inc. is adding voiceprint identification biometrics support to its two-factor authentication services in a move the company says could be used by companies and government agencies to provide a third-factor authentication method to protect highly sensitive systems.
The Overland Park, Kan.-based company, which sells tokenless, telephone-based two-factor authentication, is hoping the new feature will be added by its crop of current customers.
Steve Dispensa, chief technology officer of PhoneFactor, said voiceprint biometrics would be useful for additional verification for high risk transactions at banks, as well as within government agencies and healthcare firms concerned with providing access to systems containing highly sensitive data. So far customers aren't using the new voiceprint authentication service.
The company says the biometric verification uses technology that can measure the unique pitch and rhythm of a user's voice. Once the service is turned on by an organization, users will be prompted to say phrases to set up an accurate voiceprint. Once set up, users must vocally provide a passphrase that matches their voiceprint and then provide a traditional PIN to complete the authentication process.
Dispensia said out-of-band authentication offers protection from man-in-the-middle attacks and keystroke loggers. But experts say some hacking techniques can bypass two-factor authentication.
"Our job is to provide the tool and make it accessible and easy to use," Dispensia said. "The net effect is an incredibly secure system."
Over-the-phone biometric voiceprint authentication is not new. Several companies specialize in voiceprint identification, including Burlington, Mass.-based Nuance Communications Inc., Chicago-based Authentify, Inc., and EMC Corp's RSA security division, which acquired Vocent Solutions, now sells RSA Adaptive Authentication for Phone. About five years ago, some security experts predicted the technology could gain a foothold in call centers and systems support providers. But concerns over cost, accuracy, spoofing attacks and angst over frustrating users combined to hinder adoption.
THE NEW SCHOOL OF ENTERPRISE AUTHENTICATION: IT is under new pressure to reduce sign-ons, defend against insider abuse and secure enterprise accounts. Luckily, security professionals are now equipped with new types of advanced authentication products and processes that can take on these IAM initiatives.
Countdown: Top 5 consumer authentication technologies on the market today: In late 2005 the Federal Financial Institutions Examination Council (FFIEC) issued a guidance stating single-factor authentication was no longer adequate for securing online banking transactions.
Companies need to weigh the problem of user fatigue when deciding how much verification takes place when authenticating, said Mark Diodati, a senior analyst at Midvale, Utah-based Burton Group. Diodati said he likes PhoneFactor's out-of-band authentication method because it can be incorporated fairly easy into a company's current processes if additional identity verification is needed. But fatigued users can result in less productivity or employees could inevitably find a way around authentication procedures resulting in increased risk.
"There's an opportunity for fatigue with any authentication technology," Diodati said. "It's not an easy process for a company to figure out what level of identity assurance they want to provide for access to a particular system or application."
Dispensa said the expense many people associate with biometrics, including voiceprint authentication, could be attributed to the need for deploying and maintaining back-end support systems. The PhoneFactor service is easy to deploy for IT since it is maintained in PhoneFactor's data centers, he said. The additional service will cost between $15 and $30 per user.
"Biometrics has been painful because it has involved the shipping of hardware and new software which results in complex management," Dispensa said. "Now all our customers have to do is check a box in our dropdown menu to turn on voiceprint."
Bank to turn on PhoneFactor for customer verification.
Frank Barbato, CIO of Virtual Bank said he doesn't plan to turn on the voiceprint identification service for use by its customers. Virtual Bank went live in 2000 during the Internet boom and has been dodging attacks and upgrading systems to mitigate threats almost continuously, Barbato said.
The bank began testing the use of PhoneFactor for two-factor authentication to better verify customers' identities. If a customer uses a different machine to log into their account, tries to access their information from a different location or provides the wrong account credentials, the company will lock them out until they are verified via PhoneFactor.
With the testing complete, Barbato said by Feb 2, all Virtual Bank customers will be using PhoneFactor for additional verification under a campaign the bank calls Phone Guardian.
"On the back-end we look at where a client is coming from to determine whether we should issue a challenge," Barbados said. "In the infrequent case where we want more verification, customers will be asked to select one of the phone numbers they gave us to verify their account. We'll call that number and they have to enter the four digit PIN we provided."
Many attacks are targeting the bank daily -- mostly run of the mill SQL injection attempts and cross-site-scripting (XSS) attacks. But Barbados said what concerns him most is the increasing volume of attacks attempting to steal account credentials and with it the rising number of sophisticated attacks; those targeting specific banking clients using social engineering tactics and drive-by attacks attempting to scan a victim's machine for vulnerable Web applications.
"They're getting clever at what they're doing," he said. "The world has changed. We get attacks directly from other countries and we're spending a lot of time and money protecting our clients and our networks."