I am starting this series of truly random thoughts on various identity-related topics with an area that I have – so far – not spent a lot of time thinking about: Identity for Voice. What do I mean by that?
I have my bank accounts, health care insurances (or not), credit cards, etc. Whenever I interact with these companies and organizations through a phone, they typically try to identify me by asking me questions about the identity information they have about me: PIN, social security number, birthday, zip code, maiden name of my mother, last name of my first teacher in middle school and similarly absurd questions. Based on my ability to give the correct attribute values, they consider me authenticated as “me”. A local maximum of absurdity was recently reached in my digital life, when my bank switched to a system where I have to answer at least 2 questions from a list of 10, some of them as ridiculous as “Where does your next relative live?”.
There are times where things get a little more fancy. One example is using caller ID as a means to identify the phone I am calling from. Not only is it quite dubious in my mind that this is a good way to authenticate; even worse is the fact that there are plenty of ways to fake the caller ID system.
Beyond that, we also have voice recognition (which might get quite good), but there is always the option of a tape recorder and voice synthesis technology. Also, there are call-back mechanisms.
Another problem is the potential for phishing through voice-based systems. To address this, there would need to be a way to authenticate the provider (i.e. the bank, insurance company, etc.) to the caller, which is – to my knowledge – not easily possible at all at this time.
Quite obviously, I am not really happy with identity in voice UI land. While this might be ignorance on my part (there have to be quite a few folks out there thinking about solutions to this problem), I think that the distributed-services-and-federated-identity crowd that I am mostly working with is equally disconnected from these problems.
So what can we do about this? First of all, get smart about the voice ID problems. I have started to talk to a friend of mine working in this area, and he gave me a lot of interesting entry points into the world of voice UI. Beyond that, I suppose we might have quite a few ways to extend security:
- Integrated multi-factor authentication: Voice print, caller ID, call back and attribute knowledge are – by themselves – insufficient. A combination of these might be sufficient for low risk transactions.
- Increased integration of electronic and voice technologies: Authentication could be done through a web site (based on strong crypto). The web site would then issue a single-use, time-limited password that would serve as an additional authentication factor. There are quite a few technologies available today that I would put into this category, including SMS-based authentication schemes for cell phones.
- Better meta data with each call: If we could transmit meta data with each call (e.g. proof of possession of a private key), we would immediately increase the level of trust I could have in a voice communication. While traditional telephones do not offer any reasonable extension points, cell phones or – even more so – VoIP systems can send additional data through a data channel.
An additional meta data channel with each call would be – as far as I am concerned – the best solution. This would allow us to tie the authentication for the voice UI into cryptographically strong identity techniques.
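To make the "meta data channel" idea concrete, here is an added example (my own sketch, not code from the post or from any telephony product) of what the provider side and the caller side would exchange over such a data channel: the provider sends a random challenge, the caller signs it with the private key enrolled for their account, and the provider verifies the signature. The challenge is bound to the claimed customer, expires after a short time and can be answered only once, which gives it the same single-use, time-limited property as the web-issued password in the second list item. The customer id "alice", the 30-second deadline and the `voice-call-auth:` message prefix are assumptions for the sake of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Verifier models the provider side (e.g. the bank's voice system). It holds the
// public key enrolled for each customer and remembers outstanding challenges so
// that each one can be answered only once, and only before its deadline.
type Verifier struct {
	enrolled   map[string]ed25519.PublicKey // customer id -> enrolled public key
	challenges map[string]challengeState    // hex(nonce) -> state
	ttl        time.Duration                // how long a challenge stays valid
	now        func() time.Time             // clock, injectable for tests
}

type challengeState struct {
	customer string
	issued   time.Time
	used     bool
}

func NewVerifier(ttl time.Duration) *Verifier {
	return &Verifier{
		enrolled:   map[string]ed25519.PublicKey{},
		challenges: map[string]challengeState{},
		ttl:        ttl,
		now:        time.Now,
	}
}

// Enroll records the public key a customer registered out of band (e.g. via the web site).
func (v *Verifier) Enroll(customer string, pub ed25519.PublicKey) { v.enrolled[customer] = pub }

// Challenge issues a fresh 32-byte random nonce bound to the customer who claims to be calling.
func (v *Verifier) Challenge(customer string) ([]byte, error) {
	if _, ok := v.enrolled[customer]; !ok {
		return nil, errors.New("unknown customer")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	v.challenges[hex.EncodeToString(nonce)] = challengeState{customer: customer, issued: v.now()}
	return nonce, nil
}

// message binds the nonce to a purpose string and the customer id, so a signature
// produced for this exchange cannot be reused in another context. (Prefix assumed.)
func message(customer string, nonce []byte) []byte {
	return append([]byte("voice-call-auth:"+customer+":"), nonce...)
}

// Respond is the caller side: prove possession of the private key by signing the challenge.
func Respond(priv ed25519.PrivateKey, customer string, nonce []byte) []byte {
	return ed25519.Sign(priv, message(customer, nonce))
}

// Verify checks, in order: the challenge exists and belongs to this customer, it has not
// been answered before, it has not expired, and the signature is valid for the enrolled key.
// The challenge is consumed on any attempt, so a bad signature cannot be retried.
func (v *Verifier) Verify(customer string, nonce, sig []byte) error {
	key := hex.EncodeToString(nonce)
	st, ok := v.challenges[key]
	if !ok || st.customer != customer {
		return errors.New("unknown challenge or customer mismatch")
	}
	if st.used {
		return errors.New("challenge already used (replay)")
	}
	st.used = true
	v.challenges[key] = st
	if v.now().Sub(st.issued) > v.ttl {
		return errors.New("challenge expired")
	}
	if !ed25519.Verify(v.enrolled[customer], message(customer, nonce), sig) {
		return errors.New("signature does not match enrolled key")
	}
	return nil
}

func main() {
	// Constructed demo: one customer, one honest call, then a replay of the same response.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	v := NewVerifier(30 * time.Second)
	v.Enroll("alice", pub)
	nonce, _ := v.Challenge("alice")
	sig := Respond(priv, "alice", nonce)
	fmt.Println("first answer:", v.Verify("alice", nonce, sig))  // <nil>
	fmt.Println("replayed:    ", v.Verify("alice", nonce, sig)) // challenge already used (replay)
}
```

The point of the example is that none of the knowledge-based questions from the post appear anywhere: the only secret is the private key, which never leaves the caller's device, and the provider stores only public keys, so a breach of the provider's database does not let anyone impersonate a customer on the phone. Authenticating the provider to the caller (the phishing problem above) is the same exchange with the roles swapped.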