1. Technical Field
The present disclosure relates to user authentication, and in particular, to a system and method for user authentication using non-language words.
2. Description of Related Art
Certain organizations engage in sensitive transactions, such as banks, brokerage houses, the military, intelligence services and other entities. Some of these services deal with information that may be personally, financially or even legally sensitive. Many of these transactions are conducted from remote locations using communications technologies such as the internet, land based phones (e.g., Voip or POTS), cell phones, IP based phones, using ATM machines and the like. Additionally, remote authentication is sometimes employed to control access to facilities or buildings; for example, an organization may have several facilities located throughout the world with each having several entrances. Security protocols to these various facilities or entrances may include authentication technology, such as card access, biometric devices and the like. In some situations, it is advantageous to have the authentication servers located centrally such that the data used to authenticate a person is centrally protected and managed.
Verifying that users are entitled to access is sometimes done using a two-factor system of authentication. A cell phone or other mobile device is enrolled in the system and the system associates the phone number with the name of the owner. When a transaction takes place, the originating number is compared to a list of authorized telephone numbers (via caller ID) and an SMS message is sent back asking to the user's phone to reply with a pin number, which is used to validate and/or authenticate the user's identity.
These pin numbers are sometimes restricted to digits 0 through 9. The small number of allowable characters (10) coupled with a pin numbers of 4 to 6 digits (enough to hold a birth date, for example) make them less than ideal than digital keys (with a usual length of 128 or 256 bits), in certain environments; however, digital keys are unsuitable for use with some cell phones models. Certain cell phone models keep records of messages sent such that the pin number is extractable from previous uses of the system by anyone who happens to acquire the phone or, in some cases, someone who accesses to the phone from a small distance using a Bluetooth compatible device.
Some mobile devices have limited security capabilities because of the limitations of the hardware. Biometric devices, such as fingerprint readers, can be conveniently attached to a desktop computer, but it is unreasonable to expect mobile users to carry bulky models of fingerprint readers around to attach to their cell phone whenever they want to perform a sensitive transaction. Standard industry practice is to send an SMS message to the originating phone requesting confirmation. If proper security precautions are not implemented and the phone falls into skilled hands, security breaches may be possible.
Some proposed security protocols utilize voice authentication. Voice authentication uses a person's voice for authentication. Two types of voice authentication involve: (1) having the user recite the same words used in the registration session during the authentication session or (2) having the user recite some words not recited in the registration session during the authentication session; these two types are referred to herein as registration-word dependent authentication and registration-word independent authentication, respectively. The probability of obtaining a voice match during a registration-word independent authentication session depends, in part, on the length of the sample being matched; and the more time the user speaks, the probability of acquiring enough data to make (or reject) a match with sufficient certainty increases in this type of authentication session. However, other factors also affect the ability to make (or reject) a match, such as the quality of the sound signal. Some voice authentication technologies that utilize a registration-word dependent authentication session need at least 30 seconds of speech to make a match.
Therefore, the parameters of a strong mobile authentication method using voiceprint matching should include a way to keep the subject talking for a threshold amount of time (e.g., at least 30 seconds) and extending the time if, for some reason, more data is needed to verify the match. It should also reject easily discovered information such as the subject's address. It must also avoid using a subject's social security number, since storing and transmitting SSNs create an unacceptable risk for identity theft. The method should also include protections against clever attempts at recording or digitizing the subject's voice beforehand in order to defeat voice-based security.