Identification vs. Authentication

It can be useful to distinguish between the concepts of "identification" and "authentication" (sometimes called authorization). Some types of transactions, such as providing a piece of information to a caller, may require only identification, i.e., the reasonable expectation that the caller is who we think they are, such as the fact that the caller is calling in on a known ANI. Other types of transactions, such as allowing the caller to make a change to their account or transfer money, may require authentication, i.e., the caller has "logged in" with an account number and PIN, or some other higher level of security. Authorizing callers for security access is a way of ensuring that information remains known only to the caller who has provided the correct access information.

Items used to identify the caller typically include account numbers, ANI or phone number entered by caller, and the last four digits of the SSN.

Items used to authenticate callers typically include PINs, date of birth, security questions customized by the caller, voice biometrics, or some combination thereof.

When and Where to Identify and Authenticate

Have the system do as much of the work of identification and authentication as possible
Use ANI when you have it. If you can, offer to save the ANI for future reference. When you get to authentication after identification, use weighting on dynamic grammars. If you are verifying an ANI with another piece of information, you don't want false rejects to keep the caller from getting in.

Make the identification and authentication process as easy as possible and as rigorous as necessary
You don't want to derail a call because the identification process is too hard and long. But neither do you want to compromise security because it's too lax. Striking the right balance can be a challenge, but is vital to the success of the application.

Identification and/or authentication don't necessarily belong at the beginning of a call
Think about what people are doing when they call, how much functionality is accessible without identification, and how much without authentication. In some cases it makes more sense to do identification and/or authentication after the caller selects a task that requires it. The tradeoff is that it interrupts the flow: the caller chooses a function, then is derailed into identification.

Another good reason for doing it up front is to personalize the user experience or segment callers (also see Segmenting Callers and Personalization).

Identification and authentication can be split up
Per the discussion above, depending on what level of security is needed for each option, it may make sense to split up the identification and authentication pieces. Identify, then ask intent, then authenticate if necessary.
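The identify, then ask intent, then authenticate flow described above, as an added example that is not part of the original page. The task names, account data, three-try PIN limit and step names are assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):
    ANONYMOUS = 0      # nothing known about the caller
    IDENTIFIED = 1     # reasonable expectation of who is calling (ANI or account number)
    AUTHENTICATED = 2  # caller has proved it with a PIN

# Hypothetical task names with the minimum level each one requires.
TASK_POLICY = {"branch_hours": Level.ANONYMOUS, "account_balance": Level.IDENTIFIED,
               "transfer_money": Level.AUTHENTICATED}
# Constructed sample data; a real system would not hold PINs in clear text.
ANI_TO_ACCOUNT = {"5551230001": "A-1001"}
ACCOUNT_PIN = {"A-1001": "4821"}
MAX_PIN_TRIES = 3

@dataclass
class Call:
    ani: str = ""
    account: str = ""
    level: Level = Level.ANONYMOUS
    pin_failures: int = 0

def identify(call, entered_account=""):
    """Identify from ANI without prompting; fall back to an entered account number."""
    account = ANI_TO_ACCOUNT.get(call.ani) or (entered_account if entered_account in ACCOUNT_PIN else "")
    if account:
        call.account, call.level = account, max(call.level, Level.IDENTIFIED)
    return call.level

def authenticate(call, pin):
    """Check the PIN for the already identified account, counting failures."""
    if call.account and call.pin_failures < MAX_PIN_TRIES:
        if hmac.compare_digest(ACCOUNT_PIN[call.account].encode(), pin.encode()):
            call.level = Level.AUTHENTICATED
        else:
            call.pin_failures += 1
    return call.level

def next_step(call, task):
    """Decide what the dialog does once the caller has stated the task."""
    required = TASK_POLICY.get(task, Level.AUTHENTICATED)  # unknown task fails closed
    if call.level >= required:
        return "proceed"
    if call.pin_failures >= MAX_PIN_TRIES:
        return "transfer_to_agent"
    return "collect_account_number" if call.level < Level.IDENTIFIED else "collect_pin"
```

The dialog calls `identify` silently at call start and `next_step` only after intent is known, so a caller asking for branch hours is never prompted for credentials.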

Distinguish between information you're collecting for identification and that which you are verifying
When you find an account with a single piece of information, generally ANI, and then need to ask another question to authenticate, let the caller know that's what you're doing. It lets them know you know who they are but are asking for security reasons.

  • To verify I have the right account, say or enter your house number now.

Voice Biometrics

Recent methods for collecting voiceprints and matching them to callers provide another means for automated caller identification. Some systems require callers to enroll using the exact phrase they will speak to the system; others allow callers to enroll using an enrollment script but without requiring callers to speak a set identification phrase.

For the process of speaker identification, the system has a set of voiceprints and uses them to attempt to identify who is speaking; for speaker authentication, the caller is claiming to be a specific person and the system is attempting to determine if the caller is who he or she claims to be (Vacca, 2007). It is possible to combine speaker verification with other means of authentication by asking the caller to answer personal identification questions with answers known to the system (for a type of multifactor authentication) or with other authentication factors such as the caller placing the call from a personal cell phone (determined via ANI and comparison with the enterprise database) (Kaushansky, 2006; Markowitz, 2010).

Current speaker identification and authentication technologies are more error prone than purely physical biometric methods such as fingerprint, iris, or face (Jain & Pankanti, 2008). Toledano et al. (2006) found speech verification to be more error prone than fingerprint scanning, but less than signature verification. Until speaker verification becomes more accurate, it will likely be useful only for low-security applications unless combined with other verification methods to achieve multifactor authentication.

References

Jain, A. K., & Pankanti, S. (2008). Beyond fingerprinting. Scientific American, 299(3), 78-81.

Kaushansky, K. (2006). Voice authentication – not just another speech application. In W. Meisel (Ed.), VUI Visions: Expert Views on Effective Voice User Interface Design (pp. 139-142). Victoria, Canada: TMA Associates.

Markowitz, J. (2010). VUI concepts for speaker verification. In W. Meisel (Ed.), Speech in the User Interface: Lessons from Experience (pp. 161-166). Victoria, Canada: TMA Associates.

Toledano, D. T., Pozo, R. F., Trapote, Á. H., & Gómez, L. H. (2006). Usability evaluation of multi-modal biometric verification systems. Interacting with Computers, 18, 1101-1122.

Vacca, J. R. (2007). Biometric technologies and verification systems. Burlington, MA: Elsevier.