Tips for a Successful Voice Biometrics Deployment
"This stuff used to be James Bond technology," jokes Nik Stanbridge, director of product marketing at VoiceVault.
Indeed, the idea of someone speaking on the phone and having a computer recognize him used to be the stuff of Hollywood. The same goes for optical, fingerprint, and full-body scans, all of which are employed at airports in some cities.
Voice biometrics technology has been steadily gaining mainstream awareness among companies with advanced IVR systems. In their sales pitches, vendors are focusing less on tech jargon and more on business benefits. They're not up against as much fundamental suspicion about their offerings. So, let's say you're one of those convinced businesses. You've decided to buy a voice biometrics solution. What can you expect from the process, and how can you get the most out of it?
Naturally, all deployments are different. This holds true for almost all software. It becomes unique once it becomes part of a bigger ecosystem, call centers particularly, and voice biometrics especially. Voice biometrics has to be carefully tailored. The voiceprints that make up the core of its authentication processes are heavily shaped by the regionalisms and demographics of the end user base, as well as modality. A company that receives calls mostly from Texans who are 65 and older would have to be tuned very differently from an organization that gets mobile app hits from California businessmen and women.
Selecting a vendor marks the beginning of a long conversation and process. To build a successful voice biometrics deployment, a company must know who its customers are, what its business value is, and how its information is secured. Therefore, it is critical that all appropriate stakeholders be part of the conversation.
The most obvious stakeholder in the selection process is the business team, which generally sets the criteria for success: reduced costs, better customer satisfaction ratings, etc. Likewise, the team generally charts the solution strategy at the highest levels. Composed of chief executive officers, financial officers, vice presidents, and marketing folks, the team often takes the lead in the vendor selection process as well.
To help define the technology specifics of implementation in a business's contact center environment, one can expect to have at the table the information technology team, whether it is in house or part of a team from a third-party vendor or consultancy. This group also might include speech scientists and user interface designers, who are responsible for integrating the voice biometrics into the system architecture.
Lawyers or compliance experts might be needed to make sure that a system is created within the required legal framework. This is particularly important in the healthcare and financial sectors. To help understand and target the customer base in the implementation process, contact center managers might also be included. They can help educate the agent pool as well.
Likewise, a company's security team needs to be present to work through data security and risk assessment. Although key players in a voice biometrics rollout (since a voiceprint is a new form of authentication), the security team is often forgotten in stakeholder conversations, according to Jenny Burr, senior manager of speech science for Convergys. "The security folks are very important to have from day one," Burr says. "It's one of my lessons learned. Having them there, and engaged, is very important."
Burr recalls a deployment in which the security team was not included in the conversation about implementation until quality assurance (QA) testing. The security department became startled when it found out that a new authentication form was about to be rolled out without its input. The result was unnecessary project delays and rising costs. "We had actually gone through several rounds of QA," Burr says. "[Security was] like, "Wait a minute. We don't know what's going on with this project." At that point, we had to educate them as to what we were doing, what voice biometrics would do for them, what the different false acceptance and reject rates mean to them…. We had to do a lot of catch-up with them to get them on board with what the technology is and how it should be implemented for their clients."
Those kinds of delays are avoidable. Most of the security measures, which are used to secure biometrics data flowing through a contact center, are protected in ways that are entirely familiar to security teams. Voiceprints, for instance, are generally encrypted using the same algorithms already used within existing security systems. "We don't use proprietary techniques," says Julia Webb, executive vice president for sales and marketing at VoiceVault. "We use what the industry adopts. So if you're using [Microsoft] SQL Server Enterprise to store the voiceprints, which is one common method, then single-server enterprise has encryption that's built into it. So that's utilized. If it's an Oracle database, for instance, we use theirs. It's whatever is readily available."
One could even use plain old Windows encryptions, says Valene Skerpac, president of iBiometrics, a research, development, and consulting group focused on security and authentication. Skerpac adds that voiceprints can be given securely over a phone line by tunneling with secure socket layer (SSL) certification.
That voice biometrics requires no special encryption is important from a security and design perspective for two reasons. First, it is non-disruptive to an existing system's workflow, requiring no extra layers of security. Second, from a compliance standpoint, it makes it much easier to use standardized and commonly accepted encryption methods with broad use and familiarity—ones with long legal precedent where standards like the Health Information Portability and Accountability Act (HIPAA) are concerned.
Once a system is introduced into a user base, the big question becomes: How is its success defined and maintained? In general, success is defined by metrics such as false reject rates (the number of people who are incorrectly denied access to their accounts) and false acceptance rates (the number of people able to gain access to accounts that aren't rightly theirs), as well as by cost reduction figures or efficiencies defined in a service-level agreement between a biometrics vendor and its customer. Defining these, particularly the false negative and positive rates, requires a delicate dance.
"We had a company that didn't understand the false acceptance and false reject rates," Convergys' Burr says. "They put the demands on the product and the implementation, saying it had to have 99 percent accuracy and not let any impostors in. Of course, we don't want to do that [let impostors in], but you have to set an appropriate false accept versus a false reject rate. One affects the other."
When a user makes an utterance in a biometrics system, it is scored and then is either accepted as a match or rejected. If that threshold gets set inappropriately high, there would be few, if any, false accepts, but there will also be a much higher number of false rejects. Likewise, if the threshold is set too low, the system might incorrectly give access to users who aren't whom they claim to be. Finding a balance between the two means having a strong sense of who is using the system, why, and finding the right point at which no, or almost no, false accepts are made, while letting a very high number of people positively authenticate. After all, if too many people are rejected, they'll end up talking to agents and driving up contact center costs.
These thresholds may need tweaking over time, too. After a system is initially tuned, which is to say when the sweet spot between false accepts and rejects is found and the system is optimized to deal with the demographics of its user base, it will require periodic tuning to ensure that it maintains a high standard of quality. Vendors address this challenge differently. Most offer intensive real-time monitoring and statistical analysis of calls coming in to a contact center. Some, however, tune only when red flags crop up in the system (as outliers are encountered), while others provide scheduled tuning.
Burr suggests a users' test every 12 to 18 months. "If you have any special considerations, like a new user population, then you might as well," she says. "You might do authentication and impostor testing sessions periodically, especially as you're doing your rollout."
Stanbridge says, "We typically set thresholds in our SLAs that commit us to optimizing after, say, six months or 20,000 or 60,000 authentications. For us, it's about the amount of use the system is seeing, not about time. It's about verification and enrollments."
One of the biggest challenges in voice biometrics deployment, however, centers on marketing and education, specifically getting the customer base to opt in and use the system. Although voice-printing technology has been around for more than a decade, and speech technology has been around in some form for more than half a century, the idea of using your voice to authenticate your identity is new for many users. Many people simply have not had much contact with the technology.
"Voice biometrics technology is new in terms of deployments," Stanbridge says. "There aren't very many out there."
Chuck Buffum, vice president of authentication solutions at Nuance Communications, says, "If you just turn on [a biometrics solution] on some Tuesday, and a person unwittingly gets asked to speak their pass phrase and doesn't know what it is about, you're going to have absolute chaos."
Consequently, in the absence of broad familiarity, education has to be a big part of any deployment strategy. Many of the consultants, vendors, and analysts interviewed for this article believed that significant resources had to be committed to making sure that there was good uptake. Often, they mean leveraging contact center agents and salespeople to make personal connections to ensure customers know how to use voice biometrics solutions and understand the benefits. This can be done in an organic way that creates a good user experience, too.
For instance, say a banking customer calls into an IVR to get account information. He is asked for his account number, but, like many people, he doesn't know it off the top of his head. So he asks for an agent. The agent begins a process of verifying the caller, asking for a PIN number, identifying information, and so on. During that conversation, the agent might mention that the bank is offering a new service that uses voice biometrics to verify a user's identity. It works with only the customer's voice. There's no need to remember a bank account number and no need to wait in a queue for an agent. It's much faster and it's secure without the need to re-verify. The overall call experience will improve.
At that point, with this kind of a pitch, the benefits are obvious, since the user has likely experienced some added inconvenience, and would probably like to skip it the next time he calls.
"You can say, "Hey, I've got an offer. It's going to take you less than 60 seconds to enroll and register for this system, and it's going to make all your service calls easier," Buffum explains. "You get a surprisingly high take rate from that. People are interested in security, but they are committed to their own convenience."
Agents also are important in this pitch context because they can be used dynamically to manage user expectations and address concerns. Whenever voice biometrics is explained, privacy concerns often immediately follow. People sometimes worry that their voice might be captured and reused elsewhere to steal their identities.
"These privacy concerns are not specific to voice biometrics," VoiceVault's Webb says. "It comes up in fingerprint deployments and facial recognition. You definitely need to address that to encourage adoption of the solution."
Webb believes that in many deployment cases, it is important to have agents on the front lines explaining that a voiceprint is just a mathematical representation, as opposed to something that can be reused in "a one-to-many, Big Brother-type scenario," she says.
Agents also provide a great opportunity to address one of the big challenges in getting good verification results: getting clean audio.
By this point in the technology development, most vendors have become adept at dealing with users who have colds, differentiating between twins and family members, and a number of other conditions that salesmen and saleswomen love to parade in sales meetings and in proof-of-concept demonstrations.
More difficult to circumvent are severe channel issues, such as poor cell phone reception and extremely noisy background environments. Voice biometrics vendors have techniques to counter those, but they can be pushed only so far.
And, in all fairness, even humans have a hard time with recognition in similar circumstances. That said, as a rule, the cleaner the audio, the stronger the verification.
When an agent is explaining a biometrics solution, she can help manage expectations around what contexts are appropriate for verification. That way, users don't become unreasonably frustrated when they can't verify their accounts with one bar of mobile service on, say, a busy street in New York, with jackhammers pounding pavement, taxis blaring their horns, and lunatics screaming about low rates on new cell phone plans in the background. If they understand the challenges, users in these types of scenarios might even avoid calling altogether; instead, they might wait to find themselves in a more suitable environment before trying to gain access to their bank accounts over the phone, which might, in turn, mean better results from the solution.
Often, the majority of false negatives that a system experiences—where users are denied access to their accounts even though they are who they say they are—are driven by just a few outlier voiceprints, says Almog Aley-Raz, former CEO of PerSay, which was acquired by Nuance, where he is now vice president of voice biometrics. This means that avoiding issues around just a few voiceprints could have noticeable effects on overall performance rates.
In addition to using agents, companies might consider other outreach initiatives that involve targeting calling, email blasts, and direct mailing.
Aley-Raz points to PerSay's deployment with Bank Leumi as an example. During the initial launch, among the many modes of outreach it pursued, the Israeli bank cleverly used the bills and monthly statements that were already going out as an opportunity to include teasers and informational material about the coming voice biometrics features in its system. This was particularly important because Bank Leumi was switching to a text-independent system and eliminating authentication questions. Customers had to be reassured that their accounts were going to be safe even though they weren't being asked the same questions to which they had grown accustomed.
Bank Leumi's efforts to get customers enrolled were successful. According to Aley-Raz, the bank has more than 400,000 voiceprints on record, which is much more than 5 percent of Israel's entire population.
Aley-Raz also points to short message service (SMS) texts as a good way to reach customers because they can include links that bring users directly into the system. Likewise, texts can also be used as a security check in verifying a user. An SMS text can be sent to a mobile phone on file to notify the customer that a voiceprint has been created. That way, if a print is created by an impostor, the true user will be made aware.
That said, a sense of balance has to be achieved in considering any outreach strategy. It is important to bear the goals of a system in mind when planning for a deployment's outreach.
"When we talked to TD Waterhouse about their deployment, we said, 'Did you think about sending a letter to your brokerage customers?'" Nuance's Buffum says. "They said 'We have 1 million customers but only one in 500,000 ever call me. It costs a dollar to write, develop, stuff, and mail a letter. That's $1 million. That's insane. That's more than we paid for the whole project.' Outreach has to be thoughtful. I'm not saying sending a letter isn't relevant, but it has to make good business sense."
A smart campaign in Buffum's eyes takes a systematic approach. It looks at a given company's customer base, segments it appropriately, and matches a delivery vehicle with the population. Large strategic partners might get a direct phone call from a high-level sales representative, while others will be offered enrollment when they call in, the younger demographics might get texts, and others still might get a proactive email.
"It's important to have an offer to enroll that's applicable to the particular group you're reaching out to," he says.
Whatever the mode of delivery, voice biometrics professionals are convinced that focusing on convenience as a selling point is far more compelling than security, the traditional benefit associated with voice biometrics. One reason for this might be that in many cases, particularly in the financial services industry, end users are shielded from fraud. Most credit card companies and banks offer protections from identity and account theft, so individual customers don't end up with the associated risk. Rather, it is something that is taken on by the financial enterprise.
"I feel like if someone gets my credit card information, for instance, I'm not responsible," Skerpac says.
"I don't have to pay anything," she adds. "People are not as careful. So they think it's a bother. Of course, they don't want their information stolen, but they'd behave differently if they had to pay."
In other words, an argument about added security likely would have little sway over a financial institution's end user. The risk belongs to the institution. Why should the customer have to deal with the hassle of learning a new system for added security that provides no tangible benefit?
At the end of the day, few users want to be in a self-service system, be it an IVR or something else. Most want to get in, resolve their problem, or get whatever service they need, and get out. A company would thus do better to use convenience factors in its outreach. This is important because, as Stanbridge succinctly says, &"ROI is always predicated on getting people to enroll."
Third-Party Test
"I suggest you get a third-party test site," Skerpac says. "If you really care about checking what the vendor says, get a third party involved and see what they say. You should do it for your set-up.
"So, for instance, a vendor like Nuance says, 'I've got this big engine and all these models, and it's going to fit your thing.' But, to be honest, what I've found is that if you make it more for your environment instead of everyone else's, you're going to do best. So there's a data collection that has to be done. It can be onerous not to pay attention to things. If performance is important to you, you'll want to check not just how the engine works, but also how it's performing in your specific context. If you use a third party, they'll facilitate that."