Protecting Your Handset
By Steve Wallage, Mon Aug 11 11:00:00 GMT 2003
Can voice authentication be the way forward in protecting your handset?
Handset crime continues to be a major problem. Exact figures are hard to come by, and are often out of date. Figures for the UK in 2001 vary from 330,000 stolen phones according to police figures to 470,000 in the British Crime Survey and as high as 550,000 if user survey figures are extrapolated. In London, around 25-35% of all robberies are 'phone-only'.
The figures have probably eased as the UK government has created the Mobile Phone Reprogramming Act 2002 to gain a database of mobile phone serial numbers. It has also increased sentences so that those convicted of reprogramming stolen handsets could now be jailed for up to five years. However, the figures remain frighteningly high.
To add to the unpleasantness of being robbed, there is the additional concern that the criminal may be able to access valuable data. This will become an increasing worry as the use of m-commerce grows. It is already an issue in the PDA market. A UK survey by Infosecurity Europe and Computer Weekly shows that 57% of users do not encrypt their handheld data and that 73% of businesses do not have a security policy for handhelds. The survey also showed that 35% of handheld users keep documents and spreadsheets on their handhelds, and 33% keep track of their passwords and PINs on them.
So as the mobile device becomes ever more valuable and home to ever more critical information, how best to protect that data?
Does a PIN Code Work?
The good old four-digit Personal Identification Number is exactly that in security terms - 'old'. Ian Anderton, General Manager at voice authentication and signal company Domain Dynamics, thinks that it has "had its day."
Although the PIN does offer 10,000 combinations, it has a lot of flaws. Many users don't even use a PIN, due to both apathy and fear of forgetting it. Those that do use one rarely change it. The PIN can also be easily copied.
Voice technology has had something of a renaissance in recent years. Big players have looked to benefit from consolidation and develop network-based solutions. Take ScanSoft, which has now acquired Lernout & Hauspie, Philips Speech Processing and SpeechWorks. The likes of Microsoft and IBM have invested serious R&D money into speech technology. This means that the reliability and accuracy of speech recognition technology have now improved significantly.
Domain Dynamics claim that their embedded solution can offer accuracy rates of over 99% for a one-word spoken password. They model the noise environment to ensure that the accuracy is not affected by background noise. They also use filtering techniques to ensure that the speech is recognized even if, for example, the speaker has a cold. The company claims it would be extremely difficult to impersonate the voice of somebody else, and that they have minimized the 'false accept' percentage.
There are other potential advantages to voice authentication. Domain Dynamics has partnered with ARM to ensure it can be easily embedded into the chipset. Real time processing of voice can take less than one second, and require less than 25 MIPS of processing power. Other speech technology companies tend to come at this market from the high end networking side, such as SpeechSecure from SpeechWorks, but there would be a number of serious voice authentication players if this market developed.
The two biggest obstacles for voice authentication companies are credibility issues and investment in handset security.
To many users, voice authentication reminds them of funny stories around the Apple Newton and other early models. Users are likely to be very wary over the accuracy and security of their voice, as well as possibly self-conscious about speaking their password.
Investment in handset security affects all technologies vying to offer more than a PIN. Do the vendors, or operators, care enough about this issue, or want to go through all the integration and testing issues? Domain Dynamics believe that the 12-18 month product development cycle of the handset vendors makes OEMs and mobile operators a more attractive opportunity. They also see the opportunity to sell directly to enterprise customers with products such as a company smartcard containing a 'voice biometric'.
Anderton at Domain Dynamics sees the first users for voice authentication being the PDA and high end market, and starting at the beginning of 2004.
The Other Options
Unsurprisingly, there are a number of other technologies that seek to do the same thing as voice authentication and offer a step up from PINs. All claim high levels of accuracy based on 'unique' characteristics of the user.
For PDA users, signatures have been proposed as a solution by vendors such as Security Biometrics. The accuracy comes not just from the actual signature but from the speed and pressure with which it is written. The PenFlow engine from Security Biometrics stores the captured bytes in only 200 bytes of storage space and allows personal profiles to be stored on smartcards and tokens. As with voice authentication, there are user concerns over how easily this can be copied.
Fingerprint readers have now been around for a while, and users certainly subscribe to the view that their fingerprints are unique. Vendors include Precise Biometrics. Disadvantages include the additional weight and inconvenience of the reader and some concerns over accuracy.
Another option is using the iris of the eye to identify the user. The accuracy rate is claimed to be wonderful but the cost seems to be prohibitive for many years to come for the mobile industry.
Handset security falls into the position of 'nice to have' rather than 'critical' for many in the mobile industry. It is also unclear who should drive the market - whether it is the handset manufacturers, operators or individual end users and corporate customers. What is clear is that security, even if it is sometimes a perception rather than reality, remains the number one obstacle for mobile applications.
The use of PINs and passwords should not be discounted, as they can be made more secure (for example, by extending to six digits or adding letters) and, after all, are still deemed sufficient for many IT systems. But the usage of more advanced handset security techniques should be seriously examined.
Steve Wallage works and writes for the451. Steve has more than 13 years of experience as a technology analyst specializing in telecommunications.