US 20030221125A1

(19) United States
(12) Patent Application Publication
(10) Pub. No.: US 2003/0221125 A1
Rolfe
(43) Pub. Date: Nov. 27, 2003

(54) USE OF PUBLIC SWITCHED TELEPHONE NETWORK FOR AUTHENTICATION AND AUTHORIZATION IN ON-LINE TRANSACTIONS

(76) Inventor: Andrew R. Rolfe, Itasca, IL (US)

Correspondence Address:
WELSH & KATZ, LTD
120 S RIVERSIDE PLAZA
22ND FLOOR
CHICAGO, IL 60606 (US)

(21) Appl. No.: 10/155,821
(22) Filed: May 24, 2002

Publication Classification
(51) Int. Cl.7: H04L 9/00
(52) U.S. Cl.: 713/201

(57) ABSTRACT

A system for authentication and/or authorization which incorporates two communication channels, and at least one of third-party data sources, geographic correlation algorithms, speech recognition algorithms, voice biometric comparison algorithms, and mechanisms to convert textual data into speech. A site visitor’s identity can be verified using one or all of such features in combination with a visitor’s address on one of the channels.

[Front-page figure: block diagram. Recoverable labels: Service Provider; Telephone 46; Public Switched Telephone Network 44]

TWILIO, INC. EX. 1011
Page 1

[Figure 2A (Sheet 2 of 4): Redirect Model. Labeled elements: Site Visitor; Site Visitor Computer 14; Authentication and/or Authorization Service Site]

[Figure 2B (Sheet 3 of 4): Server-to-Server Model. Labeled elements: Site Visitor; Site Visitor Computer; Target Site; Authentication and/or Authorization Service Site]

USE OF PUBLIC SWITCHED TELEPHONE NETWORK FOR AUTHENTICATION AND AUTHORIZATION IN ON-LINE TRANSACTIONS

FIELD OF THE INVENTION

[0001] The invention pertains to automated on-line authentication and authorization systems. More particularly, the invention pertains to such systems, which incorporate speech processing.

BACKGROUND OF THE INVENTION

[0002] The Internet offers the prospect of expanded, world-wide commerce, e-commerce, with potentially lower cost to purchasers than heretofore possible. However, the lack of direct person-to-person contact has created its own set of problems. Identity theft is a problem threatening the growth of e-commerce.

[0003] E-commerce growth will only occur if there is a trusted and reliable security infrastructure in place. It is imperative that the identity of site visitors be verified before granting them access to any online application that requires trust and security. According to the National Fraud Center, its study of identity theft “led it to the inescapable conclusion that the only realistic broad-based solution to identity theft is through authentication.” Identity Theft: Authentication As A Solution, page 10, nationalfraud.com.

[0004] In order to “authenticate” an entity, one must:

[0005] 1. identify the entity as a “known” entity;

[0006] 2. verify that the identity being asserted by the entity is its true identity; and,

[0007] 3. provide an audit trail, which memorializes the reasons for trusting the identity of the entity.

[0008] In the physical world, much of the perceived security of systems relies on physical presence. Traditionally, in order to open a bank account, an applicant must physically appear at a bank branch, assert an identity, fill out forms, provide signatures on signature cards, etc. It is customary for the bank to request of the applicant that they provide one or more forms of identification. This is the bank’s way of verifying the applicant’s asserted identity. If the bank accepts, for instance, a driver’s license as a form of identification, then the bank is actually relying on the processing integrity of the systems of the state agency that issued the driver’s license that the applicant is who he/she has asserted themselves to be.

[0009] The audit trail that the bank maintains includes all of the forms that may have been filled out (including signature cards), copies of important documents (such as the driver’s license), and perhaps a photo taken for identification purposes. This process highlights the reliance that a trusted identification and authentication process has on physical presence.

[0010] In the electronic world, the scenario would be much different. An applicant would appear at the registration Web site for the bank, enter information asserting an identity and click a button to continue the process. With this type of registration, the only audit trail the bank would have is that an entity from a certain IP address appeared at the Web site and entered certain information. The entity may actually have been an automated device. The IP address that initiated the transaction is most likely a dynamically-assigned address that was issued from a pool of available addresses. In short, the bank really has no assurance of the true identity of the entity that registered for the account.

[0011] To resolve this issue, many providers of electronic commerce sites have begun to rely on mechanisms that do not happen as part of the actual electronic transaction to help provide assurance that the transaction is authentic. These mechanisms are generally referred to as “out-of-band” mechanisms. The most frequently used out-of-band authentication mechanism is sending the end user a piece of mail via the United States Postal Service or other similar delivery services. The piece of mail sent to the end user will contain some piece of information that the site requires the end user to possess before proceeding with the registration.

[0012] By sending something (e.g., a PIN number) through the mail, and then requiring the end user to utilize that piece of information to “continue” on the Web site, the provider of the site is relying on the deterrent effects of being forced to receive a piece of mail at a location, including but not limited to, the federal laws that are intended to prevent mail fraud. The primary drawback of using the mail is that it is slow. In addition, there is no audit trail. In this day and age of the Internet, waiting “7-10 days” for a mail package to arrive is not ideal for the consumer or the e-commerce site.

[0013] An authentication factor is anything that can be used to verify that someone is who he or she purports to be. Authentication factors are generally grouped into three general categories: something you know, something you have, and something you are.

[0014] A “something you know” is a piece of information which alone, or taken in combination with other pieces of information, should be known only by the entity in question or those whom the entity in question should trust. Examples are a password, mother’s maiden name, account number, PIN, etc. This type of authentication factor is also referred to as a “shared secret”.

[0015] A shared secret is only effective if it is maintained in a confidential fashion. Unfortunately, shared secrets are often too easy to determine. First, the shared secret is too often derived from information that is relatively broadly available (Social Security Number, account number). Second, it is difficult for a human being to maintain a secret that someone else really wants. If someone really wants information from you, they may go to great lengths to get it, either by asking you or those around you, directly or indirectly, or by determining the information from others that may know it.

[0016] A “something you have” is any physical token which supports the premise of an entity’s identity. Examples are keys, swipe cards, and smart cards. Physical tokens generally require some out-of-band mechanism to actually deliver the token. Usually, some type of physical presence is necessary (e.g., an employee appearing in the human resources office to pick up and sign for keys to the building.)

[0017] Physical tokens provide the added benefit of not being “socially engineer-able”, meaning that without the physical token, any amount of information known to a disreputable party is of no use without the token. A trusted party must issue the token in a trusted manner.

[0018] A “something you are” is some feature of a person that can be measured and used to uniquely identify an individual within a population. Examples are fingerprints, retina patterns, and voiceprints. Biometric capabilities offer the greatest form of identity authentication available. They require some type of physical presence and they are able to depict unique characteristics of a person that are exceedingly difficult to spoof.

[0019] Unfortunately, capturing a biometric requires specific hardware at the user’s location, and some of the hardware to support biometrics is expensive and not yet broadly deployed. Some biometric technology in use today also relies on an electronic “image” of the biometric to compare against. If this electronic image is ever compromised, then the use of that biometric as identity becomes compromised. This becomes a serious problem based on the limited number of biometrics available today. More importantly, biometrics cannot be utilized to determine an individual’s identity in the first instance.

[0020] A security infrastructure is only as strong as its underlying trust model. For example, a security infrastructure premised upon security credentials can only address the problems of fraud and identity theft if the security credentials are initially distributed to the correct persons.

[0021] First-time registration and the initial issuance of security credentials, therefore, are the crux of any security infrastructure; without a trusted tool for initially verifying identity, a security infrastructure completely fails. The National Fraud Center explicitly noted this problem at page 9 of its report:

[0022] “There are various levels of security used to protect the identities of the [security credential] owners. However, the known security limitation is the process utilized to determine that the person obtaining the [security credential] is truly that person. The only known means of making this determination is through the process of authentication.”

[0023] In any security model, the distribution of security credentials faces the same problem: how to verify a person’s identity over the anonymous Internet. There are three known methods for attempting to verify a site visitor’s identity. The three current methods are summarized below:

[0024] Solution A: An organization requires the physical presence of a user for authentication. While the user is present, a physical biometric could be collected for later use (fingerprint, voice sample, etc.). The problem with the physical presence model is that it is extremely difficult and costly for a company to require that all of its employees, partners, and customers present themselves physically in order to receive an electronic security credential. This model gets more difficult and more expensive as it scales to a large number of users.

[0025] Solution B: A company identifies and authenticates an individual based on a shared secret that the two parties have previously agreed upon. The problem with the shared secret model is that it in itself creates a serious security problem: shared secrets can easily be compromised. Since the shared secret is relatively easy to obtain, this security model suffers from serious fraud rates. Use of an electronic copy of a specific biometric like a thumbprint could be used as a shared secret. But once it is compromised, one cannot reissue a new thumbprint and there is a limited set of others to choose from.

[0026] Solution C: A company relies on communication of a shared secret through the postal service. This process begins when the user registers at a Web site and enters uniquely identifying information. A personal identification number (PIN) is then sent to the user at a postal mailing address (assuming the identifying information is correct). The user must receive the PIN in the mail, return to the Web site and re-register to enter the PIN. The postal service is used because it is a trusted network; there is some assurance of delivery to the expected party and there are legal implications for breach of the network. A large flaw with this method is the built-in delay of days, even weeks, before the user receives the PIN. This mode of authentication is too slow by today’s business standards; the potential of the Internet to transform the structure of commerce rests firmly on the ability to process transactions rapidly. Too many people simply never finish the process. Moreover, there is a limited audit trail to refer to in the event of a dispute regarding the use of the security credential. A signature (another type of biometric) could be required, but that triples the delay until the PIN is returned. Organizations are seeing a large number of potential customers not returning to close a transaction after these delays.

[0027] Table I summarizes characteristics of the known authentication processes.

TABLE I: Authentication Processes
[Table: column headings recovered: Physical Presence; Shared Secrets. Characteristics (rows): Automated; Easily Scalable; Auditable; Can use biometrics; Has legal protections; Occurs in real time, therefore tends to retain customers; Deters fraud; Protects private data. Per-cell check marks are not recoverable.]

[0028] Known solutions do not enable organizations to distribute efficiently and securely electronic security credentials. There continues to be a need for improved authentication or authorizing methods. Preferably such improvements could be realized without creating substantial additional complexity for a visitor to a site. It would also be preferable if such methods did not slow down the pace of the interaction or transaction. One known system has been disclosed in U.S. application No. 2002/0004831A1 published Jan. 10, 2002 and entitled System and Method of Using The Public Switched Telephone Network In Providing Authentication or Authorization For Online Transactions, assigned to the assignee hereof and incorporated herein by reference.

BRIEF DESCRIPTION OF THE DRAWINGS

[0029] FIG. 1 is a block diagram of a system in accordance with the present invention;

[0030] FIG. 2A illustrates a flow of interactions between components of a “redirect model” system and method in accordance with the invention;

[0031] FIG. 2B illustrates a flow of interactions between components of a “server to server model” system and method in accordance with the invention; and

[0032] FIG. 3 illustrates a particular application of the “server-to-server model” system and method in accordance with the invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

[0033] While this invention is susceptible of embodiment in many different forms, there are shown in the drawing and will be described herein in detail specific embodiments thereof with the understanding that the present disclosure is to be considered as an exemplification of the principles of the invention and is not intended to limit the invention to the specific embodiments illustrated.

[0034] Embodiments of the present system and method exhibit characteristics which include:

[0035] 1. Use of two communications channels, different at least in part. The process is facilitated where the user has access to a telephone (for example, a device identified on one of the channels, such as a voice channel). This can provide a basic form of identity verification;

[0036] 2. Ability to input to the system over one of the channels a random, real-time generated confirmation number delivered over the other channel is used as a verification of the individual’s access to both channels. Speech recognition software can be used if the number is input via the voice channel;

[0037] 3. Data collected about the person, the communication channels and their identifiers is compared to stored or third-party data about the person or the communication channels. Similarities in this data can be used as another form of verification;

[0038] 4. The ability of the person to recite or somehow enter into one or both of the communication channels a shared secret that should only be known by the identity being verified is another form of identity verification. Speech recognition software can be used if the shared secret is input via the voice channel;

[0039] 5. Speech recognition software can be used to ensure that a voice recording taken during the session is of known content (e.g. the confirmation number) and of good quality. This voice recording can be used as part of the audit trail and for voice biometric comparison (see #6 below); and

[0040] 6. A voice print can be collected for this individual, during a registration session using the above authentication techniques, or via some other means. This previously stored voice print can be used subsequently as another form of identity verification by using voice biometric software to compare the voice print to the voice recording mentioned above in #5.
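
The confirmation-number check in item 2 can be sketched as follows. This is an added example, not code from the patent: the code length, lifetime, attempt limit and all function names are assumptions, and the phone number and IP address in any call are constructed sample values.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Assumed policy values; the page does not specify length, lifetime or retries.
CODE_DIGITS = 6
CODE_TTL_SECONDS = 120
MAX_ATTEMPTS = 3

SPOKEN_DIGITS = {
    "zero": "0", "oh": "0", "one": "1", "two": "2", "three": "3", "four": "4",
    "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9",
}


@dataclass
class Challenge:
    phone_number: str   # address of the device on the voice channel
    ip_address: str     # address of the device on the data channel
    code: str           # confirmation number delivered on one channel
    issued_at: float
    attempts: int = 0
    used: bool = False
    audit: list = field(default_factory=list)


def issue_challenge(phone_number, ip_address, now=None):
    """Create a random confirmation number at transaction time."""
    now = time.time() if now is None else now
    code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
    challenge = Challenge(phone_number, ip_address, code, now)
    challenge.audit.append((now, "issued", phone_number, ip_address))
    return challenge


def normalize_spoken_digits(transcript):
    """Turn recognizer output such as 'four oh seven' into '407'.

    Returns None if any token is not a digit, so unclear speech is rejected
    instead of being partially accepted.
    """
    digits = []
    for token in transcript.lower().replace("-", " ").split():
        if token.isascii() and token.isdigit():
            digits.append(token)
        elif token in SPOKEN_DIGITS:
            digits.append(SPOKEN_DIGITS[token])
        else:
            return None
    return "".join(digits)


def verify_challenge(challenge, submitted, now=None):
    """Check the number entered on the other channel; log every outcome."""
    now = time.time() if now is None else now
    if challenge.used:
        outcome = "rejected:already-used"
    elif challenge.attempts >= MAX_ATTEMPTS:
        outcome = "rejected:too-many-attempts"
    elif now - challenge.issued_at > CODE_TTL_SECONDS:
        outcome = "rejected:expired"
    else:
        challenge.attempts += 1
        candidate = (submitted or "").encode()
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(candidate, challenge.code.encode()):
            challenge.used = True
            outcome = "verified"
        else:
            outcome = "rejected:mismatch"
    challenge.audit.append((now, outcome))
    return outcome == "verified"
```

Every call appends to `audit`, so failed and expired attempts are recorded alongside the successful one.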

[0041] FIG. 1 illustrates a system 10 for carrying out an interactive, authentication/authorization process. In one aspect, system 10 as discussed below can be implemented using multiple communication lines, one for voice and one for data. Alternately, a single line (the telephone line) can be shared between voice communication use and data communication use.

[0042] The system 10 includes a site visitor’s display 12 and associated local computer 14. The site visitor V, via a bi-directional communication link 16 can access, forward requests to and receive services from an Internet service provider 20. Alternatively, if a separate communication line 16 is not available, the telephone line 17 can be shared between voice communication using the telephone 46 and data communication using modems. The Internet service provider 20 which would be coupled via bi-directional communication links 22 communicates via an electronic network 26, which could be the publicly available Internet or a private Intranet, with a target site 30 via a bi-directional communication link 32.

[0043] In a typical transaction, the visitor V logs onto target site 30 and requests authorization, authentication or other services alone or in combination from the site 30. In response to one or more requests from the visitor V, the site 30, via a bi-directional communication link 34 and the network 26 communicates via another link 36 with an authentication/authorization server 38.

[0044] Server 38 includes authorization/authentication software in the form of prestored executable instructions P. It also includes databases D wherein information is stored in connection with prior transactions, or previously supplied information provided by target site 30.

[0045] The authentication/authorization server 38 makes it possible to authenticate or authorize the site visitor V in accordance with the present invention. The server 38 receives either from target site 30 or directly from visitor V a telephone number where the visitor V can be called or reached essentially immediately via an automated call from server 38.

[0046] To strengthen the trust in the telephone number being used for the automated phone call, executable instructions P-1 search for the phone number within third-party databases in real-time. These databases can be local to site 38, or can be remote and accessed via network 26. Information associated with the subject phone number can be returned to site 38 for analysis. That data may also be returned to the requesting site 30 for further verification that this phone number belongs to (and is therefore being answered by) the person whose identity is being verified, the Site visitor V. The data can be processed in various ways:

[0047] i. Returned to the Target Site

[0048] Any data found associated with the phone number can be returned to the site 30 within the transaction.

[0049] ii. Name and Address Validation

[0050] The site 30 can provide name and address data, collected from visitor V or from the site’s existing database of information, to server 38. This information will be compared to name and address information server 38 finds associated with the phone number. The comparison (match or no match) can be returned to site 30 for each field of the data provided. Since the application can be customized to the Target Site’s requirements, any comparison algorithm can be applied. Some examples are:

[0051] Exact character for character match

[0052] First letter match (for initial)

[0053] Nick name match (e.g. Bob matches Robert)

[0054] Partial match (e.g. Mary-Anne partially matches Mary)
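
The four comparison types listed above, applied field by field with a per-field acceptance policy, as an added example that is not part of the patent. The nickname table, field names, records and the default policy are constructed for illustration, and case and whitespace are normalized before the "exact" test, which is an assumption.

```python
import re

# Constructed sample nickname table: nickname -> formal name.
NICKNAMES = {
    "bob": "robert", "rob": "robert", "bill": "william",
    "liz": "elizabeth", "peggy": "margaret",
}

# Assumed target-site policy: which kinds of match count as "match" per field.
DEFAULT_POLICY = {
    "first_name": {"exact", "nickname", "initial"},
    "last_name": {"exact"},
    "postal_code": {"exact"},
}


def _norm(value):
    """Trim, collapse internal whitespace and fold case."""
    return re.sub(r"\s+", " ", value.strip().casefold())


def _formal(name):
    return NICKNAMES.get(name, name)


def classify_match(provided, on_record):
    """Return 'exact', 'nickname', 'initial', 'partial' or 'none'."""
    a, b = _norm(provided), _norm(on_record)
    if not a or not b:
        return "none"          # a missing value never matches
    if a == b:
        return "exact"
    if _formal(a) == _formal(b):
        return "nickname"      # e.g. Bob matches Robert
    a_init, b_init = a.rstrip("."), b.rstrip(".")
    if a_init and b_init and (len(a_init) == 1 or len(b_init) == 1):
        # One side is an initial: compare first letters only.
        return "initial" if a_init[0] == b_init[0] else "none"
    # Partial: the values share a whole component, e.g. Mary-Anne and Mary.
    parts_a = set(re.split(r"[ \-]+", a))
    parts_b = set(re.split(r"[ \-]+", b))
    return "partial" if parts_a & parts_b else "none"


def compare_record(provided, on_record, policy=None):
    """Compare each field and report match / no match under the policy."""
    policy = DEFAULT_POLICY if policy is None else policy
    report = {}
    for field_name, accepted in policy.items():
        kind = classify_match(provided.get(field_name, ""),
                              on_record.get(field_name, ""))
        report[field_name] = {"kind": kind, "match": kind in accepted}
    return report


# Constructed records: what the target site supplied vs. what the lookup
# for the phone number returned.
SITE_DATA = {"first_name": "Bob", "last_name": "Smith", "postal_code": "60143"}
PHONE_DATA = {"first_name": "Robert", "last_name": "Smith", "postal_code": "60143"}
```

Returning the kind of match alongside the match/no-match flag lets the target site tighten its policy without changing the comparison code; under the default policy above a "partial" first name is reported but not accepted.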

[0055] iii. Geographic Correlation

[0056] A postal code provided by the site 30 can be compared to the telephone number. This can be done, for example, by calculating the distance from the geographic location of the centroid of the two dimensional area represented by the zip code, to the geographic location of the central office (PSTN switching station) serving as the last switching point for a call placed to the telephone number. Using this distance, the site 30 can make policy decisions based on how close the phone number must be to the address known for the visitor V. For example, the visitor V could be using a home phone for a business transaction late at night. The site 30 could have a policy to mark the transaction suspect if the distance is more than what the site 30 deems reasonable for the maximum commute from a person’s home to work.
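
The distance check described in [0056], as an added example that is not part of the patent. The coordinates, the lookup tables, the 80 km threshold and the use of the area code plus exchange (NPA-NXX) to find the central office are all assumptions made for this sketch; the phone numbers are constructed.

```python
import math
import re

EARTH_RADIUS_KM = 6371.0

# Constructed sample data. A real deployment would query postal and
# telephone-routing databases; keying central offices by NPA-NXX is an
# assumption of this sketch.
ZIP_CENTROIDS = {"60143": (41.90, -88.00)}
CENTRAL_OFFICES = {
    "630555": (41.95, -88.00),   # close to the sample postal code
    "217555": (40.90, -88.00),   # one degree of latitude to the south
}


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def npa_nxx(phone):
    """Return the 6-digit area code + exchange of a NANP number, or None."""
    digits = re.sub(r"\D", "", phone)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]            # drop the country code
    return digits[:6] if len(digits) == 10 else None


def correlate(postal_code, phone, max_km=80.0):
    """Compare a postal code with a phone number's central office location.

    max_km stands in for the site's "maximum commute" policy (assumed value).
    Missing lookup data yields 'unknown' rather than a pass.
    """
    centroid = ZIP_CENTROIDS.get(postal_code)
    prefix = npa_nxx(phone)
    office = CENTRAL_OFFICES.get(prefix) if prefix else None
    if centroid is None or office is None:
        return {"decision": "unknown", "distance_km": None}
    distance = haversine_km(centroid, office)
    decision = "ok" if distance <= max_km else "suspect"
    return {"decision": decision, "distance_km": round(distance, 2)}
```

The result carries the distance as well as the decision so the target site can log it in the audit trail or apply a stricter threshold per transaction type.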

[0057] In addition to accepting data input from the visitor V via the telephone keypad, system 10 can also accept spoken input using commercially available speech recognition software P-2. From a security perspective, software P-2 strengthens the use of voice recordings for the audit trail.

[0058] With speech recognition, the system 10 can ensure that the voice recordings are clear and recognizable. For example, site 38 could require the visitor V to recite the phone number dialed, one digit at a time. Since the site 30 knows the phone number, using speech recognition during the recording enables it to verify that the visitor V has clearly and correctly spoken the number, ensuring a high quality voice recording. Therefore these recordings can be more highly trusted for subsequent human review or automated voice biometric comparisons.

[0059] System 10 can incorporate commercially available software P-3 to convert text data to speech at the time of the transaction. This enables the system, via site 38, to deliver electronic security credentials audibly via the telephone in addition to, or instead of visually via the Web pages. This could be useful for applications that are required to deliver security information (like a randomly generated temporary access password) via an out-of-band network other than the Internet. This is also useful when the audible instructions for the site visitor V cannot be determined before the phone call is made. For example, the system 10 could cause random verification data to be spoken via annunciation software P-3 to practically eliminate the ability for a person to attempt to pre-record answers using someone else’s voice.

[0060] The voice recordings taken during the registration process can be used to determine the voice biometrics of the visitor V (at the time of acquisition or at a later date). The system 10 includes commercially available voice biometric software P-4 to analyze a good quality voice recording and create a “voice print” (or voice biometric), similar to a fingerprint or a written signature. It is a digital representation of the unique characteristics of the user’s voice and vocal tract. Using this voice biometric, the system 10 can use commercially available software to compare one voice with another. This allows the system to determine (within the accuracy of the voice biometric tools) if the voice of the visitor V is the same as that of the person who had previously used the system.

[0061] The first time the visitor V uses the system 10, two factors of authentication are used:

[0062] 1. the ability of that person to answer a phone call at their own phone number (“something you have”)

[0063] 2. and knowledge of a shared secret (“something you know”). Once the voice biometric has been captured, in each subsequent use of the system a third factor of biometric authentication (“something you are”) can be added to the previously described two factors. This significantly increases the strength of the authentication or authorization decision made based on this information.

[0064] The system employs two different (at least in part) communication links to reach the site visitor. The embodiments described herein use the Internet as the data communication link and the PSTN as the voice communication link. Each of the communication links has their own method of identifying the specific device being used by the site visitor. The embodiments described herein use IP address as the addressing method for the data communication device (e.g. the site visitor’s computer), and use the public telephone number as the addressing method for the voice communication device (e.g. the site visitor’s telephone).

[0065] Preferably, in a system implemented in accordance herewith (i) the communication links have a separate, independently verifiable addressing method, (ii) at least one of the communication links supports voice communication between the site visitor and the authentication/authorization site, and (iii) the security of both links is trusted by both the target and authentication/authorization sites. The links may even share some portion of a physical connection between devices (as discussed with regard to single versus multiple communication lines located at the site visitor’s location).

[0066] Various voting-type products can be created based on the above described system and functionality.

[0067] A typical on-line voting application today is exercising shareholder proxy voting rights. These voting applications typically require the use of a Personal Identification Number (PIN) that is sent via the postal mail to the street address on record for the stockholder(s). After receiving the PIN, any one of the members of that household can go to a Website, where the PIN is used as the sole identification of the stock rights being voted.

[0068] System 10 could be used to deliver the PIN verbally via a phone call, instead of using the postal mail. Instead of mailing a printed letter, system 10 could call the stockholder(s) at a known telephone number(s) and deliver the PIN via text-to-speech. This increases the security by providing an audit trail as to whom the PIN was actually delivered (the phone number used and the voice recording of the person who accepted the delivery), as well as being less costly than the more manual process of mailing printed materials. The PIN can then be used in a known fashion to carry out the voting process.

[0069] However, voting in a Federal or State election requires much more security than simply mailing a PIN to a postal address. The typical manual systems in use today use a two-step process. First, a person must register to vote. This is usually done by requiring a person’s physical presence at a State or Federal agency so that agency personnel may check records to verify that the individual is a resident, not previously registered, not listed as deceased, and other similar checks. At the time of registration, the authority captures the person’s signature. The second stage takes place at the polls.

[0070] Each time a person exercises a right to vote, poll officials authenticate prospective voters by manual comparison of the signature on record with a signature executed before them. They may also require the person to possess a voter registration card or some other type of trusted credential (e.g. a driver’s license).

[0071] System 10 could be used to fully automate the process. The process would require the capture of a voice biometric during voter registration (instead of a signature). This registration could still require physical presence, or could be done remotely using system 10. The requirement would be that at least two forms of authentication take place (e.g. shared secret and access to your home phone), and a good quality voice recording be captured. That trusted voice recording would then be used to create a voice biometric specific for that voter (similar to their written signature).

[0072] Once a person has registered to vote, he or she would simply go to a Web site to place their vote. At that Web site, they would be asked for a phone number where they can be reached at that moment (or the system could require them to be at a known, trusted phone number that is on record for that voter).

[0073] The system 10 would use previously discussed software P-1 for telephone data lookup to obtain information about the owner of that phone and its approximate location. At the same time, a phone call would be placed to that number. When the voter answered the phone, he or she would be requested to speak a shared secret (for example something similar to the manual check of a voter ID number, or a driver’s license number). While the voter is speaking the shared secret, the system will be comparing the voice with the previously created voice biometric data. Now the system has:

[0074] The phone number called

[0075] The phone number’s owner and location information

[0076] The spoken shared secret

[0077] Voice recording(s) of the voter

[0078] And a biometric comparison against the voice used during registration

[0079] Using all this data, the system 10 can apply whatever rules the vote conducting authority wishes to enforce relative to authentication of the voter. This process can be even more secure than the manual process, because:

[0080] The system is fully automated so there is no chance of collusion

[0081] The audit trail can be re-verified later if there is a dispute

[0082] It is also more effective than the manual process since it does not require the physical presence of the voter to cast his or her vote. This system can thus be used in absentee ballot situations.

[0083] The Table II-A and the FIG. 2A illustrate the use of the System 10 in a way that has the service site 38 directly interact with the visitor V. The visitor V is redirected from interacting directly with the target site 30, to interacting directly with the authentication & authorization service site 38 prior to placing the phone call. When the phone call is complete the visitor is redirected back to the target site. This model is called the “redirect model”. The redirect model is typically used when the target site wishes to off-load as much processing as possible.

[0084] The Table II-B and the FIG. 2B illustrate the use of the System 10 in a way that has the service site 38 interact only with the target site 30. The visitor V only interacts directly with the target site 30. The target site uses the authentication & authorization service site 38 as a service provider. This model is called the “server-to-server model”. The server-to-server model has no requirements of the type or method of interaction with the site visitor. The visitor could be interacting with the target site usi



