`
US 20030221125A1

(19) United States
(12) Patent Application Publication
     Rolfe

(10) Pub. No.: US 2003/0221125 A1
(43) Pub. Date: Nov. 27, 2003

(54) USE OF PUBLIC SWITCHED TELEPHONE NETWORK FOR AUTHENTICATION AND
     AUTHORIZATION IN ON-LINE TRANSACTIONS

(76) Inventor: Andrew R. Rolfe, Itasca, IL (US)

Correspondence Address:
WELSH & KATZ, LTD
120 S RIVERSIDE PLAZA
22ND FLOOR
CHICAGO, IL 60606 (US)

(21) Appl. No.: 10/155,821

(22) Filed: May 24, 2002

Publication Classification

(51) Int. Cl. H04L 9/00
(52) U.S. Cl. 713/201

(57) ABSTRACT
`
A system for authentication and/or authorization which
incorporates two communication channels, and at least one
of third-party data sources, geographic correlation algorithms,
speech recognition algorithms, voice biometric comparison
algorithms, and mechanisms to convert textual data
into speech. A site visitor's identity can be verified using one
or all of such features in combination with a visitor's address
on one of the channels.
`
[Front-page drawing; legible labels: 10, 26, Public Switched Telephone Network 44, 38, D.]
`
`TWILIO INC. Ex. 1006 Page 1
`
`
`
Patent Application Publication Nov. 27, 2003 Sheet 1 of 4 US 2003/0221125 A1

[FIG. 1 (block diagram of system 10): drawing labels not recoverable from the extracted text.]
`
[Sheet 2 of 4, FIG. 2A, Redirect Model. Labelled elements: Site Visitor Computer 14; Target Site 30; Authentication and/or Authorization Service Site 38; flows C and T.]
`
`
`
[Sheet 3 of 4, FIG. 2B, Server-to-Server Model. Labelled elements: Site Visitor Computer 14; Site Visitor Phone; Target Site 30; Authentication and/or Authorization Service Site 38; flows A, T and E.]
`
`
`
[Sheet 4 of 4, FIG. 3: drawing labels not recoverable from the extracted text.]
`
`USE OF PUBLIC SWITCHED TELEPHONE
`NETWORK FOR AUTHENTICATION AND
`AUTHORIZATION IN ON-LINE TRANSACTIONS
`
`FIELD OF THE INVENTION
`
[0001] The invention pertains to automated on-line
authentication and authorization systems. More particularly,
the invention pertains to such systems, which incorporate
speech processing.
`
`BACKGROUND OF THE INVENTION
`
`[0002] The Internet offers the prospect of expanded,
`world-wide commerce, e-commerce, with potentially lower
`cost to purchasers than heretofore possible. However, the
`lack of direct person-to-person contact has created its own
`set of problems. Identity theft is a problem threatening the
`growth of e-commerce.
`
[0003] E-commerce growth will only occur if there is a
trusted and reliable security infrastructure in place. It is
imperative that the identity of site visitors be verified before
granting them access to any online application that requires
trust and security. According to the National Fraud Center,
its study of identity theft "led it to the inescapable conclusion
that the only realistic broad-based solution to identity
theft is through authentication." Identity Theft: Authentication
As A Solution, page 10, nationalfraud.com.
`
[0004] In order to "authenticate" an entity, one must:
`
`[0005] 1. identify the entity as a "known" entity;
`
`[0006] 2. verify that the identity being asserted by the
`entity is its true identity; and,
`
`[0007] 3. provide an audit trail, which memorializes
`the reasons for trusting the identity of the entity.
`
[0008] In the physical world, much of the perceived security
of systems relies on physical presence. Traditionally, in
order to open a bank account, an applicant must physically
appear at a bank branch, assert an identity, fill out forms,
provide signatures on signature cards, etc. It is customary for
the bank to request of the applicant that they provide one or
more forms of identification. This is the bank's way of
verifying the applicant's asserted identity. If the bank
accepts, for instance, a driver's license as a
form of identification, then the bank is actually relying on
the processing integrity of the systems of the state agency
that issued the driver's license that the applicant is who
he/she has asserted themselves to be.
`
`[0009] The audit trail that the bank maintains includes all
`of the forms that may have been filled out (including
`signature cards), copies of important documents (such as the
`driver's license), and perhaps a photo taken for identification
`purposes. This process highlights the reliance that a trusted
`identification and authentication process has on physical
`presence.
`
[0010] In the electronic world, the scenario would be
much different. An applicant would appear at the registration
web site for the bank, enter information asserting an identity
and click a button to continue the process. With this type of
registration, the only audit trail the bank would have is that
an entity from a certain IP address appeared at the web site
and entered certain information. The entity may actually
have been an automated device. The IP address that initiated
the transaction is most likely a dynamically-assigned
address that was issued from a pool of available addresses.
In short, the bank really has no assurance of the true identity
of the entity that registered for the account.
`
[0011] To resolve this issue, many providers of electronic
commerce sites have begun to rely on mechanisms that do
not happen as part of the actual electronic transaction to help
provide assurance that the transaction is authentic. These
mechanisms are generally referred to as "out-of-band"
mechanisms. The most frequently used out-of-band authentication
mechanism is sending the end user a piece of mail
via the United States Postal Service or other similar delivery
services. The piece of mail sent to the end user will contain
some piece of information that the site requires the end user
to possess before proceeding with the registration.
`
`[0012] By sending something (e.g., a PIN number)
`through the mail, and then requiring the end user to utilize
`that piece of information to "continue" on the web site, the
`provider of the site is relying on the deterrent effects of being
`forced to receive a piece of mail at a location, including but
`not limited to, the federal laws that are intended to prevent
`mail fraud. The primary drawback of using the mail is that
`it is slow. In addition, there is no audit trail. In this day and
`age of the Internet, waiting "7-10 days" for a mail package
`to arrive is not ideal for the consumer or the e-commerce
`site.
`
`[0013] An authentication factor is anything that can be
`used to verify that someone is who he or she purports to be.
`Authentication factors are generally grouped into three
`general categories: something you know, something you
`have, and something you are.
`
`[0014] A "something you know" is a piece of information
`which alone, or taken in combination with other pieces of
`information, should be known only by the entity in question
`or those whom the entity in question should trust. Examples
`are a password, mother's maiden name, account number,
`PIN, etc. This type of authentication factor is also referred
`to as a "shared secret".
`
[0015] A shared secret is only effective if it is maintained
in a confidential fashion. Unfortunately, shared secrets are
often too easy to determine. First, the shared secret is too
often derived from information that is relatively broadly
available (Social Security Number, account number). Second,
it is difficult for a human being to maintain a secret that
someone else really wants. If someone really wants information
from you, they may go to great lengths to get it,
either by asking you or those around you, directly or
indirectly, or by determining the information from others
that may know it.
`
`[0016] A "something you have" is any physical token
`which supports the premise of an entity's identity. Examples
`are keys, swipe cards, and smart cards. Physical tokens
`generally require some out-of-band mechanism to actually
`deliver the token. Usually, some type of physical presence is
`necessary (e.g., an employee appearing in the human
`resources office to pick up and sign for keys to the building.)
`
[0017] Physical tokens provide the added benefit of not
being "socially engineer-able", meaning that without the
physical token, any amount of information known to a
disreputable party is of no use without the token. A trusted
party must issue the token in a trusted manner.
`
`[0018] A "something you are" is some feature of a person
`that can be measured and used to uniquely identify an
`individual within a population. Examples are fingerprints,
`retina patterns, and voiceprints. Biometric capabilities offer
`the greatest form of identity authentication available. They
`require some type of physical presence and they are able to
`depict unique characteristics of a person that are exceedingly
`difficult to spoof.
`
[0019] Unfortunately, capturing a biometric requires specific
hardware at the user's location, and some of the hardware
to support biometrics is expensive and not yet broadly
deployed. Some biometric technology in use today also
relies on an electronic "image" of the biometric to compare
against. If this electronic image is ever compromised, then
the use of that biometric as identity becomes compromised.
This becomes a serious problem based on the limited
number of biometrics available today. More importantly,
biometrics cannot be utilized to determine an individual's
identity in the first instance.
`
[0020] A security infrastructure is only as strong as its
underlying trust model. For example, a security infrastructure
premised upon security credentials can only address the
problems of fraud and identity theft if the security credentials
are initially distributed to the correct persons.
`
`[0021] First-time registration and the initial issuance of
`security credentials, therefore, are the crux of any security
`infrastructure; without a trusted tool for initially verifying
`identity, a security infrastructure completely fails. The
`National Fraud Center explicitly noted this problem at page
`9 of its report:
`
[0022] "There are various levels of security used to protect
the identities of the [security credential] owners. However,
the known security limitation is the process utilized to
determine that the person obtaining the [security credential]
is truly that person. The only known means of making this
determination is through the process of authentication."
`
[0023] In any security model, the distribution of security
credentials faces the same problem: how to verify a person's
identity over the anonymous Internet. There are three known
methods for attempting to verify a site visitor's identity. The
three current methods are summarized below:
`
`[0024] Solution A: An organization requires the physical
`presence of a user for authentication. While the user is
`present, a physical biometric could be collected for later use
`(fingerprint, voice sample, etc.). The problem with the
`physical presence model is that it is extremely difficult and
`costly for a company to require that all of its employees,
`partners, and customers present themselves physically in
`order to receive an electronic security credential. This model
`gets more difficult and more expensive as it scales to a large
`number of users.
`
[0025] Solution B: A company identifies and authenticates
an individual based on a shared secret that the two parties
have previously agreed upon. The problem with the shared
secret model is that it in itself creates a serious security
problem: shared secrets can easily be compromised. Since
the shared secret is relatively easy to obtain, this security
model suffers from serious fraud rates. Use of an electronic
copy of a specific biometric like a thumbprint could be used
as a shared secret. But once it is compromised, one cannot
reissue a new thumbprint and there is a limited set of others
to choose from.
`
[0026] Solution C: A company relies on communication of
a shared secret through the postal service. This process
begins when the user registers at a web site and enters
uniquely identifying information. A personal identification
number (PIN) is then sent to the user at a postal mailing
address (assuming the identifying information is correct).
The user must receive the PIN in the mail, return to the web
site and re-register to enter the PIN. The postal service is
used because it is a trusted network; there is some assurance
of delivery to the expected party and there are legal implications
for breach of the network. A large flaw with this
method is the built-in delay of days, even weeks, before the
user receives the PIN. This mode of authentication is too
slow by today's business standards; the potential of the
Internet to transform the structure of commerce rests firmly
on the ability to process transactions rapidly. Too many
people simply never finish the process. Moreover, there is a
limited audit trail to refer to in the event of a dispute
regarding the use of the security credential. A signature
(another type of biometric) could be required, but that triples
the delay until the PIN is returned. Organizations are seeing
large numbers of potential customers not returning to close a
transaction after these delays.
`
`[0027] Table I summarizes characteristics of the known
`authentication processes.
`
`TABLE I
`
`Authentication Processes
`
`Physical
`Presence
`
`
`Shared
`Secrets
`
`,/
`,/
`
`,/
`
`,/
`,/
`
`,/
`
`,/
`
`,/
`,/
`,/
`
`,/
`,/
`
`Characteristics
`
`Automated
`Easily Scalable
`Auditable
`Can use biometrics
`Has legal protections
`Occurs in real time,
`therefore tends to retain
`customers
`Deters fraud
`Protects private data
`
[0028] Known solutions do not enable organizations to
distribute efficiently and securely electronic security credentials.
There continues to be a need for improved authentication
or authorizing methods. Preferably such improvements
could be realized without creating substantial
additional complexity for a visitor to a site. It would also be
preferable if such methods did not slow down the pace of the
interaction or transaction. One known system has been
disclosed in U.S. application No. 2002/0004831 A1 published
Jan. 10, 2002 and entitled System and Method of
Using The Public Switched Telephone Network In Providing
Authentication or Authorization For Online Transactions,
assigned to the assignee hereof and incorporated
herein by reference.
`
`BRIEF DESCRIPTION OF THE DRAWINGS
[0029] FIG. 1 is a block diagram of a system in accordance
with the present invention;
`
`[0030] FIG. 2A illustrates a flow of interactions between
`components of a "redirect model" system and method in
`accordance with the invention;
`
`[0031] FIG. 2B illustrates a flow of interactions between
`components of a "server to server model" system and
`method in accordance with the invention; and
`
`[0032] FIG. 3 illustrates a particular application of the
`"server-to-server model" system and method in accordance
`with the invention.
`
DETAILED DESCRIPTION OF THE
PREFERRED EMBODIMENTS
`
`[0033] While this invention is susceptible of embodiment
`in many different forms, there are shown in the drawing and
`will be described herein in detail specific embodiments
`thereof with the understanding that the present disclosure is
`to be considered as an exemplification of the principles of
`the invention and is not intended to limit the invention to the
`specific embodiments illustrated.
`
`[0034] Embodiments of the present system and method
`exhibit characteristics which include:
`
[0035] 1. Use of two communications channels, different
at least in part. The process is facilitated where
the user has access to a telephone (for example, a
device identified on one of the channels, such as a
voice channel). This can provide a basic form of
identity verification;

[0036] 2. Ability to input to the system over one of
the channels a random, real-time generated confirmation
number delivered over the other channel is
used as a verification of the individual's access to
both channels. Speech recognition software can be
used if the number is input via the voice channel;

[0037] 3. Data collected about the person, the communication
channels and their identifiers is compared
to stored or third-party data about the person or
the communication channels. Similarities in this data
can be used as another form of verification;

[0038] 4. The ability of the person to recite or somehow
enter into one or both of the communication
channels a shared secret that should only be known
by the identity being verified is another form of
identity verification. Speech recognition software
can be used if the shared secret is input via the voice
channel;

[0039] 5. Speech recognition software can be used to
ensure that a voice recording taken during the session
is of known content (e.g. the confirmation
number) and of good quality. This voice recording
can be used as part of the audit trail and for voice
biometric comparison (see #6 below); and

[0040] 6. A voice print can be collected for this
individual, during a registration session using the
above authentication techniques, or via some other
means. This previously stored voice print can be
used subsequently as another form of identity verification
by using voice biometric software to compare
the voice print to the voice recording mentioned
above in #5.
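
The confirmation number of item 2, generated in real time on one channel and entered on the other, can be sketched as follows. This is an added example, not code from the patent; the six-digit length, 120-second lifetime, three-attempt limit, class and method names, and the sample phone number are all assumptions.

```python
import hmac
import secrets
import time

CODE_DIGITS = 6         # assumption: the page does not give a length
CODE_TTL_SECONDS = 120  # assumption: validity window for one phone call
MAX_ATTEMPTS = 3        # assumption: tries allowed before the session is dropped


class ConfirmationService:
    """Issues a code on the data channel and checks it on the voice channel."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # session_id -> [code, phone, issued_at, attempts]
        self.audit_log = []  # (event, timestamp, session_id, phone)

    def _log(self, event, session_id, phone):
        self.audit_log.append((event, self._clock(), session_id, phone))

    def start(self, session_id, phone):
        """Create a fresh random code; the caller shows it in the browser."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self._pending[session_id] = [code, phone, self._clock(), 0]
        self._log("issued", session_id, phone)
        return code

    def verify(self, session_id, digits_from_call):
        """Check digits keyed or spoken on the call placed to the phone."""
        entry = self._pending.get(session_id)
        if entry is None:
            return "unknown-session"
        code, phone, issued_at, _ = entry
        if self._clock() - issued_at > CODE_TTL_SECONDS:
            del self._pending[session_id]
            self._log("expired", session_id, phone)
            return "expired"
        entry[3] += 1
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(code.encode(), digits_from_call.encode()):
            del self._pending[session_id]  # a code is accepted only once
            self._log("verified", session_id, phone)
            return "verified"
        if entry[3] >= MAX_ATTEMPTS:
            del self._pending[session_id]
            self._log("locked", session_id, phone)
            return "locked"
        self._log("mismatch", session_id, phone)
        return "retry"


if __name__ == "__main__":
    svc = ConfirmationService()
    shown = svc.start("session-1", "+1 312 555 0100")  # constructed number
    print(svc.verify("session-1", shown), svc.audit_log)
```

The audit log records which phone number each code was bound to, which is the evidence the mail-based process lacks.
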
`
[0041] FIG. 1 illustrates a system 10 for carrying out an
interactive, authentication/authorization process. In one
aspect, system 10 as discussed below can be implemented
using multiple communication lines, one for voice and one
for data. Alternately, a single line (the telephone line) can be
shared between voice communication use and data communication
use.
`
[0042] The system 10 includes a site visitor's display 12
and associated local computer 14. The site visitor V, via a
bi-directional communication link 16 can access, forward
requests to and receive services from an Internet service
provider 20. Alternatively, if a separate communication line
16 is not available, the telephone line 17 can be shared
between voice communication using the telephone 46 and
data communication using modems. The Internet service
provider 20 which would be coupled via bi-directional
communication links 22 communicates via an electronic
network 26, which could be the publicly available Internet
or a private Intranet, with a target site 30 via a bi-directional
communication link 32.
`
[0043] In a typical transaction, the visitor V logs onto
target site 30 and requests authorization, authentication or
other services alone or in combination from the site 30. In
response to one or more requests from the visitor V, the site
30, via a bi-directional communication link 34 and the
network 26 communicates via another link 36 with an
authentication/authorization server 38.
`
`[0044] Server 38 includes authorization/authentication
`software in the form of prestored executable instructions P.
`It also includes databases D wherein information is stored in
`connection with prior transactions, or previously supplied
`information provided by target site 30.
`
`[0045] The authentication/authorization server 38 makes it
`possible to authenticate or authorize the site visitor V in
`accordance with the present invention. The server 38
`receives either from target site 30 or directly from visitor V
`a telephone number where the visitor V can be called or
`reached essentially immediately via an automated call from
`server 38.
`
[0046] To strengthen the trust in the telephone number
being used for the automated phone call, executable instructions
P-1 search for the phone number within third-party
databases in real-time. These databases can be local to site
38, or can be remote and accessed via network 26. Information
associated with the subject phone number can be
returned to site 38 for analysis. That data may also be
returned to the requesting site 30 for further verification that
this phone number belongs to (and is therefore being
answered by) the person whose identity is being verified, the
Site visitor V. The data can be processed in various ways:
`
[0047] i. Returned to the Target Site
`
`[0048] Any data found associated with the phone number
`can be returned to the site 30 within the transaction.
`
[0049] ii. Name and Address Validation
`
[0050] The site 30 can provide name and address data,
collected from visitor V or from the site's existing database
of information, to server 38. This information will be
compared to name and address information server 38 finds
associated with the phone number. The comparison (match
or no match) can be returned to site 30 for each field of the
data provided. Since the application can be customized to
the Target Site's requirements, any comparison algorithm
can be applied. Some examples are:
`
`[0051] Exact character for character match
`
`[0052] First letter match (for initial)
`
`[0053] Nick name match (e.g. Bob matches Robert)
`
[0054] Partial match (e.g. Mary-Anne partially
matches Mary)
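
The four comparison rules listed above, applied field by field as paragraph [0050] describes, can be sketched as follows. This is an added example, not code from the patent; the nickname table, field names, rule precedence and sample records are constructed assumptions.

```python
import re

# Constructed nickname table; a deployment would load a much larger one.
NICKNAMES = {"bob": "robert", "rob": "robert", "bill": "william",
             "liz": "elizabeth", "beth": "elizabeth"}


def _norm(text):
    """Lower-case and keep only letters, hyphens and spaces."""
    return re.sub(r"[^a-z\- ]", "", text.strip().lower())


def _parts(name):
    """Split a compound name such as 'mary-anne' into its components."""
    return {p for p in re.split(r"[- ]+", name) if p}


def match_name(supplied, on_record):
    """Return the strongest rule that matches, or 'no-match'."""
    a, b = _norm(supplied), _norm(on_record)
    if not a or not b:
        return "no-match"
    if a == b:
        return "exact"                      # character-for-character match
    if NICKNAMES.get(a, a) == NICKNAMES.get(b, b):
        return "nickname"                   # e.g. Bob matches Robert
    if len(a) == 1 or len(b) == 1:
        return "initial" if a[0] == b[0] else "no-match"
    if _parts(a) & _parts(b):
        return "partial"                    # e.g. Mary-Anne matches Mary
    return "no-match"


def compare_identity(supplied, found):
    """Per-field result of site-supplied data against the phone record."""
    result = {}
    for field in ("first_name", "last_name"):
        result[field] = match_name(supplied.get(field, ""), found.get(field, ""))
    for field in ("street", "postal_code"):
        s = " ".join(supplied.get(field, "").lower().split())
        r = " ".join(found.get(field, "").lower().split())
        result[field] = "exact" if s and s == r else "no-match"
    return result


if __name__ == "__main__":
    # Constructed records: what the site sent vs. what the lookup returned.
    site = {"first_name": "Bob", "last_name": "Smith",
            "street": "12  Example St", "postal_code": "60143"}
    lookup = {"first_name": "Robert", "last_name": "SMITH",
              "street": "12 example st", "postal_code": "60606"}
    print(compare_identity(site, lookup))
```

Returning the rule name rather than a bare match flag lets the target site decide which rules it is willing to accept for a given transaction.
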
`
[0055] iii. Geographic Correlation

[0056] A postal code provided by the site 30 can be
compared to the telephone number. This can be done, for
example, by calculating the distance from the geographic
location of the centroid of the two dimensional area represented
by the zip code, to the geographic location of the
central office (PSTN switching station) serving as the last
switching point for a call placed to the telephone number.
Using this distance, the site 30 can make policy decisions
based on how close the phone number must be to the address
known for the visitor V. For example, the visitor V could be
using a home phone for a business transaction late at night.
The site 30 could have a policy to mark the transaction
suspect if the distance is more than what the site 30 deems
reasonable for the maximum commute from a person's
home to work.
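
The distance check described in the preceding paragraph can be sketched with a great-circle (haversine) calculation and a site-chosen threshold. This is an added example, not code from the patent; the lookup tables, their approximate coordinates, the six-digit prefix keying and the function names are constructed assumptions.

```python
import math
import re

EARTH_RADIUS_KM = 6371.0088

# Constructed sample data with approximate coordinates, for illustration only.
# Postal code -> centroid of the area it covers (latitude, longitude).
POSTAL_CENTROIDS = {"60143": (41.97, -88.02)}
# Area code + exchange -> central office serving as the last switching point.
CENTRAL_OFFICES = {
    "312555": (41.88, -87.63),
    "212555": (40.71, -74.01),
}


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def office_prefix(phone):
    """Return the six-digit prefix of a ten-digit number, or None."""
    digits = re.sub(r"\D", "", phone)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]          # drop the country code
    return digits[:6] if len(digits) == 10 else None


def correlate(postal_code, phone, max_km):
    """Apply the site's distance policy; max_km is chosen by the target site."""
    centroid = POSTAL_CENTROIDS.get(postal_code)
    office = CENTRAL_OFFICES.get(office_prefix(phone) or "")
    if centroid is None or office is None:
        # Missing reference data is reported, not silently treated as a pass.
        return {"decision": "unknown", "distance_km": None}
    distance = haversine_km(centroid, office)
    decision = "ok" if distance <= max_km else "suspect"
    return {"decision": decision, "distance_km": round(distance, 1)}


if __name__ == "__main__":
    # Constructed inputs: one nearby number, one far away, one malformed.
    for number in ("+1 (312) 555-0100", "212-555-0100", "555-0100"):
        print(number, correlate("60143", number, max_km=80))
```

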
[0057] In addition to accepting data input from the visitor
V via the telephone keypad, system 10 can also accept
spoken input using commercially available speech recognition
software P-2. From a security perspective, software P-2
strengthens the use of voice recordings for the audit trail.
`[0058] With speech recognition, the system 10 can ensure
`that the voice recordings are clear and recognizable. For
`example, site 38 could require the visitor V to recite the
`phone number dialed, one digit at a time. Since the site 30
`knows the phone number, using speech recognition during
`the recording enables it to verify that the visitor V has clearly
`and correctly spoken the number, ensuring a high quality
`voice recording. Therefore these recordings can be more
`highly trusted for subsequent human review or automated
`voice biometric comparisons.
`[0059] System 10 can incorporate commercially available
`software P-3 to convert text data to speech at the time of the
`transaction. This enables the system, via site 38, to deliver
`electronic security credentials audibly via the telephone in
`addition to, or instead of visually via the web pages. This
`could be useful for applications that are required to deliver
`security information (like a randomly generated temporary
`access password) via an out-of-band network other than the
`Internet. This is also useful when the audible instructions for
`the site visitor V cannot be determined before the phone call
`is made. For example, the system 10 could cause random
`verification data to be spoken via annunciation software P-3
`to practically eliminate the ability for a person to attempt to
`pre-record answers using someone else's voice.
[0060] The voice recordings taken during the registration
process can be used to determine the voice biometrics of the
visitor V (at the time of acquisition or at a later date). The
system 10 includes commercially available voice biometric
software P-4 to analyze a good quality voice recording and
create a "voice print" (or voice biometric), similar to a
fingerprint or a written signature. It is a digital representation
of the unique characteristics of the user's voice and vocal
tract. Using this voice biometric, the system 10 can use
commercially available software to compare one voice with
another. This allows the system to determine (within the
accuracy of the voice biometric tools) if the voice of the
visitor V is the same as that of the person who had previously
used the system.
`[0061] The first time the visitor V uses the system 10, two
`factors of authentication are used:
`
`[0062] 1. the ability of that person to answer a phone
`call at their own phone number ("something you
`have")
`
[0063] 2. and knowledge of a shared secret ("something
you know"). Once the voice biometric has been
captured, in each subsequent use of the system a
third factor of biometric authentication ("something
you are") can be added to the previously described
two factors. This significantly increases the strength
of the authentication or authorization decision made
based on this information.
`
[0064] The system employs two different (at least in part)
communication links to reach the site visitor. The embodiments
described herein use the Internet as the data communication
link and the PSTN as the voice communication link.
Each of the communication links has their own method of
identifying the specific device being used by the site visitor.
The embodiments described herein use IP address as the
addressing method for the data communication device (e.g.
the site visitor's computer), and use the public telephone
number as the addressing method for the voice communication
device (e.g. the site visitor's telephone).
[0065] Preferably, in a system implemented in accordance
herewith (i) the communication links have a separate, independently
verifiable addressing method, (ii) at least one of
the communication links supports voice communication
between the site visitor and the authentication/authorization
site, and (iii) the security of both links is trusted by both the
target and authentication/authorization sites. The links may
even share some portion of the physical connections between
devices (as discussed with regard to single versus multiple
communication lines located at the site visitor's location).
`[0066] Various voting-type products can be created based
`on the above described system and functionality.
[0067] A typical on-line voting application today is exercising
shareholder proxy voting rights. These voting applications
typically require the use of a Personal Identification
Number (PIN) that is sent via the postal mail to the street
address on record for the stockholder(s). After receiving the
PIN, any one of the members of that household can go to a
website, where the PIN is used as the sole identification of
the stock rights being voted.
[0068] System 10 could be used to deliver the PIN verbally
via a phone call, instead of using the postal mail.
Instead of mailing a printed letter, system 10 could call the
stockholder(s) at a known telephone number(s) and deliver
the PIN via text-to-speech. This increases the security by
providing an audit trail as to whom the PIN was actually
delivered (the phone number used and the voice recording of
the person who accepted the delivery), as well as being less
costly than the more manual process of mailing printed
materials. The PIN can then be used in a known fashion to
carry out the voting process.
`
`[0069] However, voting in a Federal or State election
`requires much more security than simply mailing a PIN to a
`postal address. The typical manual systems in use today use
`a two-step process. First, a person must register to vote. This
`is usually done by requiring a person's physical presence at
`a State or Federal agency so that agency personnel may
`check records to verify that the individual is a resident, not
`previously registered, not listed as deceased, and other
`similar checks. At the time of registration, the authority
`captures the person's signature. The second stage takes place
`at the polls.
`
[0070] Each time a person exercises a right to vote, poll
officials authenticate prospective voters by manual comparison
of the signature on record with a signature executed
before them. They may also require the person to possess a
voter registration card or some other type of trusted credential
(e.g. a driver's license).
`
`[0071] System 10 could be used to fully automate the
`process. The process would require the capture of a voice
`biometric during voter registration (instead of a signature).
`This registration could still require physical presence, or
`could be done remotely using system 10. The requirement
`would be that at least two forms of authentication take place
`(e.g. shared secret and access to your home phone), and a
`good quality voice recording be captured. That trusted voice
`recording would then be used to create a voice biometric
`specific for that voter (similar to their written signature).
`
`[0072] Once a person has registered to vote, he or she
`would simply go to a web site to place their vote. At that web
`site, they would be asked for a phone number where they can
`be reached at that moment (or the system could require them
`to be at a known, trusted phone number that is on record for
`that voter).
`
[0073] The system 10 would use previously discussed
software P-1 for telephone data lookup to obtain information
about the owner of that phone and its approximate location.
At the same time, a phone call would be placed to that
number. When the voter answered the phone, he or she
would be requested to speak a shared secret (for example
something similar to the manual check of a voter ID number,
or a driver's license number). While the voter is speaking the
shared secret, the system will be comparing the voice with
the previously created voice biometric data. Now the system
has:
`
`[0074] The phone number called
`
`[0075] The phone number's owner and location
`information
`
`[0076] The spoken shared secret
`
`[0077] Voice recording(s) of the voter
`
`[0078] And a biometric comparison against the voice
`used during registration
`
[0079] Using all this data, the system 10 can apply whatever
rules the vote conducting authority wishes to enforce
relative to authentication of the voter. This process can be
even more secure than the manual process, because:
`
`[0080] The system is fully automated so there is no
`chance of collusion
`
`[0081] The audit trail can be re-verified later if there
`is a dispute
`
[0082] It is also more effective than the manual process
since it does not require the physical presence of the voter
to cast his or her vote. This system can thus be used in
absentee ballot situations.
`
`[0083] The Table II-A and the FIG. 2A illustrate the use
`of the System 10 in a way that has the service site 38 directly
`interact with the visitor V. The visitor V is redirected from
`inter