AWS Contact Center

Machine learning-based voice authentication with Amazon Connect Voice ID

Today, Amazon Web Services (AWS) announces the general availability of Amazon Connect Voice ID, a Machine Learning (ML) powered voice authentication feature for Amazon Connect. Amazon Connect is an easy-to-use omnichannel cloud contact center that helps companies of any size deliver superior customer service at lower cost. Amazon Connect Voice ID offers both real-time caller authentication, to provide contact centers an additional security layer to help validate customer identity, and fraud risk detection, to help make contact center operations more secure.

To authenticate callers, contact centers often use a time-consuming process where callers answer multiple questions verifying their personal details, such as social security number or date of birth. This process is repetitive for agents and is a poor experience for callers. Additionally, this process relies on knowledge possessed by the caller that can be easily obtained through social engineering. Fraudsters can use this information along with sophisticated speech synthesis systems to impersonate callers. Using Amazon Connect Voice ID, you can use machine learning to help verify the identity of genuine customers in real time without changing the natural flow of their conversation. This saves customers from the hassle of having to answer multiple questions to verify their identity, thereby improving their experience as well as agent productivity. Using Amazon Connect Voice ID, you can also create a custom watchlist with audio recordings of known fraudsters to flag suspicious callers and lower the number of fraudulent attacks on your contact center.

You can enable Voice ID in Amazon Connect using the AWS Management Console. You can also configure the Interactive Voice Response (IVR) sequences for authentication and fraud risk detection using the Amazon Connect Contact Flows. Voice ID is also natively integrated into the Amazon Connect Contact Control Panel (CCP), making it simple for agents to help verify the caller’s identity. You can also use the Amazon Connect Streams APIs for Voice ID to add voice authentication and fraud risk detection into your existing web applications with Amazon Connect.

In this blog post, we will discuss how Amazon Connect Voice ID works and how you can start using it for enrollment and authentication.

How Amazon Connect Voice ID works: enrollment and authentication

When a customer calls for the first time, the contact center agent confirms the identity of the caller by using existing security measures to ensure that only genuine customers are enrolled in Amazon Connect Voice ID. To comply with relevant data protection laws, agents will need to obtain the caller’s consent prior to enrolling them. Once the agent initiates the enrollment request, Voice ID listens to the call until it has captured 30 seconds of customer speech (excluding silence) and then creates the enrollment voiceprint. A voiceprint is a mathematical representation that implicitly captures certain unique aspects of an individual’s voice such as speech rhythm, pitch, intonation, and loudness. The caller does not need to say or repeat any specific phrases to enroll in Amazon Connect Voice ID.

When the enrolled customer calls into the contact center again, you can use contact flows to authenticate them with Amazon Connect Voice ID during their interaction with the IVR or with an agent. Amazon Connect Voice ID will need 10 seconds of a caller’s voice to authenticate, which can be done as part of a typical customer interaction in the IVR or with the agent (such as “what’s your first and last name?” and “what are you calling about?”). Voice ID uses this audio to generate the caller’s voiceprint and compares it with the enrolled voiceprint corresponding to the claimed identity. Amazon Connect Voice ID then generates an authentication score between 0 and 100 that indicates the confidence of match. Contact center managers can configure an authentication score threshold in the Amazon Connect contact flow (default threshold is a score of 90) so that agents get a real-time result (“authenticated” or “not authenticated”) to complete the verification process or take additional security measures during the call. Amazon Connect Voice ID’s passive authentication approach does not require customers to say any specific words or phrases during enrollment and verification.

Contact center managers can configure the amount of caller audio required to authenticate to as little as 5 seconds. This enables Amazon Connect Voice ID to be used as an additional security layer in the IVR to authenticate customers and unlock self-service options. This empowers you to provide self-service options for a wider range of issues and lower overall operational costs.

If a caller chooses not to use voice authentication provided by Amazon Connect Voice ID, you can have the caller opt out of Voice ID. The service will remove all audio and any voiceprints that were created for this caller. Agents will get a status stating “Opt-out” for the authentication status, indicating that the caller’s identity cannot be validated by Amazon Connect Voice ID.

How Amazon Connect Voice ID works: fraud risk detection

Amazon Connect Voice ID enables you to scan calls in real time for fraudsters from a custom watchlist you have created for attackers who frequently target your contact center operations. Once you have identified callers who frequently target your contact center to perform fraud, you can register these caller voices to a custom watchlist for your Amazon Connect Instance using Voice ID APIs. You can register up to 500 fraudster voices to this watchlist to detect in real-time. The next time one of these fraudsters calls in, Amazon Connect Voice ID will check if the call audio is a match to one or more of these fraudsters and return a fraud risk score between 0 and 100 to indicate a risk level. Like the authentication feature, contact center managers can configure a fraud risk score threshold in the Amazon Connect contact flow (default threshold is a score of 20) to provide a risk level to agents (“high risk” or “low risk”). Agents can then use this result to decide to continue the call or take additional security measures.
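The two scores described above can be combined into a single routing decision. The following Python sketch is an added example, not AWS code or part of the sample contact flow: the `VoiceIdResult` container and the routing labels are hypothetical, and it assumes that a score at or above a threshold meets it and that a missing score (not enough speech) is treated as inconclusive.

```python
from dataclasses import dataclass
from typing import Optional

AUTH_THRESHOLD = 90       # default authentication threshold given in the post
FRAUD_THRESHOLD = 20      # default fraud risk threshold given in the post
MAX_CUSTOMER_ID_LEN = 32  # maximum customer ID length given in the post


@dataclass(frozen=True)
class VoiceIdResult:            # hypothetical container, not an AWS type
    customer_id: str
    enrolled: bool
    opted_out: bool
    auth_score: Optional[int]   # None: not enough speech to score yet
    fraud_score: Optional[int]  # None: not enough speech to score yet


def _in_range(score: Optional[int]) -> bool:
    return score is None or 0 <= score <= 100


def next_step(r: VoiceIdResult, auth_threshold: int = AUTH_THRESHOLD,
              fraud_threshold: int = FRAUD_THRESHOLD) -> str:
    if not 1 <= len(r.customer_id) <= MAX_CUSTOMER_ID_LEN:
        raise ValueError("customer ID must be 1 to 32 characters")
    if not (_in_range(r.auth_score) and _in_range(r.fraud_score)):
        raise ValueError("scores must be between 0 and 100")
    # A watchlist match outranks everything, including a passing voice match.
    # Assumption: a score at or above the threshold counts as high risk.
    if r.fraud_score is not None and r.fraud_score >= fraud_threshold:
        return "escalate_high_risk"
    if r.opted_out:
        return "security_questions"            # agent sees "Opt-out"
    if not r.enrolled:
        return "verify_then_offer_enrollment"  # agent sees "Not enrolled"
    if r.auth_score is None or r.fraud_score is None:
        return "security_questions"            # inconclusive: fail closed
    if r.auth_score >= auth_threshold:
        return "unlock_self_service"           # "Authenticated"
    return "security_questions"                # "Not Authenticated"


# Constructed sample calls, not real Voice ID output.
SAMPLES = [
    VoiceIdResult("cust-0001", True, False, 96, 3),
    VoiceIdResult("cust-0001", True, False, 96, 45),
    VoiceIdResult("cust-0002", True, False, 71, 2),
    VoiceIdResult("cust-0003", True, False, None, None),
]
DECISIONS = [next_step(s) for s in SAMPLES]
```

The second sample shows the case that matters most: a caller whose voice matches the enrolled voiceprint but who also matches the watchlist is escalated rather than given self-service access.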

Overview

To get started with Amazon Connect Voice ID, we have created a sample solution for a fictional company called Anybank. This company wants to offer voice authentication to their customers instead of asking multiple security questions to validate their customers’ identity.

Pre-requisites

This post assumes you have the following:

  1. An understanding of Amazon Connect
  2. An Amazon Connect Instance
  3. Access to AWS IAM to create policies and roles

Get Started

  1. Login to your AWS Management Console and navigate to your Amazon Connect Instance.
  2. Enable Voice ID for your Amazon Connect Instance by following the steps outlined in Enable Voice ID
  3. Next, login to your Amazon Connect Instance at https://<instance_name>.my.connect.aws/ (replace instance_name with the name of your Amazon Connect instance). On the left tab, select Users → Security Profiles
  4. Select a role of your choice or create a new role to enable Amazon Connect Voice ID access in the CCP. This will allow the role to perform Voice ID operations on the CCP softphone interface, as explained in the Security Profile permissions for Voice ID
  5. Now download the sample contact flow named Connect-VoiceID-Sample-Contact-Flow that will help you create a self-service experience to test Amazon Connect Voice ID features
  6. Set up your Amazon Connect contact flows by choosing Routing → Contact flows in your instance
  7. Choose Create contact flow and choose Import Flow from the top right corner of the page
  8. On the Import Flow dialog, choose Select and upload the Connect-VoiceID-Sample-Contact-Flow that you downloaded earlier
  9. Configure the following contact blocks that are required for performing authentication with Voice ID:
    • Set Voice ID: This block enables audio streaming and configures thresholds for voice authentication and detection for fraudsters in a watchlist. You can adjust the authentication threshold from the default of 90 based on your security and business requirements.
    • Set contact attributes: Voice ID needs to know the identity of the caller to be enrolled or verified. To provide this information to Voice ID, you can pull the unique customer identifier of the caller from your CRM system based on their phone number or account id. You can then assign it as the Customer ID attribute of this block. The customer ID may be a customer number from your CRM, for example. The maximum customer ID length is 32 characters. In this sample, it is set to a static value, but you can change it to any customer identifier you typically use
    • Check Voice ID: Once you have enabled Voice ID, you can use this block to check the response for enrollment status, voice authentication, or fraud detection. Using this result, you can determine the next best logic for customer experience. For example, you can route a call directly to a customer service agent if the caller is not enrolled for authentication. In this example, the block is used to check the authentication results
  10. You can now Save and Publish the flow
  11. At this point, Amazon Connect Voice ID is now enabled for your Connect Instance. Claim a phone number for your instance if you haven’t already done so and assign it to the Connect-VoiceID-Sample-Contact-Flow

Performing customer enrollment using the Amazon Connect CCP

  1. First, launch the CCP with the URL https://<instance_name>.my.connect.aws/ccp-v2/ (replace instance_name with the name of your Amazon Connect instance). New labels and buttons for Amazon Connect Voice ID will appear in the upper portion of the CCP softphone interface
  2. Call your Amazon Connect dial-in number assigned to the contact flow you just configured. Then follow the prompts in the IVR to speak about the issue you are calling about. After a couple of questions, you will be transferred to the agent
  3. Once the call is transferred to an agent, accept the call on the CCP softphone interface.
  4. Once connected, you can see the enrollment status for the caller in the upper portion of the CCP softphone interface next to the Voice ID label. Since the caller is not enrolled, the Voice ID status is returned as Not enrolled
  5. As an agent, you can request enrollment by clicking the Enroll button on the top right. Now speak to the customer in any conversation of choice. Amazon Connect Voice ID will listen to the call until it has captured 30 seconds of customer speech (excluding silence) and then creates the enrollment voiceprint
  6. If enrollment is successful, the Voice ID status will change to Enrolled. You can disconnect the call now

Testing authentication

Now that you have been enrolled into Amazon Connect Voice ID, you can call again to check the authentication process:

  1. Call the phone number assigned to the contact flow. When connected, you will interact with an IVR about the reason you are calling. Amazon Connect Voice ID will use the audio collected during this conversation to verify your identity, based on the authentication threshold configured in the Set Voice ID block in your contact flow
  2. Once the call is transferred to an agent, accept the call on the CCP softphone interface
  3. Once connected, the Voice ID status in the interface shows Authenticated after a successful authentication. If the score did not meet the threshold configured, which would happen if a different caller called in place of you, the status will display Not Authenticated. If there was insufficient audio, Inconclusive will be displayed
  4. You can re-authenticate the customer by clicking the Re-evaluate icon in the upper right corner

Performing re-enrollment and opt out

  1. You can also re-enroll the customer by clicking the Re-enroll action under the menu icon on the top right
  2. You can use the Opt-out option from the same menu icon to opt out a customer from Voice ID
  3. Once you are done with testing, you can delete the Amazon Connect Voice ID domain. If you had created a new Amazon Connect Instance, you can delete the instance in the Amazon Connect service console.

Conclusion

In this post, we introduced the key features of Amazon Connect Voice ID in its general availability (GA). We walked through how to enroll and verify a customer with voice authentication, perform re-enrollment, and opt out if the customer chooses not to enroll in this service. You can start using Voice ID for your Amazon Connect contact center instance today in US East (N. Virginia), US West (Oregon), Asia Pacific (Tokyo), Europe (Frankfurt), Asia Pacific (Singapore), Asia Pacific (Sydney), and Europe (London) AWS regions. As a part of the AWS Free Tier, you can get started with Amazon Connect free for twelve months. Amazon Connect Voice ID offers a free tier at 180 transactions per month. You can find further details on setting up and using real-time caller authentication and fraud risk detection with Amazon Connect Voice ID in the Amazon Connect Administrator Guide.
