Password-free security uses voice, user behavior to verify identity
- 26 January, 2017 13:28
Tired of conventional passwords? So is Nuance Communications, a tech firm that is promoting the human voice as a way to secure user accounts.
The company’s voice biometric product is among the technologies that promise to replace traditional -- and often vulnerable -- password authentication systems, which can be easy to hack. That isn’t the case with Nuance’s solution, the company claims.
“To determine if it’s you or not, we are looking at over 100 different characteristics of your voice,” said Brett Beranek, Nuance’s director of product strategy.
The problem with passwords
The need to move beyond passwords hasn’t been more urgent, given that hackers are routinely finding ways to steal them. Last year, Yahoo, LinkedIn and Dropbox all reported major data breaches involving account details such as email addresses and hashed passwords.
With such information, a hacker can plunder through an email account like suspected Russian cyberspies did to U.S. political figures in last year’s election.
However, security provider Nuance is trying to change the status quo. Already, banks and financial institutions have been deploying the company’s voice biometric technology to verify user identities.
“This is more secure than a password,” Beranek said. “We’ve had our customers report a significant reduction in fraud over PIN and password security solutions.”
The technology was first deployed in a customer call center back in 2001. Since then, it’s also been used in finance-related mobile apps and to secure PCs at a handful of organizations, Beranek said.
Every human voice is unique, he added. Factors like a person’s larynx, the shape of the nasal cavity, and whether the subject is missing a tooth, will all determine the way someone sounds. People can also speak in a more monotone or lively manner, or space out their words in varying rhythms.
Nuance’s technology has been built to analyze these differences to accurately determine who is who, Beranek said. It’s been refined to the point, it can weed out voice impersonators, digital recordings and synthetic voices that try to dupe its system.
“In most cases, we can differentiate consistently between identical twins,” Beranek also said.
Verifying a user’s behavior
Replacing passwords is one thing, but what if your security system could also detect and kick out intruders who managed to break in?
SecureAuth is another company that’s been working on this very technology. It’s offering a system for companies to go “passwordless,” which can also spot any unusual activity on a user account.
The approach leverages an existing device many people have: smartphones built with fingerprint readers, said Keith Graham, CTO of SecureAuth.
Essentially the hardware is replacing the password. When logging on to a system, the user will receive a notification sent to their phone that can only be unlocked through a fingerprint scan. Clicking on the notification will then grant access to the system.
However, SecureAuth’s authentication process is also on the lookout for unusual behavior from the user even after logon. For instance, it’ll examine inconsistencies with the person’s keystrokes, mouse movements, where the user logged in from, at what time, along with the configuration settings on the device.
In that way, SecureAuth can assess whether someone accessing the system is possibly a hacker or not.
“It doesn’t only matter how big a lock you have on the door,” Graham said. “It’s about how quickly you can respond to remove the attacker from the environment.”
In the future, authentication systems may very well act more like “fraud detectors,” said David Mahdi, an analyst with research firm Gartner. Tech companies are aggregating so much data about their users, they’ll be able to notice suspicious activity from normal behavior, and boot out suspected bad guys.
“The more data points you can look at, the better," he said.
Companies including Google and Microsoft are also developing better authentication systems that rely on other biometrics such as facial recognition or even how a person walks. So it’s maybe only a matter of time before these technologies become more available and displace the password.
However, one major obstacle is getting the industry behind the same standards on authentication, Mahdi said. Many enterprises are also using legacy systems that they fear will break if upgraded.
"A lot of laptops have fingerprint readers," he said. "But all the organizations that I talk too aren't using them, because the laptops have a specific driver, and I've heard its a nightmare to push out updates to them."
It's also true that any biometric system, such as fingerprint and voice, might have drawbacks. For example, what if your phone runs out of battery, or if you're in an extremely loud area?
“They all have their pros and cons,” said Mahdi. “There’s not one method to rule them all."
Nuance Communications said its own system isn't perfect. For instance, its voice biometric technology will have trouble working with people who have laryngitis or other throat-related illnesses.
However, the company says its solutions is an improvement over passwords, which users often forget. Nuance's product can also be combined with other technologies for two-factor authentication.
"You could have two separate biometrics," Beranek said. "It could be fingerprint."