Citrix, a company which works with the likes of the FBI and US military, recently hit the headlines when it fell victim to hackers. The cyber criminals allegedly used a technique called password spraying, which exploits weak passwords. This is just one example of why the traditional username and password combination is no longer fit for purpose, in both our personal and business life.
The problem with traditional password systems is not with the concept of the username and password combination. Rather, it is that the system relies on the weakest part in any infosecurity chain: the human.
Historically, this method has worked because it effectively created a two-factor form of authentication, as people would require a physical token, such as a bank card, and their password. However, in the digital world, no token is required, and people often tend to opt for simple passwords, or variations of the same one across multiple platforms. This leaves the door open for hackers to use techniques which exploit weak passwords – just as we’ve seen in the Citrix hack.
However, advancements in biometric technology means that weak passwords will be a thing of the past, replaced by a far more secure method of authentication: our voice.
Are all biometric systems as secure as each other?
Businesses are already realising the potential of biometric technology as a secure form of authentication. HSBC, for example, already allows its customers to authenticate itself with their voice by simply stating “My voice is my password.” During the call, the spoken phrase is mapped against a previously created voice print recording of the user’s voice and analysed to ensure that the caller’s voice matches.
This form of authentication is much more difficult to exploit when you compare it to the username and password combination. However, it’s important to remember that not every biometric authentication system is created equal.
Voice biometrics, fingerprints and facial recognition, all come with their own advantages and disadvantages. While there has been some backlash against facial recognition technology, which is also possible to trick with high-resolution images – it’s also perfectly possible to “clone” someone’s fingerprint to break into their device even though the technology enjoys widespread adoption.
In light of these weaknesses, the most reliable and practical way to authenticate users could be voice biometrics.
Why voice is the answer?
From a security and anti-fraud perspective, voice biometrics offer a number of key benefits. ‘Active’ identification using recorded quotes can be used, such as stating ‘My voice is my password’. The authentication can happen ‘live’ – during a natural language non-scripted interaction – safeguarding against people operating under fake identities on the other end of the line. The solution is, therefore, very difficult – if not nearly impossible – to hack. Since there are no set phrases that are required in the natural language processing conversation that could be pre-recorded, it is incredibly difficult for a fraudster to gain access to someone’s account or profile by fraudulently recording their voice.
Advances in Artificial Intelligence (AI), also enable the intention and emotion of a caller to be identified, which can help highlight people who are calling under duress. It can even enable us to recognise the voice-print of known fraudsters and identify them in real-time.
Another important point is that with voice biometrics, there is no need for the user to share any personal or confidential data to be authenticated – as their voice sample is all that matters.
Of course, one of the major selling points of voice biometrics is that it doesn’t rely on the user remembering a password or having a physical token to hand. The technology can recognise speech patterns and modulations that are impossible for even the best impressionist to mimic.
Hacks like the recent Citrix breach show that the traditional username and password model is no longer fit for purpose. We will see ‘voice’ as a mode of authentication increase rapidly in the coming years, as businesses increasingly realise the security benefits.
However, this does not mean that the ‘password’ is completely dead. Security-conscious industries such as banking, may look to combine voice with other methods of two-factor authentication such as tokens and – yes – passwords where appropriate.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.