Earlier this week, Gregg Stefancik, an engineer at Facebook stated “I hate biometrics.” Naturally, I had to respond to such a strong and provocative statement. I love biometrics. More specifically, I love voice biometrics. If you follow my blog, you’ll know that the reason why I love voice biometrics is that it has proven to be far more effective and convenient of an authentication method than passwords, PINs and security questions. And I don’t just think so – the data actual says so. Financial institutions all over the globe, such as Banco Santander Mexico, Barclays Wealth & Investment Management, TD Waterhouse, U.S. Bank, and Vanguard just to name a few, have realized the benefits of voice biometrics such as increased customer satisfaction, decreased operating costs and a significant reduction in fraud. Beyond financial institutions, that first deployed voice biometrics in their most secure use cases (e.g. wire transfer service), voice biometrics is now being adopted beyond the financial industry in telecom, insurance and beyond.
So why then is there still any argument against biometrics? For most people, the term “biometrics” is equated to fingerprinting and iris scans. With these two forms of biometric authentication, the issue of your fingerprint and your iris being static and unchanging, i.e. you lose control of being able to change your security credential if there is a breach, is often raised as a gating factor for wide adoption. Voice biometrics is not afflicted by this problem, because unlike fingerprint or iris, which again are static biometric credentials, voice biometrics is a dynamic biometric credential. What is the difference? A static biometric is unchangeable. A dynamic biometric can be changed. Your fingerprint is static, meaning that you can’t change it. Most of us have ten fingers, so there is a small amount of variability that is possible: if you enroll your right index finger to authenticate into a system, and a hacker compromised your fingerprint, you could enroll another finger. But at the end of the day, you have a maximum of ten possible credentials with fingerprint biometrics. With iris, that number drops down to two. With voice biometrics, you have an infinite amount of possible voiceprints. Let’s say that you have the following voiceprint to authenticate into your Facebook account: “My voice is my password at Facebook.” Should a malicious individual record you saying this passphrase, you could revoke this credential and create a new one where you say “At Facebook, my voice is my password.” You can easily see how there are an infinite amount of possibilities with voice, and so it’s important not to lump all biometric technologies into the same boat. Irrevocability is only an issue with static biometrics.
Another issue that was addressed in the recent “I hate biometrics” article is the massive password breach at eBay. “Had those passwords been biometrics, users would be left in the lurch.” The fact is that if those passwords had been voiceprints, there would have been no security issue at all.. Voiceprints are of no value to a hacker, as they can’t be used to authenticate into a system (unlike passwords). A massive security breach like we see on a regular basis with passwords is simply not possible with voice biometrics. The reason for this is simple: the only input to a voice biometric system is a person’s voice. A voiceprint is not a person’s voice but rather is a set of alphanumeric values that represent a large set of characteristics of an individual’s voice. The voiceprint is not the key to the castle, your voice is. Voices are not stored in a centralized database, voiceprints are. If we want an end to massive credential breaches, the solution is voice biometrics.
The article went on to mention that a lot of research showed that biometrics could be easily spoofed. Although spoofing is a possibility, with voice biometrics there are a number of anti-spoofing technologies that minimize this risk. The risk of spoofing is far lower than a hacker compromising a password, or someone stealing your phone. Anti-spoofing capabilities include playback detection algorithms that detect voice recordings, liveness detection, change in speaker detection and synthetic speech detection. No security system is infallible, but out of all of the authentication options currently available on the market, voice biometrics is clearly one of the most secure. See the report by Opus Research that compares the risks of voice biometrics vs. passwords and OTP tokens.
So from a security standpoint, voice biometrics is more secure than passwords, OTP, KBA, etc. And, yes, it delivers phenomenal value to the enterprise, as showcased by the aggressive ROIs reported by a number of organizations that have deployed it. But my love for voice biometrics is a love of the experience. It enables an end-to-end speech experience that is convenient and easy. It allows technology to know who I am in the most natural way. Combined with a virtual assistant, for example, I can say “My voice is my password” followed by “Update my Facebook status to I love voice biometrics.” I can have a secure, natural interaction with technology, like I would have with a human. And that is a beautiful thing.