Is Barclays' phone banking biometric authentication system secure?

Barclays now uses a biometric authentication system for phone banking customers, where 'voice prints' can replace passwords. Expert Michael Cobb explains the security risks.

UK financial services firm Barclays has begun rolling out a customer voice recognition system for phone banking in hopes of replacing passwords. Can a biometric authentication system that relies on voice prints over the phone work? What are the risks and concerns for a voice recognition system like this?

Biometrics has long been promoted as the best way of overcoming the vulnerabilities associated with passwords. People tend to choose simple passwords, share them and reuse them across multiple accounts. According to a poll commissioned by HSBC, more than one-third of U.K. consumers use the same password across most of their online accounts and more than half rarely update their passwords. They also forget them, and password resets are an inconvenience to users and can cause maintenance overheads for administrators. Passwords are easily compromised too, through phishing attacks, brute force, device loss or theft, keyloggers, insider abuse or attacks on cloud service providers' systems.

To tackle the security weaknesses associated with passwords and also to improve the user experience, many financial institutions are beginning to introduce biometric verification systems. Research by Visa Europe found that 16- to 24-year-olds would rather use biometric authentication than PINs and passwords, and generally feel more confident in biometric methods of authentication. Barclays Bank has been testing voice biometrics for some years and is rolling out a voice recognition system for its telephone banking customers. When customers call its telephone banking service, it will create a digital voiceprint based on their unique formation of words. Once it has collected a sufficient voiceprint over two or three phone calls, customers can begin to use their voice, rather than a password, to identify themselves.

The technology Barclays uses to match customers' voices with their voiceprint can filter out background noise and detect voice recordings, and it is not thrown by temporary changes to a voice caused by, for example, a blocked nose or sore throat. Each voiceprint will be made up of over 100 unique characteristics such as pronunciation, emphasis, speed of speech and accent, as well as the influences of physical elements of a person's mouth and throat, like the length of the vocal tract and the shape and size of the mouth and nasal passage. Even though an impressionist may be able to fool the human ear, they can't mimic all of these characteristics.

Voice recognition will offer a quick and easy way for customers to identify themselves most of the time, but if the system can't establish a match to a voiceprint, it has to fall back on standard verification methods like a PIN, password or some other knowledge-based authentication factor, the very things a biometric authentication system tries to replace. There is a good explanation by Hitoshi Kokumai of why the overall vulnerability of a biometric authentication system using a fallback password is greater than one using only a password; simply put, it has a larger attack surface. Mathematically this may be true, but in practice it may prove to be more secure -- Barclays and many other enterprises seem to think so.
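
The attack-surface point can be made concrete with a short calculation (an added illustration, not taken from Kokumai's explanation or from the original article; the symbols $V$, $K$, $p_V$ and $p_K$ are introduced here). Let $V$ be the event that an attacker defeats the voiceprint check and $K$ the event that the attacker defeats the fallback PIN or password. Because a failed voice match hands the caller to the fallback, the attacker gets in if either event occurs:

$$P(V \cup K) = P(K) + P(V \cap \overline{K}) \ge P(K)$$

If the two events are assumed independent, with $p_V = P(V)$ and $p_K = P(K)$:

$$P(V \cup K) = 1 - (1 - p_V)(1 - p_K) = p_K + p_V\,(1 - p_K)$$

So the system with a fallback is never harder to break than the same password on its own, and it is strictly easier whenever $p_V > 0$ and $p_K < 1$. Requiring both factors instead would give $P(V \cap K) = p_V\,p_K \le \min(p_V, p_K)$, which is why a voiceprint with a password fallback behaves differently from two-factor authentication.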

The other unknown about using a biometric authentication system where the matching takes place on a server is what happens when the central biometric template database gets compromised. Users don't have the option of changing their voice, face or fingerprint like they can a password. The U.S. Office of Personnel Management discovered that of the 21.5 million individuals who had sensitive information stolen in the 2015 data breach, approximately 5.6 million also had their fingerprint records stolen. The loss of biometric data is a threat that the security industry doesn't yet fully understand. Its misuse is potentially limited only by the fact that it's difficult for an attacker to automate the abuse of stolen biometrics in the same way they can with passwords. Biometrics can certainly bring convenience and a better customer authentication experience, but time will tell whether they deliver improved security over the passwords they are trying to replace. Meanwhile, financial service customers have the best of both worlds, as banks are still liable for any fraud unless they can prove that a customer was negligent.

This was last published in November 2016
