Barclays replaces passwords with voice authentication

Barclays is offering U.K. retail banking customers the option to do voice authentication instead of using passwords, with voiceprints that are as unique as fingerprints.

In an effort to leave passwords behind, Barclays has begun offering voice authentication for phone banking to all its retail banking customers in the United Kingdom.

The biometrics technology depends on customer voiceprints built up over the course of at least two phone calls with the bank.

The multinational bank and financial services company, headquartered in London, has been testing voice biometrics for a limited number of customers since 2013. In its announcement, the company stated, "Passwords will no longer be needed, because each voice is as unique as fingerprint."

"Barclays is constantly looking at ways to improve services for customers and make it easier for them to get things done quickly; this is the perfect example of technology that does exactly that," said Steven Cooper, CEO of personal banking at Barclays, in a press statement. "There's no need for customers to change how they bank with us, or in fact do anything differently at all -- just continue to use telephone banking in the same way. We're committed to providing options so that our customers can choose how they want to bank with us, and this is the latest iteration of that promise."

To register for its voice biometrics authentication program, Barclays said customers must call its telephone banking service, which initiates the creation of the digital voiceprint. "Once Barclays has collected a sufficient voiceprint over the course of multiple phone calls -- approximately three -- customers can opt to use voice security technology, rather than a password, to identify themselves."

Barclays' voice authentication system depends on voiceprints that are "made up of over 100 unique characteristics, which are based on the physical configuration of a speaker's mouth and throat."

The voice biometrics technology Barclays is using is supplied by Nuance Communications Inc. Another London-based multinational bank, HSBC, is offering a voice authentication program this summer to retail customers.

Voice biometrics: Pros and cons

While Barclays' voice authentication system is notable, experts said this kind of biometric technology -- and the concerns around it -- has been in use for some time. "Voice has been around awhile," said Brendon Wilson, director of product management at Nok Nok Labs Inc., the authentication software vendor headquartered in Palo Alto, Calif. "When you call into a call center, there is a good possibility that your voice is being evaluated for antifraud purposes."

The problem with using voice biometrics for authentication is the same as with fingerprints or any other physical attribute. As Graham Cluley, the independent security adviser, noted in a blog post, "if my 'voice print' [sic] ever gets compromised (and we've seen that happen with fingerprints before), I don't have an option of changing it. But I can change a password any time [sic] I like."

"The biometric matching done by U.K. banks is typically performed on a server where you would have a large database of voiceprints," Wilson told SearchSecurity by email. "One issue with all server-side biometric matching is the possibility that the central database gets compromised. A centralized database of biometric information is a prime target for compromise, as the U.S. Office of Personnel Management and the Philippine Commission on Elections found out when they lost millions of fingerprint records."

Wilson said when authentication is done by matching biometric measurement against a server-based system, "the biometric comparison happens on a remote server against a database of biometric templates; in essence, this approach replaces the password with the biometric -- voice, face -- and, hence, doesn't significantly change the security of the solution. As many in the security industry are quick to point out, you can't reset your voice once it's been stolen -- that's a real risk when you're only performing a server-side check."

But "properly designed client-side biometrics," Wilson said, such as Apple Touch ID or FIDO Alliance-certified devices, maintain the actual biometric data on the device.

"Possession of a recording of the user's voice -- or face, or fingerprint -- is not enough to compromise the system; an attacker needs both the user's device and the ability to bypass the client-side biometric check."

However, Brett Beranek, director of product strategy for voice biometrics at Nuance, described the top three attack vectors against voice biometrics in a blog post last year: brute-force attacks, recording attacks and synthetic speech attacks.

With brute-force attacks, the malicious actor repeatedly attempts to use their own voice to unlock accounts; if the attack fails, they try a different account. The defense against this type of attack, Beranek wrote, is to flag when the same voice is detected attempting to authenticate multiple accounts, and add that voice to a fraudster blacklist.
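The cross-account check described above can be sketched as follows. This is an added example, not code from Nuance or Barclays. The three-value voice embeddings, the account and call identifiers, the 0.95 similarity threshold and the three-account limit are all constructed assumptions; a production system would use its own voiceprint features and tuned thresholds.

```python
import math

def cosine(a, b):
    """Cosine similarity between two voice feature vectors."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm

def flag_cross_account_voices(attempts, sim_threshold=0.95, max_accounts=3):
    """Group authentication attempts by voice similarity and return the
    voices heard on at least `max_accounts` distinct accounts."""
    clusters = []  # one entry per distinct voice seen so far
    for call_id, account, emb in attempts:
        match = None
        for c in clusters:
            if cosine(c["ref"], emb) >= sim_threshold:
                match = c
                break
        if match is None:
            # First time this voice is heard: start a new cluster.
            match = {"ref": emb, "accounts": set(), "calls": []}
            clusters.append(match)
        match["accounts"].add(account)
        match["calls"].append(call_id)
    # A genuine customer repeats on one account; the brute-force
    # pattern is one voice spread across many accounts.
    return [c for c in clusters if len(c["accounts"]) >= max_accounts]

# Constructed sample data: (call id, account claimed, voice embedding).
ATTEMPTS = [
    ("c1", "acct-1001", [0.90, 0.10, 0.40]),
    ("c2", "acct-2002", [0.10, 0.95, 0.20]),  # caller X
    ("c3", "acct-1001", [0.88, 0.12, 0.42]),  # same customer, second call
    ("c4", "acct-3003", [0.12, 0.93, 0.22]),  # caller X, different account
    ("c5", "acct-4004", [0.09, 0.96, 0.19]),  # caller X, different account
    ("c6", "acct-5005", [0.50, 0.20, 0.85]),
]

def blocklist_candidates():
    """Voices in the sample data that should go to fraud review."""
    return flag_cross_account_voices(ATTEMPTS)

if __name__ == "__main__":
    for voice in blocklist_candidates():
        print(sorted(voice["accounts"]), voice["calls"])
```

The repeat caller on acct-1001 is not flagged, because the rule counts distinct accounts per voice rather than attempts per voice.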

Attackers using audio recordings of a legitimate account holder can be addressed by detection of audio anomalies that are the byproduct of the recording and playback process -- as well as by using liveness tests, in which the account holder is prompted for a random phrase that is unlikely to have been prerecorded by the attacker. Synthetic speech attacks can be defeated by using synthetic speech detection algorithms that can detect voices that have been created or modified by software.

The voice biometrics in use at Barclays may be reliable, as long as legitimate users' voiceprints can be matched to their stored voiceprint. Lucy Hopkins, vice president of media relations for personal banking at Barclays, said in an email to SearchSecurity: "If we are unable to establish a match to the voiceprint, then our standard verification methods will be used to allow customers to access their account."

Cluley noted this fallback to "standard verification methods" means "all a criminal has to do is call up from somewhere with a lot of noise in the background, or pretend to have a blocked up nose, and they'll revert to good old-fashioned passwords anyway."

Do you believe voice biometrics can be sufficiently resistant to attack for retail banking customers? Why or why not?
Certainly not.  The reason is very clear as illustrated in this video.  
So, in other words, having the system rollback to traditional password/userID means that it is even more vulnerable to attack:
  • Cluley noted this fallback to "standard verification methods" means "all a criminal has to do is call up from somewhere with a lot of noise in the background, or pretend to have a blocked up nose, and they'll revert to good old-fashioned passwords anyway."
No. I have seen a few tech shows where they test out biometric security and they all failed. Some took a little longer to get around but nothing was foolproof.
Of course everyone knows that biometrics are the solution for the future. Unfortunately, everyone also knows that the future hasn't arrived yet. We still haven't figured out how to make our data secure and accessible at the same time. Until we solve that it seems that every solution will fail.
My question would be if you had a real bad cold or laryngitis, would it still recognize you or would you be locked out of your account until you were well?
Good question ToddN2000. I'd also wonder if a really good recording of my voice would work as well as my voice. Is the technology so advanced that this will work over POTS lines? Our record of ironclad security hasn't been very good until now. Why can I trust this now...? 
Also look at the great impersonators and comics we have seen over the years. Because they impersonate celebrities, the celebrity would have much more to lose in their account than the average person. Recordings as well. Would a good audio specialist with good equipment be able to piece together an access word from bits and pieces of recorded media?