In an effort to leave passwords behind, Barclays has begun offering voice authentication for phone banking to all its retail banking customers in the United Kingdom.
The biometrics technology depends on customer voiceprints built up over the course of at least two phone calls with the bank.
The multinational bank and financial services company, headquartered in London, has been testing voice biometrics for a limited number of customers since 2013. In its announcement, the company stated, "Passwords will no longer be needed, because each voice is as unique as fingerprint."
"Barclays is constantly looking at ways to improve services for customers and make it easier for them to get things done quickly; this is the perfect example of technology that does exactly that," said Steven Cooper, CEO of personal banking at Barclays, in a press statement. "There's no need for customers to change how they bank with us, or in fact do anything differently at all -- just continue to use telephone banking in the same way. We're committed to providing options so that our customers can choose how they want to bank with us, and this is the latest iteration of that promise."
To register for its voice biometrics authentication program, Barclays said customers must call its telephone banking service, which initiates the creation of the digital voiceprint. "Once Barclays has collected a sufficient voiceprint over the course of multiple phone calls -- approximately three -- customers can opt to use voice security technology, rather than a password, to identify themselves."
Barclays' voice authentication system depends on voiceprints that are "made up of over 100 unique characteristics, which are based on the physical configuration of a speaker's mouth and throat."
The voice biometrics technology Barclays is using is supplied by Nuance Communications Inc. Another London-based multinational bank, HSBC, is offering a voice authentication program this summer to retail customers.
Voice biometrics: Pros and cons
While Barclays' voice authentication system is notable, experts said this kind of biometric technology -- and the concerns around it -- has been around for some time. "Voice has been around awhile," said Brendon Wilson, director of product management at Nok Nok Labs Inc., the authentication software vendor headquartered in Palo Alto, Calif. "When you call into a call center, there is a good possibility that your voice is being evaluated for antifraud purposes."
The problem with using voice biometrics for authentication is the same as with fingerprints or any other physical attribute. As Graham Cluley, the independent security adviser, noted in a blog post, "if my 'voice print' [sic] ever gets compromised (and we've seen that happen with fingerprints before), I don't have an option of changing it. But I can change a password any time [sic] I like."
"The biometric matching done by U.K. banks is typically performed on a server where you would have a large database of voiceprints," Wilson told SearchSecurity by email. "One issue with all server-side biometric matching is the possibility that the central database gets compromised. A centralized database of biometric information is a prime target for compromise, as the U.S. Office of Personnel Management and the Philippine Commission on Elections found out when they lost millions of fingerprint records."
Wilson said when authentication is done by matching biometric measurement against a server-based system, "the biometric comparison happens on a remote server against a database of biometric templates; in essence, this approach replaces the password with the biometric -- voice, face -- and, hence, doesn't significantly change the security of the solution. As many in the security industry are quick to point out, you can't reset your voice once it's been stolen -- that's a real risk when you're only performing a server-side check."
But "properly designed client-side biometrics," Wilson said, such as Apple Touch ID or FIDO Alliance-certified devices, maintain the actual biometric data on the device.
"Possession of a recording of the user's voice -- or face, or fingerprint -- is not enough to compromise the system; an attacker needs both the user's device and the ability to bypass the client-side biometric check."
However, Brett Beranek, director of product strategy for voice biometrics at Nuance, described the top three attack vectors against voice biometrics in a blog post last year: brute-force attacks, recording attacks and synthetic speech attacks.
With brute-force attacks, the malicious actor repeatedly attempts to use their own voice to unlock accounts; if the attack fails, they try a different account. The defense against this type of attack, Beranek wrote, is to flag when the same voice is detected attempting to authenticate multiple accounts, and add that voice to a fraudster blacklist.
Attackers using audio recordings of a legitimate account holder can be addressed by detection of audio anomalies that are the byproduct of the recording and playback process -- as well as by using liveness tests, in which the account holder is prompted for a random phrase that is unlikely to have been prerecorded by the attacker. Synthetic speech attacks can be defeated by using synthetic speech detection algorithms that can detect voices that have been created or modified by software.
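The cross-account check Beranek describes for brute-force attempts can be sketched as follows. This is an added example, not Nuance's or Barclays' code; the three-dimensional embeddings, the similarity threshold and the account limit are constructed assumptions chosen for readability.

```python
import math

# Constructed sample data: one (account_id, voice_embedding) pair per
# authentication attempt. Production voiceprints have far more dimensions.
ATTEMPTS = [
    ("acct-1001", (0.90, 0.10, 0.40)),  # caller A
    ("acct-2002", (0.10, 0.95, 0.20)),  # caller B on their own account
    ("acct-1002", (0.88, 0.12, 0.42)),  # caller A, different account
    ("acct-2002", (0.12, 0.93, 0.22)),  # caller B retrying the same account
    ("acct-1003", (0.91, 0.09, 0.38)),  # caller A, third account
]


def cosine(a, b):
    """Cosine similarity between two embedding vectors."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    return dot / (norm_a * norm_b)


def find_cross_account_voices(attempts, same_voice=0.98, max_accounts=2):
    """Return the account lists of voices heard on too many accounts.

    Attempts are grouped by voice: an attempt joins the first group whose
    reference embedding is at least `same_voice` similar (assumed threshold).
    A group touching more than `max_accounts` distinct accounts is reported
    as a candidate for the fraud watchlist. The limit is above one because a
    legitimate caller may hold more than one account (assumption).
    """
    groups = []  # each group: {"ref": embedding, "accounts": set of ids}
    for account, embedding in attempts:
        for group in groups:
            if cosine(group["ref"], embedding) >= same_voice:
                group["accounts"].add(account)
                break
        else:
            groups.append({"ref": embedding, "accounts": {account}})
    return [sorted(g["accounts"]) for g in groups
            if len(g["accounts"]) > max_accounts]


if __name__ == "__main__":
    for accounts in find_cross_account_voices(ATTEMPTS):
        print("same voice attempted:", ", ".join(accounts))
```

Repeated attempts against a single account, such as caller B's retry, do not trigger the check; only the spread of one voice across distinct accounts does.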
The voice biometrics in use at Barclays may be reliable, as long as legitimate users' voiceprints can be matched to their stored voiceprint. Lucy Hopkins, vice president of media relations for personal banking at Barclays, said in an email to SearchSecurity: "If we are unable to establish a match to the voiceprint, then our standard verification methods will be used to allow customers to access their account."
Cluley noted this fallback to "standard verification methods" means "all a criminal has to do is call up from somewhere with a lot of noise in the background, or pretend to have a blocked up nose, and they'll revert to good old-fashioned passwords anyway."