Voiceprint Recognition System

Discovered one of our investment firms has voiceprint recognition for authentication when calling in. How cool would this be if every website login supported, “yes it’s me”. No more typing username/password, password managers, QRcode scanning, hardware keys, MFA?

from their FAQs

What is a Voiceprint?
A voiceprint is a digital representation of characteristics in your voice, such as pitch and accent. It is a digital combination of behavioral and physical patterns in your voice and is not a recording of what you are saying. Voiceprints are unique to each individual.

How does Voiceprint work?
As you speak with one of our customer service representatives, your unique voiceprint is created from more than 100 different physical and behavioral characteristics such as pitch and accent. Once your voiceprint is created, we can use your voice to quickly verify it’s you and reduce the need for you to answer additional security questions every time you call.

Is it secure?
Yes. Our technology is a secure way of verifying callers. Unlike passwords or PINs, your voiceprint can’t be guessed. It is also not a recording and can’t be used to gain access to any other system or to create a sound recording of your voice.

What if someone else tries to imitate my voice? Could someone use a recording of my voice to pose as me?
No, our technology is designed to safeguard against voice recordings and will reject any caller whose voiceprint does not match yours. Your voiceprint is a combination of both the physical and behavioral characteristics of your voice, which is not accessible within a recording.

What if I’m sick or have a cold? What if my voice changes over time? Will it still recognize me?
Yes. Our technology will still be able to recognize you if you have a cold or other illness that may alter the tones and pitches of your voice. It can also recognize subtle changes in your voice over time.

What happens if my Voiceprint is not recognized?
If we are unable to verify your identity through your voiceprint, we will verify it by asking you security questions. You will still be able to access your account.

1 Like

We use an MFA solution that offers phone call authentication in addition to SMS, push notifications, and TOTP codes. It doesn’t do voiceprint recognition, but a phone call is still involved. I don’t think we’ve had a single use opt to use it instead of push notification or SMS. The tech behind the voiceprint seems impressive but IMO a phone call is disruptive. I’d prefer to just enter my TOTP code or scan the SQRL login.

It’s important that they don’t allow too many retries before lockout. HSBC introduced it but didn’t lock it down tightly enough, and a BBC reporter was able to get into his brother’s account by mimicking his voice, although it took eight tries:

Edit: it was the brother who mimicked the reporter’s voice. Same problem.

Using the microphone on mobile or portable devices would seem to be non-disruptive?

Anyone can find biometric authentication breach stories but if this chart is creditable, it would appear voiceprint is top in class.

As per the United States National Biosignature Test Center at San Jose University, “Fundamentals of Biometric Technology,” below is a quick comparison of types of biometrics signatures based on various factors:
“ScreenCapture” 2019-12-27 at 11.13.39 AM

That’s a fair point, I assumed a phone call would be involved. I still prefer not to speak to electronics unless they can intelligently speak back.

1 Like

I would counter that by receiving a successful login after submitting my voiceprint. Seems like a similar experience with voice assistants however nowhere close to a voiceprint authentication system.

This is as absurd as submitting to a DNA scan for convenience at airports, in my book. A more expedient hand-shake for tokens is far preferable, IMO, for a host of reasons. A phone call is a lot slower and less convenient than a Yubi-Key button-tap, for example. Just because some want “alternatives” doesn’t mean the trade-off’s of a given one are anywhere near worthwhile or proportionate. File also with free products and social media.

1 Like

I have some experience of voice biometrics in the financial services industry. It is used as an additional indication of whether the person is who they say they are not not just somebody who has managed to phish their account details. Its not used as an authentication factor but it can be used to let get the agent know they they have perform to some additional authentication. Often a person having a cold or a sore throat can make a big difference so its not accurate enough yet in my experience for to be an authentication factor in isolation.

1 Like