Multi-Factor Authentication That Leverages Voice Biometrics

Authenticating computer users grows more challenging as fraudsters attempt to break into computer systems to steal valuable information, fraudulently drain bank accounts, and maliciously damage computer systems. How can Information Technology organizations possibly combat this escalating threat? To date, the answer has generally been requiring more complex passwords. But that in turn results in more onerous processes and difficulty for the normal user while not necessarily making computer-generated attacks less effective[source]. The ideal solution will achieve higher security while at the same time reducing the complexity of the authentication process for the normal user.

The current attempt at achieving a more ideal solution consists of Two-Factor Authentication (“2FA”) and Two-Step Authentication systems, explained in greater detail below. These are coming into common use at a consumer level. Although superior to a single factor, the two-factor approaches nevertheless are vulnerable, especially to insider fraud. The solution in the coming years goes beyond today’s two-factor and two-step solutions, more generally referred to as Multi-Factor Authentication, or “MFA” for short. The remainder of this document provides background information on current approaches and then discusses a strategy for robust MFA solutions that impose minimal impedance to the login process for normal users.

Potential Factors In Multi-Factor Authentication

It is well accepted among all security experts that authenticating a person’s identity requires evidence from one of three categories:

  • Something you know, also referred to as Knowledge-Based Authentication (“KBA”), that ideally only you know
  • Something you have, commonly referred to as a security token, a “thing” that is verified to be in your possession; thus having possession of the token proves your identity
  • Something you physically are, such as a fingerprint or voiceprint, that can be measured, stored, and then measured and compared at a later time to prove your identity

Single-Factor Is Weak

The most common and least costly authentication is a password. It is a form of KBA. Only you should know your password. That’s in theory, of course. Passwords are weak, highly vulnerable to social engineering and often exposed on sticky notes out of ignorance or laziness.

Passwords are ultimately weak because they are compromised by fraudsters using social engineering as well as brute-force guessing methods. Thus, companies are using additional factors from all three authentication categories to strengthen the process of proving identity. One method is building on KBA. Companies like Equifax and Experian specialize in capturing historical information about you. As a result, they can build up a series of questions related to your history that other people are not likely to know, such as an address where you lived when you were younger. Or a company may require you to provide answers to secret questions, like your favorite movie, that you would then respond to at a later time to verify your identity.

Strong KBA helps. But it remains vulnerable to other people knowing your historical information or knowing answers to secret questions. Plus, have you ever forgotten your answer to the secret questions when the questions were opinions and preferences? Unless the preference is strong and permanent, answers are easy to forget. And your history is not that difficult to research given the availability of public records online. For some applications, such as online learning, student cheating would be rampant with only KBA because a student could easily provide the secret answers to a surrogate test-taker. Furthermore, if a contact center needs to authenticate you using your secret questions, you expose those answers to the call center agent. With 40% turnover in the call center profession, that may not make you feel secure.

Increase Strength With A Second Factor

To address the weakness of KBA, the logical next step is to add a “something you have” or “something you are” factor. For high security systems, these have been deployed for many years. For example, nuclear weapon sites deploy retinal scanners plus other biometrics. And many Information Technology departments buy security tokens and give them to their employees. One form of token has a constantly changing password on the token device. Entering the current password at the time of authentication proves the person logging in has possession of the token at that time. Presumably, the holder of the token would have declared it stolen otherwise.

However, buying the tokens and then keeping track of them creates expense and operational headaches. Plus, the token could be stolen with the theft going unreported for a period of time. For consumer-oriented scenarios, giving out and managing millions of tokens is not economically or logistically feasible. In 2007, a new option emerged. The invention and subsequent widespread adoption of smartphones has enabled a security token that no longer requires special-purpose hardware.

Smartphones Emerge As Second Factor

Consumers generally keep their smartphones close. As many as 71% of people sleep with their phones [1]. And if it gets lost or stolen, a consumer is likely to call the carrier and have the service discontinued on the old phone and turned on for a new phone. Therefore, for many people, a mobile phone is a logical “something you have” factor for authentication.

One approach is to simply send a text message or place a phone call to the phone. The text may contain a secret passcode that has to be entered on screen when, for example, logging in to a web page or sending a transfer of money in online banking.

Strictly speaking, this is considered a Two-Step Authentication rather than a Two-Factor Authentication [2]. Why? Because the service would still work even if you did not have possession of that particular phone. For example, you may have your phone number forwarded to another phone or routed through an SMS messaging service not tied to a mobile device. (Landline phones can now support SMS services when properly configured.) The authentication via a text message requires a second piece of knowledge, the additional passcode, regardless of whether you got the information through the text channel or not. Because authentication could happen without that particular phone device, the phone is not a true second factor in this scenario. However, for many situations, a company may decide to consider texts and phone calls to a mobile device as a “good enough” approximation of a true second factor and be satisfied with Two-Step Authentication. This is a question of risk management.

On the other hand, precisely because SMS can be intercepted, the National Institute of Standards will be declaring that authentications using SMS are deprecated as a two-factor process [3]. To achieve true Two-Factor Authentication with a mobile phone, it is necessary to install special software on the device. This software uses a certificate that positively identifies the device. The software can then generate passwords similar to a security token (thus additionally proving the time of authentication) or prove its identity by exchanging certificate information. This is the approach companies like Google, Duo, and Apple deploy. The only way to break this factor is to steal or otherwise have possession of the actual device.

For consumers or employees logging into web pages or speaking with a contact center, the special app on the mobile phone becomes a management hassle as well as an inconvenience. And of course, imagine the scenario where your phone is stolen and a company is forced to fall back on only KBA because you no longer have possession of your second factor. This is exactly the scenario a fraudster may induce in order to make you vulnerable.

Voice Biometrics Increases Security

Advances in sensors and computing power have now made it possible for “something you are” to become part of the authentication process. For example, smartphones with fingerprint sensors and facial recognition make life easier for everyday phone use. However, most biometric sensors require a hardware device sensing or scanning some part of your body, whether your fingers, your face, your retinas, your gait, or your typing. The one biometric that is convenient to use remotely and also leverages equipment that is already nearly ubiquitously available is one’s voice.

Well-designed voice biometric applications deliver effective accuracy and adaptable levels of security. They can also be active or passive, meaning that the user may not be aware the voice biometric analysis is taking place, particularly useful for fraud detection. And voice biometrics works well over a telephone, whether a smartphone, flip phone, or landline phone. This means that voice biometrics is a flexible and accessible second or third factor for authentication with no added equipment or operational management of the equipment required.

As a result, in the realm of administrative and operational security of computing systems, voice biometrics provides a powerful deterrent to fraud and corruption. Consider, for example, the power that an operations person has to manipulate information in a government database. Certainly audit trails track what the operator does, but what if the operator's credentials were stolen or compromised? What other way is available to confirm identity without the inconvenience and expense of special equipment or as an additional factor for especially sensitive information? One answer is the following:

  1. Operator logs into system
  2. Operator performs routine functions
  3. Operator requests to perform sensitive transaction to update asset information
  4. Voice bio system calls Operator at the prescribed number
  5. Computer system displays a random set of four or five numbers on screen
  6. Operator must speak the numbers
  7. Operator is allowed up to two retries for failures due to audio quality
  8. System may optionally request another set of random numbers as extra protection
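
The eight steps above, sketched as a server-side state machine. This is an added example, not the vendor's code. The voice engine is assumed to report three values per utterance (the digits it heard, a speaker-match score, and whether the audio was usable); the class name, the 60-second lifetime and the 0.80 threshold are likewise assumptions.

```python
import secrets
import time
from dataclasses import dataclass, field

MAX_RETRIES = 2         # step 7: up to two retries for audio-quality failures
CHALLENGE_TTL = 60.0    # assumed: seconds a displayed digit set stays valid
MATCH_THRESHOLD = 0.80  # assumed: minimum speaker-match score to accept


def new_digits(n: int = 5) -> str:
    """Step 5: digits from the OS CSPRNG, so a recording cannot be prepared in advance."""
    return "".join(secrets.choice("0123456789") for _ in range(n))


@dataclass
class StepUpChallenge:
    operator: str
    transaction: str                 # the sensitive request this approval is bound to
    rounds: int = 1                  # step 8: set to 2 to demand a second digit set
    retries_left: int = MAX_RETRIES
    digits: str = field(default_factory=new_digits)
    issued: float = field(default_factory=time.monotonic)
    state: str = "PENDING"           # PENDING -> APPROVED or DENIED

    def _reissue(self, now: float) -> None:
        # Design choice in this sketch: every retry or extra round shows fresh digits.
        self.digits, self.issued = new_digits(), now

    def submit(self, heard: str, score: float, audio_ok: bool, now=None) -> str:
        """Apply one voice-engine result; authorize only when this returns 'APPROVED'."""
        now = time.monotonic() if now is None else now
        if self.state != "PENDING":
            return "CLOSED"                      # a decided challenge is never reused
        if now - self.issued > CHALLENGE_TTL:
            self.state = "DENIED"                # stale digits
        elif not audio_ok:
            if self.retries_left == 0:
                self.state = "DENIED"
            else:
                self.retries_left -= 1
                self._reissue(now)
        elif heard == self.digits and score >= MATCH_THRESHOLD:
            self.rounds -= 1
            if self.rounds == 0:
                self.state = "APPROVED"
            else:
                self._reissue(now)
        else:
            self.state = "DENIED"                # wrong digits or wrong speaker: no retry
        return self.state
```

Only audio-quality failures consume a retry; a clear utterance with the wrong digits or a low speaker score ends the challenge, so a replayed recording or a different speaker does not get repeated attempts.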

The following video shows this process in a configuration suitable for a Proof-Of-Concept. It uses Cloud resources to quickly enable a trial configuration. If satisfactory, it is then straightforward to continue using Cloud resources or move some or all of the components into your own data center.


Furthermore, you can adapt these concepts to suit your environment. For example, you can change the following:

  • Capture audio directly through the workstation rather than the mobile phone, thus eliminating the IVR
  • Use our Mobile SDK to enable a mobile application to collect the audio, thus eliminating the IVR
  • Put the primary intelligence of your biometric application into a mobile application

To take action on a Proof-Of-Concept or to discuss how to apply voice biometrics for Multi-Factor Authentication in your environment, Contact Us.

[1] http://newsroom.bankofamerica.com/files/doc_library/additional/2015_BAC_Trends_in_Consumer_Mobility_Report.pdf

[2] https://paul.reviews/the-difference-between-two-factor-and-two-step-authentication/

[3] https://techcrunch.com/2016/07/25/nist-declares-the-age-of-sms-based-2-factor-authentication-over/