Multi-Factor Authentication and Voice Biometrics

Learn how to leverage voice biometrics within your multi-factor authentication (MFA) strategy.

Image Description

Authentication Techniques Are Changing

Authenticating computer users has grown more challenging due to increased and widespread activity among fraudsters who are working to steal valuable information, empty bank accounts, and maliciously damage computer systems. Historically, the answer was generally to require more complex passwords. This approach limited the authentication process to one factor and only succeeded in making the login process more difficult for end users. Rarely did this approach make password hacking any less difficult for fraudsters and their hacking techniques.

The ideal solution will achieve higher security while at the same time reducing the complexity of the authentication process for the normal user. Newer techniques attempt to get closer to this ideal.

One prevalient approach today is to leverage Two-Factor Authentication (“2FA”) and Two-Step Authentication systems, explained in greater detail below. Although superior to a single factor, 2FA and 2-Step approaches nevertheless are vulnerable, especially to "friendly fraud" committed by close family members, friends, and co-workers.

Today, the latest solutions being advocated go beyond 2FA and Two-Step solutions, and are more generally referred to as Multi-Factor Authentication ("MFA") solutions. With these solutions, 3 or more factors are typically employed in concert to further strengthen security, while minimizing end user inconvenience as much as possible. The remainder of this document provides background information on current approaches and then discusses a strategy for robust MFA solutions that utilize voice biometrics.

Multi-Factor Authentication - Why Now?

It is widely accepted by security experts across the globe that the best authentication solutions leverage factors from each of the following three categories:

  • Something you know, such as a shared secret (i.e., "what was your favorite place to vacation as a child?"). This is also referred to as Knowledge-Based Authentication (“KBA”).
  • Something you have, such as a driver's license or cell phone. Possessing something unique that no one else can possess helps to establish identity.
  • Something you are, such as a biometric. This can include: fingerprints, iris scans, voiceprints, etc. Physical attributes such as these can be measured, stored, and then re-measured and compared at a later time to establish identity.

Many people don't realize that much of the fraud that is routinely committed is "friendly fraud". Your close family members and friends have access to the "somehthing you have" factor, and they often also know the "something you know" factor. By adding a biometric (third) factor, even close family and friends are unable to authenticate as you. For this reason, MFA solutins are considered a significant step beyond 2FA and Two-Step authentication solutions. And while not every authentication scenario calls for MFA, they are increasingly becoming standard practice for many IT organizations.

Use of a Single Factor is Weak

The most common and least costly authentication method is the use of a user id and password. Passwords are a form of KBA that theoretically only you should know. Unfortunately, passwords are vulnerable to social engineering, and are often exposed on sticky notes out of ignorance or laziness.

Passwords are ultimately weak because they can routinely be compromised by fraudsters using social engineering and/or brute-force attacks. So, companies are requiring additional factors to strengthen the process of proving identity. One method is to extend the use of KBA. Companies like Equifax and Experian specialize in capturing historical information about you. As a result, they can build up a series of questions related to your history that other people are not likely to know, such as an address where you lived when you were younger, or the make of your first car. Or, companies may require you to provide answers to secret questions, like your favorite movie, that you would then respond to at a later time to verify your identity.

Stronger forms of KBA helps, but it remains vulnerable to other people knowing your historical information or knowing answers to secret questions. Plus, have you ever forgotten an answer to one of your secret questions when the questions were opinions and preferences? Unless the preference is strong and permanent, answers are easy to forget. And your history is not that difficult to research given the availability of public records online. For some applications, such as online learning, student cheating would be rampant with only KBA because a student could easily provide the secret answers to a surrogate test-taker. Furthermore, if a contact center needs to authenticate you using your secret questions, you expose those answers to the call center agent. With 40% turnover in the call center profession, that may not make you feel secure.

Increase Strength with a Second Factor

To address the weakness of KBA, the logical next step is to add a “something you have” or “something you are” factor. Relative to high security systems, many of these techniques have been deployed for years. For example, nuclear weapon sites deploy retinal scanners plus other biometrics. And many Information Technology departments buy security tokens and give them to their employees. One form of token has a constantly changing password on the token device. Entering the current password at the time of authentication proves the person logging in has possession of the token at that time. Presumably, the holder of the token would have declared it stolen otherwise.

However, purchasing tokens and keeping track of them creates expense and operational overhead. Plus, the token could be lost or stolen with the loss going unreported for a period of time. For consumer-oriented scenarios, giving out and managing millions of tokens is not economically or logistically feasible. In recent years, a new option emerged. The invention and subsequent widespread adoption of smartphones has enabled a security token that no longer requires special-purpose hardware.

Smartphones Emerge as a Factor

Consumers generally keep their smartphones close. According to a 2015 study conducted by Bank of America, as many as 71% of people sleep with their smartphones. And, if a consumer's smartphone gets lost or stolen, they are very likely to call the carrier and have the service discontinued on the old phone and turned on for a new phone. Therefore, for many people, a mobile phone is a logical “something you have” factor for authentication.

One approach is to simply send a text message or place an outbound call to the smartphone. The text may be a secret passcode that has to be entered into a screen when trying to login to a web page, for example, or send a transfer of money in an online banking screen.

Strictly speaking, this is considered a 2-Step Authentication rather than a Two-Factor Authentication (click here to see a diagram showing the differences). Why? Because the service would still work even if you did not have possession of that particular phone. For example, you may have your phone number forwarded to another phone or routed through an SMS messaging service not tied to a mobile device. (Landline phones can now support SMS services when properly configured). Authentication via a text message requires a second piece of knowledge, the additional passcode, regardless of whether you got the information through the text channel or not. Because authentication could happen without that particular phone device, the phone is not a true 2FA factor in this scenario. However, for many situations, a company may decide to consider texts and phone calls to a mobile device as a “good enough” approximation of a true 2FA factor and be satisfied with 2-Step Authentication. This is a question of risk management.

On the other hand, precisely because SMS messages can be intercepted, in 2016 the National Institute of Standards declared that authentications using SMS are deprecated as a two-factor process (click here for details). To achieve true 2FA with a mobile phone, it is necessary to install special software on the device. This software uses a certificate that positively identifies the device. The software can then generate passwords similar to a security token (thus additionally proving the time of authentication) or prove its identity by exchanging certificate information. This is the approach companies like Google and Apple deploy. The only way to break this factor is to steal or otherwise have possession of the actual device.

For consumers or employees logging into web pages or speaking with a contact center, the special app on the mobile phone becomes a provisioning and support issue, as well as an inconvenience to the user. And of course, imagine the scenario where your phone is stolen and a company is forced to fall back on using only KBA because you no longer have possession of your second factor. This is exactly the scenario a fraudster may induce in order to make you vulnerable.

Voice Biometrics Increases Security

Advances in sensors and computing power have now made it possible for “something you are” to become a regular part of the authentication process. For example, smartphones with fingerprint sensors and facial recognition make life easier for everyday phone use. However, most biometric sensors require a hardware device sensing or scanning some part of your body, whether your fingers, your face, your retinas, your gait, or your typing. The one biometric that is convenient to use remotely and also leverages equipment that is readily available is one’s voice.

Well-designed voice biometric applications deliver effective accuracy and adaptable levels of security. They can also be active or passive, meaning that the user may not be aware the voice biometric analysis is taking place, particularly useful for fraud detection. And voice biometrics works well over a telephone, whether a smartphone, flip phone, or landline phone. This means that voice biometrics is a flexible and accessible second or third factor for authentication with no added special equipment or operational management of the equipment required.

As a result, voice biometrics provides a powerful, readily-available, and cost-effective deterrent to fraud and corruption. Consider, for example, the ease which an IT analyst can manipulate information in a government database. Audit trails will track the analyst's activities, but what if the analyst's credentials were stolen or compromised? What other way is available to confirm identity without the inconvenience and expense of special equipment or as an additional factor for especially sensitive information? Here is one possible answer using VBG technology:

  • Analyst logs into system
  • Analyst performs routine functions
  • Analyst requests to perform sensitive transaction to update asset information
  • Voice bio system calls analyst at the prescribed number
  • Computer system displays a random set of four or five numbers on screen
  • Analyst must speak the numbers and have a voice match in order to proceed
  • Analyst can be allowed to retry if a failure occurs due to audio quality
  • System may optionally request another set of random numbers as extra protection

The following video shows this process in a configuration suitable for a Proof-Of-Concept. It uses Cloud resources to quickly enable a trial configuration. If satisfactory, it is then straightforward to continue using Cloud resources or move some or all of the components into your own data center.


Furthermore, you can adapt these concepts to suit your environment. For example, you can change the following:

  • Capture audio directly through the workstation rather than the mobile phone, thus eliminating the IVR
  • Use our Mobile SDK to enable a mobile application to collect the audio, thus eliminating the IVR
  • Put the primary intelligence of your biometric application into a mobile application

Please contact VBG for further information about how to apply voice biometrics for Multi-Factor Authentication in your environment.

Want to Read More?

All Documents in this Series

Click on the title of the document you want to read next

Contact Us

Do You Have Any Questions?

Please let us know how we can help you and we'll respond promptly!

Image Description