Multi-Factor Authentication and Voice Biometrics

Authentication Techniques Are Changing

Fraudsters have grown quite sophisticated in their efforts to steal valuable information, empty bank accounts, and maliciously damage computer systems. Historically, the answer for password-based system was generally to require more complex passwords. This approach usually only succeeded in making the login process more difficult for end users, and rarely did it make hacking any less difficult for fraudsters and their sophisticated techniques.

Newer approaches leverage Two-Factor Authentication (“2FA”) and Two-Step Authentication systems, explained in greater detail below. And although superior to a single factor authentication system, 2FA and 2-Step approaches nevertheless are vulnerable, especially to "friendly fraud" committed by close family members, friends, and co-workers.

Today's latest authentication solutions go beyond 2FA and Two-Step solutions, and are more generally referred to as Multi-Factor Authentication ("MFA") solutions.

With MFA approaches, three or more factors are typically employed in concert to further strengthen security, while minimizing end user inconvenience as much as possible. The remainder of this document provides background information on current approaches and then introduces a strategy for MFA solutions that utilize voice biometrics.

Multi-Factor Authentication - Why Now?

It is widely accepted by security experts across the globe that the best authentication solutions leverage factors from each of the following three categories:

Something you know, such as a shared secret (i.e., "what was your favorite place to vacation as a child?"). This is also referred to as Knowledge-Based Authentication (“KBA”).
Something you have, such as a driver's license or cell phone. Possessing something unique that no one else can possess helps to establish identity.
Something you are, such as a biometric. This can include: fingerprints, iris scans, voiceprints, etc. Physical attributes such as these can be measured, stored, and then re-measured and compared at a later time to establish identity.

Much of the fraud that is routinely committed today is "friendly fraud". Your close family members and friends have access to the "something you have" factor, and they often also know the "something you know" factor.

By adding a biometric (third) factor, even close family and friends are unable to authenticate as you. For this reason, MFA solutins are considered a significant step beyond 2FA and Two-Step authentication solutions. And while not every authentication scenario calls for MFA, they are increasingly becoming standard practice for many IT organizations.

Use of a Single Factor is Weak

The most common and least costly authentication method is the use of a user id and password. Passwords are a form of KBA that theoretically only you should know. Unfortunately, passwords are vulnerable to social engineering, and are also frequently written on notes left on or near the computer.

There are other forms of KBA too. Companies like Equifax and Experian specialize in capturing historical information about you. As a result, they can build up a series of questions related to your history, such as an address where you lived when you were younger, or the make of your first car. Some other companies require you to provide answers to secret questions, like your favorite movie, that you would then respond to at a later time to verify your identity.

Stronger forms of KBA help, but these techniques remain vulnerable to other people knowing your historical information or knowing answers to secret questions.

Plus, have you ever forgotten an answer to one of your secret questions when the questions were opinions and preferences? Unless the preference is strong and permanent, answers are easy to forget. And your history is not that difficult to research given the availability of public records online. For some applications, such as online learning, student cheating would be rampant with only KBA because a student could easily provide the secret answers to a surrogate test-taker. Furthermore, if a contact center needs to authenticate you using your secret questions, you expose those answers to the call center agent. With 40% turnover in the call center profession, that may not make you feel secure.

Increase Strength with a Second Factor

To address the weakness of KBA, the logical next step is to add a “something you have” or “something you are” factor. Relative to high security systems, many of these techniques have been deployed for years. For example, nuclear weapon sites deploy retinal scanners plus other biometrics.

And many Information Technology departments buy security tokens and give them to their employees. One form of token has a constantly changing password on the token device. Entering the current password at the time of authentication proves the person logging in has possession of the token at that time. Presumably, the holder of the token would have declared it stolen otherwise.

However, purchasing tokens and keeping track of them creates expense and operational overhead. Plus, the token could be lost or stolen with the loss going unreported for a period of time. And, waiting for a replacement token after loss or theft could be very inconvenient.

For consumer-oriented scenarios, giving out and managing millions of tokens is not economically or logistically feasible. In recent years however, the mobile phone has emerged as a token, so additional, special-purpose hardware is no longer needed.

Smartphones Emerge as a Factor

People tend to keep their smartphones close. According to a 2015 study conducted by Bank of America, as many as 71% of people sleep with their smartphones. And, if a person's smartphone gets lost or stolen, they are very likely to call their carrier and have their service discontinued on the old phone and turned on for a new phone.

For many people, a mobile phone or smartphone is a logical “something you have” factor for authentication.

2-Step and 2FA Authentication with Mobile Phones

The simplest authentication techniques which leverage mobile phones involve sending a text message with a one-time code, or placing an outbound call to the phone with an automated message repeating the code. Typically, the code then needs to be entered into a computer screen when trying to login to a web site, for example, or perhaps confirm the transfer of money in an online banking system. Strictly speaking, this is considered 2-Step Authentication, not Two-Factor Authentication. If interested, click here to see differences between the two: 2-Step vs. 2FA Authentication.

Why? Because the service would still work even if you did not have possession of that particular phone. For example, you may have your phone number forwarded to another phone or routed through an SMS messaging service not tied to a mobile device. And because authentication could happen without a particular phone, the phone is not a true 2FA factor in this scenario. However, some companies may decide that texts and phone calls to a mobile device are a “good enough” approximation of a true 2FA factor and are satisfied with 2-Step Authentication. This is a question of risk management.

SMS messages and outbound calls delivering codes are unencrypted and can be intercepted. In 2016, the National Institute of Standards declared that authentications using SMS are deprecated as a two-factor process.

The see an article about NIST's decision, click here for details. To achieve true 2FA with a mobile phone, it is necessary to install special software on the device. This software uses a certificate that positively identifies the device. The software can then generate passcodes similar to a security token, additionally proving the time of authentication. Google Authenticator uses an approach similar this.

2FA with a smartphone is better than 2-Step Authentication. However, if someone gains possession of your smartphone, you can still be highly vulnerable to fraud.

Voice Biometrics Increases Security

Whether you have a regular landline or the latest smartphone, using voice biometrics for the “something you are” component of an MFA strategy is relatively easy, cost-effective, and requires no specialized hardware or training. And, well-designed voice biometric applications deliver effective accuracy and adaptable levels of security.

There are many possible ways to leverage voice biometrics as part of your MFA strategy. Check out our Integration Examples page for some ideas of common integration scenarios that VBG is supporting globally. Also, chech out the Add Voice Biometrics to Mobile Apps article.

For now however, let's examine a couple simple ways for how we might use voice biometrics with a smartphone as an added factor to the 2-Step or 2FA methods outlined above. Consider the following example:

Notes:

User with Smartphone, and ideally the VBG Autenticator™ mobile app, logs into Computer System with multi-factor authentication (MFA). Note that VBG Authenticator™ users go through external, 3rd party phone validation and have a unique token assigned prior to usage, effectively adding another layer of security.
Computer System determines User needs voice authentication as one of the security factors and sends request via RESTful API to VBG Platform.
VBG Platform initiates mobile "push" to User's smartphone, which displays one-time passcode in VBG Authenticator™. Alternatively, in the absence of VBG Authenticator™, VBG Platform could initiate outbound phone call and use IVR Dialogs to achieve similar result.
User repeats one-time passcode, which is then sent back via RESTful API to VBG Platform for content-checking and voice biometric analysis.
VBG Platform communicates pass/fail result to Computer System.
Authenticated User is allowed to proceed.

As you can see, the use of voice biometrics with either regular phone or smartphone helps to address some of the limitations and concerns of 2-Step and 2FA authentication:

2-Step Techniques are improved, as even if the registered (non-smart) phone is forwarded to another phone for an outbound call, the user's voice is still required to complete the authentication process
2FA Techniques are also improved, as the VBG Authenticator™ app uses Google Firebase phone authentication PLUS we require voice biometric authentication. 2FA has just been turned into MFA!

Please contact VBG for further information about how to apply voice biometrics for Multi-Factor Authentication in your environment.