Biometric technologies have become ubiquitous in today’s digital-first world, revolutionizing the way we authenticate and verify identity remotely. There are a variety of biometric modalities that organizations are using to confirm the identity of their users.
One popular option has been voice biometrics, which has gained significant traction in the private banking and wealth management sectors. This technology has been adopted to make customer authentication faster and safer – the working principle behind voice biometrics is that people have their voice with them all the time, and that each voice should “belong” to only one individual.
However, voice biometric technology has been making the headlines recently – gaining a reputation for being among the “easiest of biometrics to clone”. Synthetic “voice cloning” technology in particular has become a preeminent risk, as the tools used to realistically dupe voices grow more accessible by the day. A high-quality synthetic voice sample can easily fool the human ear, with MIT and Google reporting that a minute of voice data is all that’s needed to create convincing, human-quality audio.
Cloning is not the only weakness however, as there are additional concerns with the identity assurance, performance, and accessibility that voice biometrics can provide.
This blog is the first part of a series on voice biometrics. The series will detail the performance, effectiveness, and the development of AI-generated synthetic voice technology, as well as the potential for stronger security using biometric face verification. In this article, we’ll examine whether voice biometrics should still play a role in financial transactions.
What is Voice Biometrics?
Voice biometric technology measures the physical and behavioral markers in an individual’s speech in order to confirm their identity. The technology works by comparing features in a given audio sample (or live audio feed) against a template “voiceprint” obtained from previous recording(s).
With the dramatic rise of digital banking, voice biometrics has become a popular form of authentication for financial institutions. Customer service calls have traditionally played an important role in the banking experience, and voice biometrics allow customer authentication within the same communication channel. However, the method is prone to background noise, can be overheard, and can be spoofed by a recording or deepfake.
Generative AI has accelerated the development of voice cloning technology, which can generate a voice that sounds identical to an authentic voice. While the concept of synthesized voice threatens many spheres of life, in this piece we are focussing specifically on the efficacy of voice biometrics for organizational security (i.e. authenticating or verifying identity remotely).
What is the Difference Between Voice Biometrics and Other Modalities, Such As Face Biometrics?
Each biometric modality uses a different unique trait – such as face, iris, or fingerprint – to identify an individual, and decisions around procuring biometric technology are often use-case driven.
Voice biometrics is not generally used for onboarding new customers, but to authenticate customer service access by returning customers when individuals need help over the phone. Their speech patterns are passively analyzed while they speak. Alternatively, voice biometrics may be deployed within a banking app — the app requests the user to tap a button and say a passphrase in order to gain initial or step-up access to further services.
Face biometric technology, conversely, can be used for both onboarding and ongoing user authentication. One essential differentiator for biometric face verification is that the face can be matched against a government-issued trusted ID document, whereas a voice cannot. Voice biometrics cannot secure the highest risk point in the user journey: onboarding. As such, it provides no defense against the most pervasive and damaging identity fraud types, such as synthetic identity fraud. This limits the use of the technology as it cannot provide the necessary identity assurance.
Even for its intended use-case, the security of voice biometrics has been repeatedly undermined. One paper examining a practical attack on voice authentication systems from the University of Waterloo, Canada, developed a methodology that could bypass security-critical voice authentication in its strictest form with success rates of up to 99%.
This study also discovered that voice authentication systems tend to “mistakenly learn to distinguish between spoofed and bonafide audio based on cues that are easily identifiable” – and thus easily spoofed. And while the threats have rapidly grown and evolved, the technology has stayed much the same.
Given that voice authentication is often employed in high-risk, high-value industries – including private banking and wealth management – the use and security resilience of voice biometrics should be examined. Other mature technologies that can prove adherence to biometric performance benchmarks and demonstrate evaluation by government standards should be favored.
Voice Biometric Case Studies & Contexts
To understand why the effectiveness of voice biometrics is gaining critical attention, let’s take a look at some of the headlines from this year:
- AI fools voice recognition used to verify identity by Centrelink and Australian tax office: demonstrating how voice biometric technology has failed to keep individuals secure in large, national-scale projects.
- Microsoft’s new VALL-E AI can clone your voice from a three-second audio clip: highlighting how the barrier to creating AI-generated voice clones is evaporating, making it effortless for fraudsters to undermine voice biometric security.
- Reporter, Joseph Cox, was able to bypass UK-based Lloyds Bank’s Voice ID programs to access his own bank account: Cox used an AI-powered replica of his own voice to perpetrate the fraud. He could see his own balance, a list of recent transactions, and transfers.
- US Senators write to the Consumer Financial Protection Bureau urging action regarding “the governance of artificial intelligence“: particularly concerning voice cloning and its “alarming application in perpetrating financial scams”. This is not the first time – in May, Senators sent a letter to six of largest banks that offer voice authentication outlining concerns that “AI generated voice clips allow fraudulent actors to break into customers’ accounts”. The fragilities of voice biometrics have caught the attention of government employees and regulators.
Ultimately, this raises questions: does your organization have resilient identity assurance protocols in place? Can your security processes stand up against the evolving threat landscape and the reality of increasingly sophisticated cybercrime technologies?
To help, iProov will be releasing findings, research, comparisons and use case examples of voice biometric technology over the coming months. We’ll examine how it’s been deployed, and offer recommendations based on risk appetite and level of assurance.
For more information on the different biometric face verification technologies on the market, alongside their key differentiators, read our Demystifying Biometric Face Verification ebook here.
If you’re interested in learning more about iProov’s biometric face verification technology – or how to transition from voice to face biometrics – you can contact us or book a demo directly here.
