August 15 2023
Biometric technologies have become ubiquitous in today’s digital-first world, revolutionizing the way we authenticate and verify identity remotely. There are a variety of biometric modalities that organizations are using to confirm the identity of their users.
One popular option has been voice biometrics, which has gained significant traction in the private banking and wealth management sectors. The technology has been adopted to make customer authentication faster and more secure. The working principle behind voice biometrics is that people carry their voice with them at all times, and that each voice should “belong” to only one individual.
However, voice biometric technology has been making headlines recently, gaining a reputation for being among the “easiest of biometrics to clone”. Synthetic “voice cloning” technology in particular has become a preeminent risk, as the tools used to realistically mimic voices grow more accessible by the day. A high-quality synthetic voice sample can easily fool the human ear, with MIT and Google reporting that a minute of voice data is all that’s needed to create convincing, human-quality audio.
Cloning is not the only weakness, however; there are also concerns about the identity assurance, performance, and accessibility that voice biometrics can provide.
This blog is the first part of a series on voice biometrics. The series will detail the performance and effectiveness of voice biometrics, the development of AI-generated synthetic voice technology, and the potential for stronger security using biometric face verification. In this article, we’ll examine whether voice biometrics should still play a role in financial transactions.
Voice biometric technology measures the physical and behavioral markers in an individual’s speech to confirm their identity. The technology works by comparing features in a given audio sample (or live audio feed) against a template “voiceprint” derived from previous recordings.
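At a high level, that comparison step can be sketched as a similarity check between two feature vectors. The sketch below is a minimal illustration, not any vendor’s actual implementation: it assumes the raw audio has already been converted into a fixed-length embedding by a speaker-encoder model, and the function names and acceptance threshold are purely hypothetical.

```python
import math

def cosine_similarity(a, b):
    """Measure how closely two feature vectors point in the same direction (1.0 = identical)."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(x * x for x in b))
    return dot / (norm_a * norm_b)

def verify_speaker(sample_embedding, enrolled_voiceprint, threshold=0.8):
    """Accept the caller only if the live sample is close enough to the enrolled voiceprint.

    The threshold trades off false accepts against false rejects; 0.8 is
    an arbitrary placeholder, not a recommended operating point.
    """
    score = cosine_similarity(sample_embedding, enrolled_voiceprint)
    return score >= threshold
```

Real systems layer liveness and anti-spoofing checks on top of this matching step; the similarity comparison alone is exactly what a high-quality voice clone is designed to defeat.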
With the dramatic rise of digital banking, voice biometrics has become a popular form of authentication for financial institutions. Customer service calls have traditionally played an important role in the banking experience, and voice biometrics allows customers to be authenticated within the same communication channel. However, the method is susceptible to background noise, can be overheard, and can be spoofed by a recording or deepfake.
Generative AI has accelerated the development of voice cloning technology, which can generate a voice that sounds identical to an authentic one. While synthesized voice threatens many spheres of life, in this piece we are focusing specifically on the efficacy of voice biometrics for organizational security (i.e., authenticating or verifying identity remotely).
Each biometric modality uses a different unique trait – such as face, iris, or fingerprint – to identify an individual, and decisions around procuring biometric technology are often use-case driven.
Voice biometrics is not generally used for onboarding new customers, but for authenticating returning customers who need help over the phone; their speech patterns are passively analyzed while they speak. Alternatively, voice biometrics may be deployed within a banking app, where the app prompts the user to tap a button and say a passphrase to gain initial or step-up access to further services.
Face biometric technology, conversely, can be used for both onboarding and ongoing user authentication. One essential differentiator for biometric face verification is that the face can be matched against a government-issued trusted ID document, whereas a voice cannot. Voice biometrics cannot secure the highest risk point in the user journey: onboarding. As such, it provides no defense against the most pervasive and damaging identity fraud types, such as synthetic identity fraud. This limits the use of the technology as it cannot provide the necessary identity assurance.
Even for its intended use-case, the security of voice biometrics has been repeatedly undermined. Researchers at the University of Waterloo, Canada, examining a practical attack on voice authentication systems, developed a methodology that could bypass security-critical voice authentication in its strictest form with success rates of up to 99%.
This study also discovered that voice authentication systems tend to “mistakenly learn to distinguish between spoofed and bonafide audio based on cues that are easily identifiable” – and thus easily spoofed. And while the threats have rapidly grown and evolved, the technology has stayed much the same.
Given that voice authentication is often employed in high-risk, high-value industries – including private banking and wealth management – the use and security resilience of voice biometrics should be examined. Other mature technologies that can prove adherence to biometric performance benchmarks and demonstrate evaluation by government standards should be favored.
To understand why the effectiveness of voice biometrics is gaining critical attention, let’s take a look at some of the headlines from this year:
Ultimately, this raises questions: does your organization have resilient identity assurance protocols in place? Can your security processes stand up against the evolving threat landscape and the reality of increasingly sophisticated cybercrime technologies?
To help, iProov will be releasing findings, research, comparisons and use case examples of voice biometric technology over the coming months. We’ll examine how it’s been deployed, and offer recommendations based on risk appetite and level of assurance.
For more information on the different biometric face verification technologies on the market, alongside their key differentiators, read our Demystifying Biometric Face Verification ebook here.