Say goodbye to the password as you know it

Passwords and PINs are more vulnerable than ever before. A number of recent high-profile security breaches prove the point, including those at Twitter, Evernote and, most infamously, LinkedIn, where 6.5 million user accounts were stolen and placed in the hands of criminals. If these breaches highlight anything, it’s that cyber-attacks are increasing not only in frequency but also in sophistication. Even more importantly, they indicate that while traditional passwords and PINs have served organisations well in the past, they are quickly becoming antiquated in today’s world of connected smart devices and even smarter hackers.

This trend has been reflected in the Deloitte 2013 TMT Predictions report, which marks 2013 as the end of password-only security. The move away from password-only or knowledge-based authentication has brought a greater focus on alternative security measures, with particular attention on voice biometrics. Unlike passwords and PINs, voice biometrics cannot be compromised through hacking. Additionally, it only requires a user’s voice, meaning customers no longer need to remember several password combinations – they simply need to speak a phrase such as ‘my voice is my password’ to gain access to their account easily and securely.

These benefits alongside the decline of passwords have placed greater pressure on organisations to re-evaluate their security. While there are a number of security solutions to consider, the following will argue why voice biometrics will be one of the key methods of authentication in the future, leaving passwords, PINs and security questions in the dust.

The smartphone revolution

The trend away from password or knowledge-based authentication has partly been brought on by the age of the smartphone. As more individuals migrate to mobile experiences, it becomes increasingly apparent that a user name and password system is poorly suited to mobile devices. In fact, recent research conducted by Roy Morgan on behalf of Nuance indicates that the average Australian has up to 20 passwords, and more than 60 percent make mistakes while typing in their password using a mobile phone. Voice biometrics, on the other hand, eliminates the need for awkward passwords as the system is able to identify a user based solely on their voice.

But it’s not only the inconvenience of the password on the smartphone that is calling for change. Customers are increasingly using their phones for high-risk transactions, such as banking or shopping. A recent report by eBay and PayPal found that the value of retail purchases on mobile has increased more than 30-fold in the last two years. With so many Australians completing transactions and carrying increased amounts of sensitive information on their smart devices, the need for a more secure authentication process that is better suited to the smartphone has become paramount.

Organisations are finding that voice biometrics helps address these challenges because it is inherently more secure. A person’s voiceprint is unique, much like a person’s fingerprint. Someone can’t guess your voice, whereas fraudsters can guess a password or PIN. Highlighting this point is a recent report on the top 10,000 passwords, which indicates that close to 8.5 per cent of customers use the passwords ‘password’ or ‘123456’, while a separate study showed that 10.7 per cent of four-digit PINs are “1234”. With voice biometrics, customers can avoid using passwords altogether, ensuring a simpler and more secure authentication process.

The rise of fraud within the call centre

Another trend drawing attention to the limitations of password- and knowledge-based authentication is the rise of fraud in the call centre. Typically, call centres use either PIN credentials or knowledge questions to verify a caller’s identity. In the case of knowledge questions, an agent will ask for information such as the caller’s address, phone number, birth date or mother’s maiden name. If the caller answers correctly, the agent will consider the caller’s identity valid.

However, the vulnerabilities of such systems include database hacking, internet searches for personal information and social engineering. In the last of these, social engineering, a fraudster uses tricks and psychological manipulation to gain sensitive information from a customer service agent. Call centres are particularly vulnerable to this type of attack because, instead of being rewarded for preventing fraud, call centre agents are encouraged to minimise Average Hold Time and deliver a quick and easy customer experience.

As of 2011, about 67 per cent of social engineering attempts at Australian bank call centres were successful. This is because call centre agents often lack the training and incentives to detect social engineering attempts. Additionally, organisations that have required agents to comply with stringent security procedures often see disastrous impacts on customer care. As such, organisations tend to implement security procedures that impose the minimum amount of inconvenience to the caller. However, this creates an important security vulnerability that fraudsters can leverage with increasing frequency.

A benefit of voice biometrics is that voiceprints can be verified quickly during a call to confirm identity and let the caller complete their enquiry or transaction. However, the same technology will also flag if the voice and voiceprint do not match, keeping fraudsters out and ensuring security for customers.  

An improved customer experience

The final key factor influencing this trend is the use of voice biometrics not just for security, but also to provide improved and more personalised experiences for the customer. With voice biometrics, customers no longer need to answer intrusive security questions or remember passwords in order to verify their identity. By simply speaking with an agent, a customer’s voice is verified, making the authentication process quick, secure and transparent. This starts the interaction with the customer off on the right foot, as a conversation as opposed to an interrogation.

Additionally, with the ability to easily and efficiently verify a customer, businesses can create personal experiences through the call centre, mobile apps and even the customer’s own personal devices. Picture a Siri-style customer service app that is able to recognise you by your voice and instantly. 

Michael Steinmann is the director of regional technology at Nuance.


Passwords and PINs per se are no more vulnerable now than they've ever been in the past. Their vulnerabilities rest solely with just how they're used/abused, and whatever improved system is given consumers to protect them from fraudsters, you can rest assured that the fickle former will go all out without any extra effort on their part in avidly attempting to compromise all additional security measures in any way they can. It stands to reason. Easy come, easy go_t at.

As far as thinking that you'll be able to place any trust in: "My voice is my password", it'll soon result being seen of no greater value to anyone at all than that trite and hackneyed statement said by many a person to others when the former[s] attempts duping the latter[s] into totally accepting as gospel when they say: "My word is my b_"on d'it". Yeah right!

Given that voice biometrics but requires the capability to be able to recognize a "user's" voice, all said "user" needs do is bypass the system with the assistance of someone on the "inside" and then their voice will open many doors for them for quite a wile[sic] globally, and as long as they don't over_Do'ppelganger it...they WILL be plain sailing "in" with a ghost of a chance, let me sheet it home to you!

Hi Allan – thanks for the comment and interesting take on the article.
In response to your comment “Passwords and PINs per se are no more vulnerable now than they've ever been in the past”, if you take in isolation a single PIN number, you'd be correct. But unfortunately, as a whole, PINs are now considered poor security devices due to the rapid advances of technology, especially influenced by the internet and mobile phones.
If I had a single PIN/password, kept it a secret, made it hard to remember (e.g. Not "Password") then yes, it would be as secure as they were 20 years ago. But today, most people have to (on average) handle over 60 passwords and numerous PINs. And being human, they do several things that reduce the security of these mechanisms. This includes things like choosing passwords that are easy to remember; using the same password across multiple accounts; and, not regularly changing their passwords. In addition, if personal password lists are stolen or hacked from websites, a lot of the person’s personal accounts will be vulnerable – i.e. like when LivingSocial was hacked and more than 50 million Names, Passwords, Birthdays, Email details were stolen.
A better system is one that utilises the Informational Security system of 3 Factor Authentication.
1) Something you know (Password)
2) Something you have (Credit Card)
3) Something you are (Voice Biometrics)
Instead of relying on just a single PIN or password, each system should choose two to three factors given the risk profile of the transaction. Voice Biometrics is one of the easiest biometric systems to introduce, as no specialised equipment needs to be deployed to collect that from a customer.
We shouldn't rely on just a single factor of authentication. Authentication in this day and age should utilise multiple factors including biometrics. Consumers expect services that not only provide effortless use and are easy to consume, but services that are also secure and can protect their privacy. The actions lie with our banks and other institutions to now ensure that these services are made available to us, and at Nuance, we’re one part of this process.