As computing power increases and bad guys are looking for ways to steal things like usernames and passwords, it’s natural that the technology industry has been looking for new ways to make it more difficult for unwanted parties to gain access to information and resources (such as personal finances).
Today, Citibank made an announcement that it will roll out voice biometrics over the next few months to a select group of customers for its telephone-based services. For the non-technical, this means that Citibank will capture a voiceprint for each customer that can uniquely and reliably identify one person from another (even identical twins in most cases).
So why is biometrics a great solution in multi-factor authentication?
Authentication that relies on “something you have” (like a username or password) can be considered weak as people can either guess or steal it without providing some sort of proof that they are genuinely you. Whilst stronger passwords may go some way to prevent casual or brute force guesses, authentication methods that rely solely on usernames and passwords are susceptible to these sorts of attacks.
Multi-factor authentication introduces an additional means by which to prove your identity such as “something you own” and you may already be using something along these lines. For instance, many corporate VPNs provide a security token to its staff to use in conjunction with a username and a password. Unless an attacker has physical access to the token the chances of being able to break in are greatly diminished but not completely eliminated (as the chance for guessing the hash on the token correctly as well as the username and password still exists – albeit slim).
This is where authentication against “something you are” or biometrics comes in.
Things like a voiceprint and fingerprints go some way to prevent impersonation as an attacker can’t “guess them”. Either a person has exactly what is being sought for successful authentication or they don’t possess the correct input. For all but the most determined hackers and criminals, this significantly increases your security.
However, whilst guessing is out of the picture, emulation is another issue altogether. For example, a voiceprint could be provided by means of a high quality audio recording of the targeted individual covertly captured at a prior time. In terms of fingerprints, play dough and cadaver fingers have been proven to work with a success rate of up to 90% on basic readers that don’t pay attention to other qualities of the provided input (such as moisture patterns, temperature, etc).
By no means is biometric security a silver bullet but when used in conjunction with other means of authentication, such as a username or password or more modern methods such as security tokens, it does up the ante against traditional attacks that aren’t expecting anything more than the basics.