Is Voice Authentication Secure? Nope!
University of Waterloo computer scientists identified a method of attack that successfully bypasses voice authentication security systems with up to a 99% success rate in just six attempts. Here’s why you should keep your passwords…
Voice authentication – which identifies users via a supposedly unique “voiceprint” – is used in remote banking, call centers, and other security-critical scenarios.
When setting up voice authentication, the user repeats a certain phrase in their own voice. The system extracts a unique voiceprint and stores it on a server.
When you attempt to log in and authenticate, you say a different phrase, and the features extracted from it are compared to the voiceprint you have saved in the system; a match enables access.
Once voice authentication was introduced, malicious actors emerged from the proverbial woodwork to attack it. They found they could use machine learning-enabled “deepfake” software to generate convincing copies of a victim’s voice using as little as five minutes of recorded audio. Developers then introduced “spoofing countermeasures” that examine a speech sample and determine whether a human or a machine created it.
However, Waterloo researchers developed a method to evade spoofing countermeasures and fool most voice authentication systems within six attempts. They identified the markers in deepfake audio that betray it as computer-generated and wrote a program that removes those markers, making the audio indistinguishable from authentic audio.
In tests against Amazon Connect’s voice authentication system, they achieved a 10% success rate in one four-second attack, and the rate rose to over 40% in less than thirty seconds. Against the less sophisticated voice authentication systems, they achieved a 99% success rate after six attempts.
The research, “Breaking Security-Critical Voice Authentication,” was published in the proceedings of the 44th IEEE Symposium on Security and Privacy.