
“My voice is my password.” Passphrases that use biometric voice recognition to verify it’s really you are becoming increasingly popular. But their increasing use carries a risk: someone with a recording of your voice could easily splice the right spoken words together and spoof their way into your digital life. Now a new technology detects such shenanigans – using sonar.
Even as biometrics are replacing passwords, voice recognition is becoming more vulnerable to spoofing. Fuelling this risk, says security engineer Jie Yang at the Florida State University in Tallahassee, is the way people now post so much audio and video on social media. “This makes it relatively easy to obtain voice samples from a target,” he says.
So Yang and his colleagues devised a technology that detects and defeats such misuse of recordings. VoiceGesture is able to not only recognise that a passphrase carries the authentic voiceprint of its legitimate user, but also that it is being spoken by an actual person – rather than being played back from another phone’s voice recording app, say.
Advertisement
To do this, the team have turned a phone into a sonar – a sound-based radar. At the moment a user sets their passphrase, the VoiceGesture app emits a barely audible, high pitched 20 kilohertz acoustic signal from the phone’s loudspeaker. This signal bounces off the user’s moving jaw, lips and tongue as they speak – and the signal received by the phone’s microphone in return then contains components that have been uniquely set by the movement of those anatomically-distinct facial features.
Real authentication
Features that create the biggest doppler changes are lip protrusion, lip closure, tongue tip/body constriction – and jaw angle. The resulting mouthpart doppler signature is used to authenticate you and your passphrase simultaneously. Unveiling the technology at the in Dallas, Texas, in early November, Yang’s team said the system is 99 per cent accurate at detecting and blocking voice spoof attacks.
Google is currently reviewing the technology for its Android ecosystem, which already allows a “trusted voice” to unlock phones. “We hope to hear in early February,” Yang says. They also plan to expand the antispoofing technology’s applications to voice assistants, like the Amazon Echo and Google Home.
There’s a pressing need for this, says Nicholas Evans, a biometrics specialist at EURECOM, France. “While the adoption of speaker authentication technology is accelerating, it’s fair to say that concerns surrounding vulnerabilities to spoofing continue to dent confidence.”
Over the past two years, a rising number of attacks on biometrics has motivated a growing community of researchers to develop countermeasures. “The current techniques will never be able to detect every attack all the time,” says Evans. “Novel alternatives such as VoiceGesture are an essential addition to the anti-spoofing landscape.”