As we often mention on Mobile ID World: voice biometrics are at home on the smartphone. The device is a phone, after all, a technology meant to transmit speech, so a voice based authentication solution is natural.
AGNITiO, a member of the FIDO Alliance, is a company that has embraced this fully, offering its Voice iD biometric solutions to enhance all things mobile: from mCommerce to logical access control and BYOD. Peter O’Neill, president of Mobile ID World (MIDW), had a chance to speak with Emilio Martinez, CEO of AGNITiO on the current state of the mobile biometrics landscape, protecting against spoofing and the place for voice recognition in multi-factor authentication.
MIDW: What key trends are you seeing in the biometric industry, but especially in the world of mobility?
AGNITiO: You know Peter, I believe one of the key trends is the merging of two issues in the authentication marketplace. On one side you need simpler and stronger authentication when you are using mobile phones. You need to provide the same user experience that people are used to with different apps while offering strong authentication. You cannot make them use long passwords with symbols and keywords. People want to have a simpler way to authenticate, and it has to be strong. That is one trend that is a problem, but we also have a solution. Mobile devices are getting more and more features and have sensors that are able to capture different biometric characteristics of the user. For example, fingerprints, and there will be more to come. There will be picture ID, voice ID and other biometrics in the device. This will generate a device-centric authentication trend, where people will be able to access their personal accounts, like shopping or banking, in a simple way and with very strong authentication. Simple security is a very important trend for biometrics in mobility.
MIDW: Where does AGNITiO fit into all of this? Can you describe some recent developments within your company?
AGNITiO: AGNITiO is the Voice iD company. Of all those sensors, of all those capabilities that are going to be available in mobile devices, voice is a common characteristic. We generate secure Voice iD. And why can AGNITiO do that? We have extensive experience providing the most secure Voice iD technology to governments all over the world. It is being used in law enforcement in many countries and is used as evidence in court. So we believe we are in a very good position to provide the best secure Voice iD technology to satisfy this trend. I am a firm believer in multi-factor authentication. At the end of the day, it will be for security reasons that people will need two and three factor authentication to increase security, but also for convenience as people would like to have a choice of which biometric they would like to use in a particular situation and circumstance. Choice is important. So I believe that biometric multi-factor authentication will be the key, and we will provide Voice iD.
MIDW: What differentiates your technology from others in the marketplace and even other speech technology companies? What makes your technology special?
AGNITiO: First of all, AGNITiO Voice iD is a real biometric technology. It is not a behavioral technology. We don’t identify people based on how they speak, we don’t use phonetics, we don’t use language. We use real biometric technology which is linked to the fixed part of your vocal tract and it doesn’t matter which language you use. It doesn’t matter what you say, we are able to know who you are, because we are able to produce a voiceprint that is unique to you. This is one key aspect that differentiates us from many companies in the speech technology world, as they try to identify people based on how they speak. We are completely language independent. The other key differentiator is security. We come from that world, security is a key part of our technology. And security has at least three different aspects – accuracy, spoofing and hacking.
Accuracy. We have very accurate technology. It is being used in the most challenging environments: in court trials, military and law enforcement. So it is highly accurate, but I don’t want to elaborate on accuracy, because that is probably the only thing people talk about.
Spoofing. Even if you have a very accurate technology, if somebody is able to make a recording of your voice and the system is not able to distinguish a recording from the real person, then it doesn’t matter how accurate the system is. In my opinion the voice biometric industry today is extremely weak in protecting against spoofing. I am a very strong proponent of serious third party testing on spoofing for voice technology. As fingerprint industry has been doing for many years, we need testers that will try to spoof various systems to teach us how we can protect against spoofing attacks. There is nothing that is one hundred percent secure, but I believe that AGNITiO has one of the most protected technologies in terms of spoofing. We don’t try to do random numbers as that is easy to spoof. We don’t use random text that people have to read, because that too is easy to spoof. We have a technology that is actually able to distinguish between a recording and a real live person, so it is very secure in terms of spoofing.
Hacking. As we go into mobility, we are going to put our technology into mobile phones. Biometric templates will be stored there. The majority of matching calculations will be done in the mobile phone itself. If there is a way someone can hack into the device and extract and replace the template, or subvert the matching process changing a “yes” for a “no”; or interrupt the communication between the biometric engine and the application in the device, then it doesn’t matter how accurate or spoof-protected the system is. The hacker will be able to do whatever they want in your mobile phone. We are in the FIDO Alliance which provides a very good protection framework using an encrypted communication protocol. As you know, we have a FIDO Ready prototype that we have demonstrated at CES in Las Vegas earlier this year. There are multiple ways in which we are planning to protect the template and the matching process in the device. So I believe, essentially, the difference is that AGNITiO provides the most secure Voice iD for simple and strong authentication.
MIDW: When you talk about spoofing , there has been a lot of news written about the Apple launch and the Galaxy S5. Won’t multi-factor authentication go a long way to help the spoofing scenario out there these days?
AGNITiO: Definitely yes. Multi-factor is the way to go but first of all it is necessary to make a few comments. These two attacks you mentioned, it is actually same type of attack on both the Apple and Samsung Galaxy. It is a typical spoofing attack. It is not hacking – they were not able to get access to the template, which was very well protected and encrypted in both cases. They were not able to tamper with the matching process. What they have done is simulate a fingerprint in a laboratory controlled environment. That is one of the ways the fingerprint industry knows that it can be done, but it is extremely difficult and has to be done one by one! It is important to stress that those examples are not hacking. With voice they would have to take a recording of your voice in a very sophisticated environment in a laboratory in order to simulate the real live voice of a person. And, as I described earlier, we are very well protected against that type of attack.
There is another interesting topic here. In the FIDO Alliance paradigm, user credentials are stored on and never leave the individual devices, and it is only the public keys that are stored in the databases of the reliant parties, such as PayPal, Amazon, or a bank. In this scenario, a hacker would have to target user devices one by one. A hacker would actually need to do three things at the same time. First, he would have to obtain a laboratory quality copy of the user’s voice or fingerprint. Second, he would have to steal the device, because as you know, the authentication is linked to a protected and encrypted template within the device. Third, he would have to do the whole thing before the user realizes the device has been stolen, because the user can always revoke the mobile phone. The user can report that the mobile phone has been stolen, and the FIDO public-private key pairing between the mobile phone and the vendor’s server, can be easily revoked.
So those three things are extremely difficult to do. In addition, such attack is not scalable. It has to be done one mobile phone at a time. That is much more difficult for the hacking community than being able to get into a central database of passwords for a million customers to steal and distribute or sell them on the internet. The FIDO paradigm is protecting users against those types of scalable attacks and is creating a scenario where the attackers have to go one by one and spend a lot of money and to be able to do this before it is revoked by the mobile phone user. I don’t think it is a situation that we need to be alarmed about but we need to understand it and protect against spoofing. With the FIDO paradigm, we will be protected much better than with a four digit PIN.
MIDW: I agree with you Emilio, it makes for good sensational news, but it is not really something that will be feasible for anyone to actually consider. It gets picked up by media outlets that are not all that familiar with the industry or the reality of the situation.
AGNITiO: I agree with you, but that type of news sells and it sells a lot.
MIDW: There is so much going on in our industry today. If you were to look twelve months down the road, what do you think will be happening?
AGNITiO: I think there will be more and more biometrics in mobile phones, tablets and devices. Independently of what people are reading in the news regarding fingerprint spoofing, consumers are starting to get used to biometrics, with offerings from Apple first and now Samsung. There will be more biometric factors that will be coming to devices, and Voice iD will be one of them. Think about one thing, Galaxy S5 is the first device on the market with the FIDO client, and any FIDO certified or FIDO Ready authenticator will be able to connect to it. We have a prototype of course, and we have been showing it in different situations to different vendors and customers. We will soon have a product. I am sure other biometric vendors in other areas will also start providing authenticators that will be tested and used by customers in these devices. I think the only thing we can expect in the next year or so is more biometrics in devices. I think most of those will be affiliated with the FIDO Alliance, but some may go in different directions. Multi-factor will be there definitely for the convenience and the security. This trend will be unstoppable once people get used to using their voice or fingerprint or anything else to unlock or make transactions with a mobile phone. It will be very difficult to go backwards to a password with 12 letters and symbols that has to be changed every month. That is what we are going to see in the next twelve months in my opinion.
MIDW: I couldn’t agree more Emilio, there is such frustration with the whole password situation out there. End users are totally lost and when you think about convenience of voice, fingerprint, facial, iris …they are so easy to use that I think you are correct with your prediction over the next twelve months. It is going to be an exciting time.
AGNITiO: There is something I would like to bring up that we have to be ready for in the voice biometrics industry. One of the worst things that can happen in the industry is if a weak technology comes out from a vendor that is easy to be spoofed or tampered or hacked, because the vendor has not gone through proper evaluations and testing and architectural redesign of the voice biometric engine. It could create a feeling in the user community that voice is a weak technology. I’m very concerned about that. I talked about it at the Voice Biometrics Conference last year in San Francisco, and I will continue to talk about that this year.
The voice biometrics industry has to take spoofing and hacking attacks seriously. We have been very thorough in terms of testing for accuracy, but we really have to work on spoofing and security. We cannot afford the feeling in the consumers’ mind that you can just take a recording of someone’s voice and easily spoof the technology. Or that someone can hack a mobile phone and replace the biometric template. The technology we have today is able to protect against all of those things. Sometimes I am really afraid when I hear people saying, “You know, this is protected because we have proof of life,” and I know it won’t pass a very simple spoofing test by a university student, not even a big laboratory. I believe that we have to protect against this scenario. The fingerprint industry has gone through many years of protecting themselves against normal simple spoofing techniques. That is why you need to go through laboratory testing to do this, and it is very complicated. They have been protecting themselves against the simple spoofing. In voice biometrics we at AGNITiO are protected, but I am concerned that if we as an industry don’t start moving towards some sort of third-party testing, this can be a problem. That is my feeling.
MIDW: Does NIST do any kind of voice testing?
AGNITiO: I don’t know of any testing for spoofing by a third party. There is a lot of testing for accuracy. You know, false acceptance, false rejection rates. There are many tests done by NIST, but if you think about spoofing – how you can spoof with a recording and gain access into a system – there are only two of our customers that have done that, the others didn’t even try. We have tried with many of the technologies out there and we have been able to spoof them easily. So we believe we need to have some kind of third party spoofing test that can be trusted – voluntary of course, and if you want the results can be private so that nobody can learn how to spoof the technology. We need to do something as an industry so we can be protected against this.
MIDW: I want to thank you very much Emilio. It is always such a pleasure to speak with one of the leaders in the voice area and I always appreciate your comments.
AGNITiO: Thank you very much Peter.