Voice Biometrics for financial authentication

This will be abused and instead of password dumps we will see attackers trading voice sample dumps and building huge databases of identified voice samples from public documents and places like YouTube.

There are also other issues here that make this a bad choice. There's no plausible deniability if someone didn't want to be coerced into authenticating an attacker. With a PIN you might be able to say you forgot your code; you can't say you forgot your voice.

There's also the inability to protect what is being said from prying ears and recording devices. ATM makers learned this the hard way with ATMs, and now we have shielding to help hide what numbers are being pressed. Similar attacks to ones that already exist will occur.

Finally, is it too far-fetched for an attacker to have a large enough sample of someone's voice to have some software capable of saying whatever you want them to say in their own voice?

I think the technology could still take off simply because of a cool factor or because a big enough company forces it, but I'm not convinced this is the best security control for the task at hand and I share your concern.


This keeps popping up every year as the next big thing.

2016: Citi

2015: ING

2013: Barclays

This 2014 paper, "Automatic speech recognition for under-resourced languages: A survey" (Speech Communication), by Besacier, L., Barnard, E., Karpov, A., & Schultz, T. (not open access), discusses the state of the art of speaker recognition technologies. The survey concludes that evaluation metrics are still not robust enough, while acknowledging the vulnerabilities and the likelihood of an arms race. Nothing in this paper indicates readiness for large-scale adoption.

This community already has plenty of posts warning about the promises and risks of biometrics (see here), especially because of non-revocability.

People's voice is public, which means it is easy to record/process/reproduce, so how can that system be more secure than answering the usual security secret questions?

Despite all of those warnings, I must admit that the survey shows speaker recognition systems with built-in countermeasures that have extremely low FAR/FRR (False Accept / Reject Rates) even when faced with noise, impersonation, recorded playback, etc.

On the other hand, answers to security questions are hardly secret, easily social engineered, and rarely provide adequate security (remember this?).

So it does seem plausible that voice will replace "security questions", at least as a backup authentication system for interacting with support. The bottleneck has largely been privacy concerns for a while now. If it does take off, it is because the current auth system for support interactions has a human in the loop and is easier to fool, whereas this is cheaper and systematic.

I have my own concerns about whether this widespread adoption of biometrics can truly scale, but it does seem inevitable.


"Username" vs password

Biometrics is uniquely tied to you, but possible to copy/fake, likely to be given out inadvertently (when you don't intend to authenticate anything) and nearly impossible to change. This means that biometrics, including voice, is a great replacement for factors such as usernames or customer IDs, but still would require an additional confirmation factor such as 'something you know' or 'something you have'.

In comparison with the rather common practice of needing two things to log in - your email address as user ID and a password that's usually short, simple and likely crackable - replacing it with email+voice would change the risks but IMHO make them slightly worse, but replacing it with voice+password (even if the password is just as bad as before) would be a big improvement.

For financial authentication, a good rule of thumb is to ask "Would the customer's parents, children or spouse be able to satisfy these criteria?" - if yes, then these criteria are not sufficient for financial authentication. Voice biometrics alone obviously fail this test, since they are trivial for any family member to record.