By Dan Moren
June 30, 2016 1:46 PM PT
Wish List: Voiceprint passwords
Back when I was in college, I set up my Power Mac G3 so I could log into it with my voice. Being the Sneakers fan that I am to this day, I of course made my passphrase “My voice is my passport, verify me.”
My friends mocked me mercilessly.
But more than fifteen years later, I’m thinking that classic Mac OS feature was way ahead of its time. These days, voice control is everywhere, from Siri and Alexa to the crappy system in my car that I can’t get rid of.
So now that we’re actually using these voice-related features, what about security?
Having all these voice-enabled assistants and interfaces is great, but where it’s not so great is in terms of security and privacy. It’s not too hard to imagine a future where I’ll be able to ask one of these intelligent assistants for, say, the balance of my checking account. Or to re-order my prescriptions. Or to buy me stuff off Amaz—waaaaaaait a second. What happens when someone else issues the same commands? How is a poor intelligent agent to know who to listen to?
Currently, some of these platforms have some meager protection in place. The Amazon Echo, for example, lets you set a four-digit pin that you have to speak in order to confirm purchases. But even in a low-security setting—say your kids want to order a new toy off Amazon—that’s pretty easily broken.
Siri, meanwhile, does have some very basic voiceprint analysis enabled. Starting in iOS 9, you train the Hey Siri feature, and it then responds only to your voice1—though that’s less a security feature than for purposes of convenience, since it means not having your entirely family’s Siris all respond to the same query. It’s easily enough circumvented by simply triggering Siri manually. (Though fortunately, for most things more involved than that, you usually have to unlock your phone.)
Analyzing every single command spoken and comparing it to a voiceprint is probably a bit too demanding for the current state of technology, but perhaps setting a voice password that matches your voiceprint—à la Mac OS 9—might be plausible, for some tasks that need to be authenticated. (For what it’s worth, my bank has already enabled something similar.)
Even at that point, there are still problems: if the password is static, all someone has to do is record you saying your password and play it back…exactly as the crew in Sneakers beats it. And that’s even easier because a) these days everybody has a digital recorder/playback device on their persons and b) if you have to go around saying your password aloud, it’s not like it’s hard to find out.
One solution might be to use the two-factor-type solution: get a code texted to you, then read that code aloud—voiceprint analysis could in theory even be applied to that, if you had, say, read those numbers aloud at some point. From a security standpoint, that seems like it might be better, but then you need to have your phone nearby (or, I suppose, a wearable like the Apple Watch). But more to the point, that just takes all the fun out of things, doesn’t it?
As ever, it’s a push-pull between security and convenience. Biometrics are great in terms of convenience, but given the preponderance of technology at our disposal, they can be pretty easy to spoof. Even so, our voice-based interfaces are only going to be getting more popular, and security is going to increasingly be a concern.
I will say: my girlfriend, who is clearly a super spy, has figured out how to impersonate me well enough to trigger Hey Siri on my phone. I have not been able to do the same for hers. ↩
[If you appreciate articles like this one, help us continue doing Six Colors (and get some fun benefits) by becoming a Six Colors subscriber.]