This post is also available in: heעברית (Hebrew)

Voice authentication is the practice of logging in to a device or service with your voice alone. Talking to electronics has become a popular—even essential—way to command them. In this era of the internet of things, voice assistants connect people to their mobile devices, homes and vehicles. Through spoken interactions, we place calls, send text messages, check email, get travel directions, control appliances, and even access bank accounts.  

But sound is what researchers call an “open channel” that can be easily spoofed by mediocre impersonators and sophisticated hackers alike. A security-token necklace, ear buds or eyeglasses developed at the University of Michigan could eliminate vulnerabilities, according to phys.org.

“Increasingly, voice is being used as a security feature but it actually has huge holes in it,” said Kang Shin, the Kevin and Nancy O’Connor Professor of Computer Science and professor of electrical engineering and computer science at U-M. “If a system is using only your voice signature, it can be very dangerous. We believe you have to have a second channel to authenticate the owner of the voice.”

The solution that Shin and colleagues developed is called VAuth (pronounced vee-auth), and it’s a wearable device that can take the form of a necklace, ear buds or a small attachment to eyeglasses. VAuth continuously registers speech-induced vibrations on the user’s body and pairs them with the sound of that person’s voice to create a unique and secure signature.

The process of speaking creates vibrations that can be detected on the skin of a person’s face, throat or chest. The system works by leveraging the instantaneous consistency between signals from the accelerometer in the wearable security token and the microphone in the electronic device. You can only use voice authentication with your device when you’re wearing the security token.

The team has built a prototype using an off-the-shelf accelerometer, which measures motion, and a Bluetooth transmitter, which sends the vibration signal to the microphone in the user’s device. They’ve also developed matching algorithms and software for Google Now.

That’s a drastic departure from existing voice biometric mechanisms, which require training from each individual who will use them, said Kassem Fawaz, who worked on the project. “In addition, VAuth overcomes a key problem of voice biometrics,” he said. “A voice biometric, similar to a fingerprint, is not easy to keep protected. From a few recordings of the user’s voice, an attacker can impersonate the user by generating a matching ‘voice print.’

“The users can do little to regain their security as they cannot simply change their voice. On the other hand, when losing VAuth for any reason, the user can simply unpair it to prevent an attacker from using their device.”