
My voice is my passport - shawndumas
http://sixcolors.com/post/2015/02/my-voice-is-my-passport/?utm_medium=twitter&utm_source=twitterfeed
======
shawndumas
BTW: His main point is, "the best part is that clearly someone at the vast
institution that is my bank—someone in a position of some authority no less—is
a nerd."

His main point is _not_ that it will be fast/secure/good.

~~~
JoblessWonder
Yeah... I was hoping there were going to be some comments about how other
people loved the movie Sneakers.[1] Sigh.

[1] [https://www.youtube.com/watch?v=G_XRqJV2zdk](https://www.youtube.com/watch?v=G_XRqJV2zdk)

------
rabbyte
Fingerprint, iris, and voice are _identifiers_ not authenticators. Their
perceived security comes from their perceived scarcity and difficulty in
emulating their presence, barriers that are being removed as technology gets
better. In the future the device will know who you are identified as by
detecting these markers but you'll still need to prove you are who you are
presenting yourself to be.

~~~
jakobegger
Fingerprints are still a better authenticator than a 4 digit passcode in
practice. Nothing is infallible, it just needs to be good enough. Biometric
security things can be very good at preventing 99% of the problems with 1% of
the effort.

~~~
LunaSea
Biometrics is horrendous as a single point of identification in security
systems.

Fingerprints and a password, sure, but fingerprints only is the worst idea
possible.

~~~
jakobegger
I disagree. Yes, fingerprints can be faked. But it is _much_ harder to fake a
fingerprint than to discover a passcode of a casual user by just watching them
type it.

I'm absolutely sure that a much smaller percentage of fingerprint protected
phones are accessed by unauthorized persons than passcode or password
protected phones.

~~~
LunaSea
Actually it's not, if you have the physical device you more or less already
cracked the fingerprint scanner.

You could also be compromised by your glass in a bar, a handshake, the door
handle of your car or your house.

Passwords can be changed but you can't change a finger so this sums up why
fingerprints are shit.

~~~
jakobegger
Look at the procedure required to create a fake finger:
[http://istouchidhackedyet.com](http://istouchidhackedyet.com)

Most importantly, it requires a perfect fingerprint image. Random smears from
your phone screen or a glass won't work.

The process is so complicated that only a very small percentage of the
population is able to do it; anyone can peek over your shoulder when you
unlock your phone (which most people will do dozens or hundreds of
times per day).

Last, remember that you only have limited attempts with your fake finger; in
the demonstration video they only show unlocking a freshly trained phone in a
controlled setting, they don't actually unlock a phone "in the wild".

~~~
LunaSea
The process is very easy, I did it multiple times in high school for a
project.

Legally, scanners are only allowed to save a certain amount of key points in
your fingerprint, not the whole fingerprint.

False-positives are thus likely as are fingerprint collisions (like hash
collisions).

And you still can't modify your finger once it has been hacked a SINGLE time.

~~~
jakobegger
Clearly we seem to have a different idea of what constitutes "easy".

I'm not claiming that biometric authentication is a good idea against a
targeted attack.

But I do think that they offer adequate protection against opportunistic
attacks. It prevents random thieves from accessing my data, and it's
convenient enough that people actually use it. It will significantly increase
security on average.

If someone is targeting you specifically, neither a fingerprint nor a (usually
short) passcode is adequate protection.

~~~
LunaSea
But I can change the passcode and even use a longer passphrase if I feel the
need to have a higher security standard.

------
cgy1
Mac OS 9 had a voice login option. In my experience, it did not work very well
because my voice when I first woke up in the morning was very different from
my voice later on during the day, such that my Mac did not recognize my early
morning voice when I tried to log in.

e: and yes, I believe the default phrase for the voice login option was "my
voice is my passport."

~~~
Anechoic
_and yes, I believe the default phrase for the voice login option was "my
voice is my passport."_

It was actually "my voice is my _password_" not "passport."

------
btilly
There is one problem with this approach.

I have a pretty severe cold today. My voice is unrecognizable. But I can still
remember a password.

~~~
zomgbbq
I've used voice authentication with Nuance's SDK before and having a cold or
gaining weight does not affect the verification process. It is based on
acoustic signatures in your voice and not necessarily a precise recreation of
the original recording. This isn't a problem with this approach.

------
psp
Sneakers - one of the best computer movies when I was a kid. I used to watch
it over and over again. Good times. Must go find it somewhere. That movie
probably had an impact on actually getting into the business later on.

~~~
jason_slack
I loved this movie and I still watch it a few times a month as I am working on
other things. Sometimes listening to movies provides me more focus than random
music from my playlists.

~~~
fit2rule
I'm the same way - for me, "Bladerunner", "Barbarella" and "Flash Gordon" are
on auto-repeat as my background noise for serious coding sessions. For some
reason these 3 movies just work so well in that sense ..

/off-topic

------
drKarl
I'm not sure biometric identification is such a great idea... with fingerprint
id, it could make the bad guys have an incentive to chop fingers... Also, a
fingerprint can be acquired in other ways and then replicated synthetically.

In the same fashion, voice identification doesn't seem to be so secure, since
it could also be recorded... and if it were commonly used, there would
probably be enough incentive to build on top of current text-to-speech and
speech synthesizers, to emulate a voice, given enough sample data.

~~~
lighthazard
Also, what are the chances that someone can have a similar pitch/tone/voice as
the password holder? I bet someone with enough incentive could find another
like it.

ie. Google Glass fiasco where you could say, 'OK Google, porn,' behind people
who are wearing Google Glass.

~~~
spb
A couple nights ago, I said "OK Google" and activated the prompt on my
_girlfriend's_ phone, across the room. Voices don't even have to be similar.

~~~
kelnos
Google Now doesn't care who says "OK, Google"; it'll (intentionally, I assume)
allow anyone to say it.

Actual voice identification works in a similar way to how apps like Shazam do:
they build a "fingerprint" of your voice. This is why it still works if you
have a cold, or for some reason the pitch of your voice changes.

------
godber
Of course, just like your fingerprints, your voice is your username and not
your password.

~~~
quonn
Hyperbole. Clearly, it's not a username. Touch ID has improved security for
most users, precisely because it works more like a password than a username.
(We all know it's not as secure as a real password.)

~~~
wvenable
It's just a really long, complex, and hard to copy username. In many cases,
that is much better than a username/password combination. But it's still just
something you are/have and not something you know.

------
drKarl
Also in Uplink
[https://www.youtube.com/watch?v=SoIBS1ffyLc#t=94](https://www.youtube.com/watch?v=SoIBS1ffyLc#t=94)

------
testtest23
This reminds me of a PhoneLosers Podcast where he pulls the exact Sneakers
scheme to get into a Bell Canada account.

[http://www.phonelosers.org/2008/05/pla-radio-episode-17-voic...](http://www.phonelosers.org/2008/05/pla-radio-episode-17-voice-authentication/)

That was in 2008.

------
crashdev
Hmm. This is the same biometric login routine used by USAA for their mobile apps.
Curious to know who actually built it, is it being used under license or is it
delivered as a service. Anyone have info?

~~~
extrapolate
It is the same routine, because he is describing the USAA iPhone mobile app :)

------
StavrosK
Does anyone know of a way to log into Linux with voice authentication? That
could be better than typing my password all the time.

~~~
ryan-c
I don't know of one, but using PAM to add auth methods is actually pretty
easy.

------
ebertx
Verify me.

