Cybercrime: Is it Worth Eradicating the Humble Password?
Cybercrime: Is it Worth Eradicating the Humble Password?Reuters

The impact of cybercrime has rocked companies' systems over the last two decades and has cost firms billions of dollars in losses after being hacked.

So, IBTimes UK caught up with tech group Nuance's director product management, Seb Reeve, at Nuance Communications who believes that now is the time to rethink the strategy towards cyber security and banish traditional passwords, in order to protect individuals and organisations in a better way.

Q: With the increase in cybercrime, shall we get rid of passwords?

A: Cybercrime costs as around £350bn (€436bn, $582bn) a year and remains a growth industry with attacks on banks, retailers and energy companies that will worsen, according to a report published in June by the Washington-based Center for Strategic and International Studies.

Passwords, as this story and the myriad of previous breaches demonstrates, are a weak authentication process and it is our view that enterprises should replace them with more secure alternatives.

These alternatives need to reduce the effort for the consumer to validate their identity – some of the key weaknesses in passwords are caused by consumers trying to ease the burden of password management (e.g. choosing the same password for all of their sites).

As such, any alternative that does not address the consumer experience issue will be subject to the same problems as we are experiencing with passwords. A great example of this are one-time-password (OTP) tokens. In theory these are more secure, but because they are inconvenient to the end-user, their security value is minimised.

It is important to state that the responsibility of addressing this issue lies with the enterprise, and not with the consumer. Customers cannot be expected to follow high-effort security practices such as changing all of their passwords each time there is a breach and choosing different passwords for each site they use.

Q: But with voice recognition, what room for error is there? Surely if you have a cold or something like that, it would affect the outcome?

A: As with any authentication technology, voice biometrics is not infallible.

However, the key security benefit of voice biometrics is that it is immune to large scale security breaches as we see continuously with passwords. Real-world deployments have shown that authentication success rates tend to be in the high nineties (e.g. 95% to 99%) despite all of the environmental and personal conditions that exist in everyday life such as noise and illness. These success rates are far higher than alternative technologies.

As an example, 74%of all consumers have to reset a password on average once a month. Constantly having to change and remember a new password will no doubt weaken its validity- this type of inconsistency does not apply to voice authentication.

Q: How would it apply to identifying customers? Would they have to verbally give a password? What stops someone using a voice recording?

A: A typical use-case would involve a consumer speaking a passphrase, such as "My voice is my password".

The passphrase itself is not a password.

Typically all consumers using a service would speak the same passphrase and then voice biometrics analyses how a person speaks, rather than what they say.

Reuters

We are typically asked whether this technology is open to manipulation, specifically if voice recordings or impersonators can by-pass the system. Nuance has a number of algorithms to detect recordings and with over 300 organisations using voice biometrics, including over 50 banks, not a single case of fraud has been caused by a recording attack.

Q: In light of the raft of financial scandals out there, does voice recognition help in terms of monitoring and tackling individuals colluding with each other?

A: Nuance's voice biometrics solutions are used effectively by law enforcement agencies to assist with investigations and to support the prosecution and defence of individuals in court.

It has proven to be a powerful tool for both investigators and forensic examiners to assist them with their work by allow officials to spend more time focusing their energies on what they do best – preventing and prosecuting criminal activity.

Just as importantly, the same technologies will ensure that innocent people are effectively cleared of wrongdoing through empirical and accurate analysis of voice evidence.

Q: What types of clients have started to adopt all of these?

A: Financial institutions have been the first adopters of voice biometrics, but telecom, insurance and government organisations have also deployed voice biometrics. The latest statistics from Nuance found that the number of consumers who have enrolled voiceprints with banks, mobile payments providers and other organisations has tripled, from 10 million to 30 million.

In the UK, Barclays Investment and Wealth deployed a passive voice biometrics solution to verify a caller's identity. It has received phenomenal success from a customer service perspective.

Europol Warns Increased Threat As Internet Grows
Europol's headquarters where Troels Oerting runs the European Cybercrime Centre, which is trying to tackle online crime across the European Union.Europol

Other organisations using voice biometrics include Banco Santander Mexico, Turkcell, Vanguard, Tatra Bank, US Bank and Eastern Bank.

Q: Is it expensive and how realistic is it that passwords will become extinct?

A: Due to the increased authentication success rate that voice biometrics provides over alternatives such as password, PINs and security questions, organisations that deploy voice biometrics tend to save more money in reduced operational expenses than it costs to deploy the technology.

As such, there is a strong financial incentive to do so.

From our standpoint, passwords are unlikely to become extinct in the near future due to their prevalence.

However, certain use-cases, such as authenticating apps on a SmartPhone or validating your identity in a contact centre, passwords, PINs and security questions are already on the path of extinction.