
Voice Liveness Challenge

用户6026865
Published 2022-09-02 15:24:22

While use of an active challenge/response paradigm to confirm liveness of the subject in a biometric authentication system can greatly strengthen security, it also carries with it an added burden on the user. Requesting the user to perform specific extra actions can increase the time to authenticate, increase the likelihood of user error, and lead to missed detections.

Ultimately this can prevent adoption of the technology. As a result, the TrulySecure Voice Liveness Challenge has been designed specifically with a balance of ease of use and security in mind. It is robust and highly intuitive, while keeping the enroll and authentication processes relatively quick. It also offers implementation flexibility in the balance of ease of use and security for a given application.

TrulySecure Voice Liveness Challenge

After verifying the user’s passphrase during an authentication attempt, the TrulySecure Voice Liveness Challenge then prompts the user to sequentially speak a short set of two-digit numbers. These numbers are randomly chosen from a set that was previously enrolled by the user.

In order to minimize the time required for the initial enrollment process, this set of enrolled numbers is augmented over time using utterances recorded during the authentication attempts. As described below, the liveness challenge can potentially be configured in various ways to optimize the system for security and ease-of-use.

This system design has a number of significant advantages over other voice liveness challenge options, which are also described below.

Enrollment - The enrollment process consists of first enrolling the user’s passphrase as is currently done in TrulySecure, with the user repeating the passphrase three times. The user is then asked to enroll three two-digit numbers, each one done using the same process that was used to enroll the passphrase. These numbers are chosen randomly by the system.

Authentication - When the user attempts to authenticate, the system first prompts for his/her passphrase. The system then presents the user with a sequence of three two-digit numbers. Two of the numbers are chosen randomly from the set of enrolled numbers, which thus constitutes the liveness test.

Augmentation - The third number presented to the user is randomly chosen by the system from the set of unenrolled numbers; the audio captured from the third number is then used to add that number to the enrolled set for future use as a liveness test.

Enrollment

● User is prompted to repeat a passphrase of his/her choosing (such as “My Voice Is My Password”) three times

● User is prompted to enroll three two-digit numbers:

○ System displays “27” and the user says “twenty-seven” (this is done three times to complete enrollment of that number)

○ System displays “84” and the user says “eighty-four” (this is done three times to complete enrollment of that number)

○ System displays “67” and the user says “sixty-seven” (this is done three times to complete enrollment of that number)

Authentication

● User says user-defined passphrase (e.g., “My Voice Is My Password”)

● User is randomly prompted to say two of the two-digit numbers that were enrolled, plus a third two-digit number that is not enrolled (the order may vary)

○ System displays “67” and the user says “sixty-seven”

○ System displays “84” and the user says “eighty-four”

○ System displays “53” and the user says “fifty-three”

● If the utterances of the user’s passphrase and the two enrolled numbers pass the system’s speaker verification test when compared to the corresponding enrollments, the user is authenticated

Augmentation

● The audio for the unenrolled two-digit number (“fifty-three” in this case) is saved for future enrollment; once the user has spoken that number three times, the system enrolls it and adds it to the list from which future liveness prompts can be chosen
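
The enrollment, authentication and augmentation steps above, sketched as an added example (not code from the original article or from TrulySecure). The class and method names, and the rule that augmentation audio is kept only from attempts that authenticated, are assumptions; speaker verification is treated as an external step whose per-prompt verdicts are passed in.

```python
import secrets

POOL = range(10, 100)          # the 90 two-digit prompts (10 to 99)
UTTERANCES_TO_ENROLL = 3       # a number becomes enrolled after three utterances
_rng = secrets.SystemRandom()  # CSPRNG, so prompts cannot be predicted


class LivenessState:
    """Per-user prompt bookkeeping (hypothetical names). Speaker verification
    is external; its per-prompt verdicts are passed in to finish()."""

    def __init__(self, enrolled=()):
        self.enrolled = set(enrolled)
        self.pending = {}      # unenrolled number -> utterances saved so far

    def new_challenge(self, n_live=2):
        # Liveness prompts come only from the enrolled set; with a
        # passphrase-only enrollment there are none yet.
        live = _rng.sample(sorted(self.enrolled), min(n_live, len(self.enrolled)))
        unenrolled = [n for n in POOL if n not in self.enrolled]
        augment = _rng.choice(unenrolled) if unenrolled else None
        prompts = live + ([augment] if augment is not None else [])
        _rng.shuffle(prompts)  # "the order may vary"
        return {"prompts": prompts, "live": set(live), "augment": augment}

    def finish(self, challenge, passphrase_ok, verified):
        """verified: prompted numbers whose audio passed speaker verification.
        Returns True when the attempt authenticates."""
        ok = passphrase_ok and challenge["live"] <= set(verified)
        aug = challenge["augment"]
        # Assumption (not stated on the page): keep augmentation audio only
        # from attempts that authenticated, so a failed or spoofed attempt
        # cannot add its own voice to the enrolled set.
        if ok and aug is not None:
            self.pending[aug] = self.pending.get(aug, 0) + 1
            if self.pending[aug] >= UTTERANCES_TO_ENROLL:
                del self.pending[aug]
                self.enrolled.add(aug)
        return ok


if __name__ == "__main__":
    state = LivenessState(enrolled={27, 84, 67})  # numbers used on the page
    for attempt in range(1, 6):
        ch = state.new_challenge()
        ok = state.finish(ch, passphrase_ok=True, verified=ch["live"])
        print(attempt, ch["prompts"], ok, sorted(state.enrolled))
```
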

Benefits

Two-digit numbers were specifically chosen as the prompted liveness passphrases for the TrulySecure Voice Liveness Challenge because they offer a number of key advantages:

● They are nearly universal symbols, recognized around the world by speakers of many languages. The corresponding number can be spoken with any accent, without degrading performance, because the underlying verification is language-independent.

For that matter, they can be spoken in any language (e.g., “vingt-sept” in French rather than “twenty-seven”), without any changes to the system. As a result, there is no need for localization of the user interface, which makes the app much easier to maintain (there are fewer versions to manage, and less testing is required for each release). Further, there is no need for language-specific voice models (which themselves require significant data collection and tuning work for each language supported), making the download package smaller.

● They have multiple syllables: longer passphrases have better accuracy, and single-syllable passphrases (as would be the case for some single-digit numbers) are particularly challenging to use.

● They facilitate development of a large enrolled set from which to choose the liveness prompts (for the set of two-digit numbers 10 to 99, there are 90 possibilities).

● They allow the system to be scalable to any desired security:

○ More two-digit numbers can be required at enrollment in order to maximize initial security (at the expense of a longer enrollment process)

○ More two-digit numbers can be required at authentication

○ Using numbers also allows for even larger overall number sets; for example, it could include three-digit numbers or higher

Liveness challenges in existing biometric systems are sometimes based on single digits. Part of the appeal of single digits is that they are similarly universal to two-digit numbers, and they offer a somewhat parallel experience to text-based one-time passwords, with which consumers are already familiar.

A single-digit-based liveness check, for example, might require the user to enroll by speaking the full string of single-digit numbers a few times, and then authenticate by speaking a shorter string of digits (e.g., during authentication, displaying “17945”, to which the user is expected to say “one seven nine four five” if he/she is speaking English). There are, however, some key disadvantages to this method:

● It requires language-specific parsing of the utterance to parse each individual digit during enrollment and authentication. If the user has a strong accent, the parsing will be more challenging and less accurate. If the user wants to speak the digits in a different language, a different language model is required to do the parsing.

● It is not as intuitive and robust as the two-digit number system: if the user misinterprets the cue and does not speak them as digits (e.g., the user says “seventeen nine forty-five” for the above example), the system will not work. (In the TrulySecure system, all that is required is that the user be consistent in how they interpret and respond to the prompt.)

● The enrollment process is fairly lengthy, requiring all ten digits to be spoken multiple times. Most of the single digits have only one syllable in English, which limits accuracy of the system. This can be compensated for by asking for more digits, but that opens the possibility of an attacker recording a significant portion of the enrolled prompts in a single authentication event.

● The system security is limited by the number of digits and cannot be scaled. Single-digit systems are limited to just ten different individual inputs from which to choose at the time of prompt. An attacker who has recorded all or even a subset of those ten digits and can splice them together as needed would have a very good chance of spoofing the system.

Alternative Configurations

One option with the TrulySecure Voice Liveness Challenge for further minimizing the enrollment process is to initially enroll only the user-defined passphrase. The numbers are then enrolled over time using the augmentation method described above. As a result, there would be no liveness check for the first few authentication attempts, but the enrolled phrase list would quickly grow and become usable.

Another possible implementation of the TrulySecure Voice Liveness Challenge, which has not yet been developed, would be to replace the two-digit numbers with a different set of nonlinguistic and unambiguous symbols. For example, photos of objects or emojis might work.

One example could be pictures of fruits (banana, orange, apple, pear, etc.). As in the two-digit numbers case, the enrolled set could grow over time. As long as each individual user consistently translates each symbol to an utterance, the system will scale perfectly.

In fact, having the user choose the challenge type could serve a dual purpose. Authentication systems often have a "reverse authentication" component to them: something that proves to the user that the system is real and not a phishing attack. Often this takes the form of an image that is chosen at account creation time. If we allow the user to choose his/her own category of challenge prompts, he/she is also being reassured that the system itself is authentic.

Originally published: 2022-06-16. In case of infringement, contact cloudcommunity@tencent.com for removal.

This article is shared from the SmellLikeAISpirit WeChat official account.
