Schneier on Security
A blog covering security and security technology.
March 11, 2005
Speech-Activated Password Resets
This is a clever idea from Microsoft.
We know that people forget their passwords all the time, and I've already written about how secret questions as a backup password are a bad idea. Here's a system where a voiceprint acts as a backup password. It's a biometric password, which makes it good. Presumably the system prompts the user as to what to say, so the user can't forget his voice password. And it's hard to hack. (Yes, it's possible to hack. But so is the password.)
But the real beauty of this system is that it doesn't require a customer support person to deal with the user. I've seen statistics showing that 25% of all help desk calls are by people who forget their password, they cost something like $20 a call, and they take an average of 10 minutes. A system like this provides good security and saves money.
Posted on March 11, 2005 at 1:22 PM
• 28 Comments
Yeah, but I'd only forget my password on days when I'd lost my voice.
Be thankful the system doesn't require a fingerprint.
I tested several products like this, including the demo from MIT voice lab. But it turns out the error rate is too high (10%-50%), and too sensitive to environmental variables. The current solutions require high-quality microphones and a very quiet room to capture/verify your voice. That is not realistic for consumer use.
With the concept of "voice password reset" an attacker can play telemarketer and social engineer the victim to say the key words necessary to reset the system. Especially if the reset system relies on the user saying his/her name and something they can't forget like their birthday. Even if it is multiple choice the attacker would be able to get lucky.
Another thing is if the system is tied to a home phone number to try and prevent random geographical places from attempting to reset, it would be very possible for an attacker to apply brown-boxing in combination with pre-recorded artifacts to bypass the security.
A smarter method would be to use the technology to memorize the user's pattern and then have the user repeat random words to the system (think audio CAPTCHA). This would probably be prone to more error until the voice system technology would improve - thus susceptible to false-positive attacks.
So the problem boils down to reconstruction of voice and speech patterns of random phrases from a relatively small set (a conversation length, say). Does anybody know where the technology is at today for doing that?
Kudos to MS for trying to integrate into AD. I wonder if users would also be able to type a response on the keypad instead of, or in addition to, using voice? Maybe it would have to be licensed separately, as the Microsoft 2004 Keypad Server.
No offense, but presumably every reader would immediately assume that the text the user reads would have to be chosen differently each time, and randomly.
The question in my mind is this: given that we have the technology to do pattern recognition on variables, features, etc derived from a voice sample, can we not also do pattern synthesis as well? This doesn't feel like a "hard problem" that anyone would be surprised to see an attacker solve.
Can anyone enlighten me re the nature of my misunderstanding?
There are many companies already using voice password reset. It's a lot easier to do than complex dictation since the dictionary is determined by the user (when they choose their own secret prompts) and therefore not anywhere near as difficult as random speech.
I've seen claims of wild success using speech reset:
In early 2003 "more than 40,000 employees have successfully enrolled in the system, and the application is now resetting over 20,000 passwords per month across more than five different back-end systems, taking a significant load off the help desk."
I meant the problem of cracking the system, not implementing it. I wasn't clear.
The article states that users are asked to choose a set of secret prompts. They then answer questions they are asked via phone. Since it's a two-factor system (something you know, something you are) an attacker would need to know the questions to produce the right answers in a voice comparable to the victim's. The complexity of the problem is in proportion to the randomness of the questions. Or if users really lose their password often enough, they might cycle through all their prompts quickly and an attacker could just intercept and record all the possible answers.
I think the beauty of this system is not the actual mechanism, but that it uses existing and pervasive technology (phones) to implement a stronger and more efficient system of self-authentication. Retina, fingerprint, or palm by comparison, would require a complicated system of dedicated readers.
I do not think anyone is saying voice/phones are especially tough to defeat, as seen with the latest VoIP attack tools that simply dump conversations to WAV files for replay.
"No offense, but presumably every reader would immediately assume that the text the user reads would have to be chosen differently each time, and randomly."
I assumed it would be static. You'd call the system, and a computer voice would say something like: "Repeat after me...."
I don't think it works quite that way, although you might be onto something even more interesting.
Here is the example scenario provided in Microsoft's press release:
"Now consider this comparatively painless scenario using an automated password-reset application: An enterprise worker on a business trip wants to check her e-mail from her hotel room, but she cannot access her account because she has forgotten the new password she received the day before. The worker uses her cell phone to call the voice-activated reset application. The call is answered immediately, and the application reads the cell phone number -- the first of several steps to authenticate the caller's identity.
Next, the application retrieves personal information about the worker -- entered into a Web page upon enrollment -- from a data store such as Microsoft Active Directory. It randomly selects two of four "smart" personal questions and prompts the worker to answer them for verification. If the worker is authenticated, the application then creates a new temporary password, performs the reset, reads back the password over the phone and gives the worker 10 minutes to use it. The worker hangs up, logs on and is immediately asked to change the password."
Concerning attacks against speaker verification, quite a bit of work has been done on this. The work of Gerard Chollet is a good starting point, for example:
"Deliberate Imposture: A Challenge for Automatic Speaker Verification Systems", Proc. of EUROSPEECH, Budapest, Vol. 5, pp. 1971-1974, 1999, G Chollet and D Genoud.
How is this exactly safe against replay attacks? All I have to do is record the person's voice (& bugging is easy if the person does not expect it) and number of secret questions is finite...
A tape recorder could possibly defeat this, wouldn't it?
"How is this exactly safe against replay attacks? All I have to do is record the person's voice (& bugging is easy if the person does not expect it) and number of secret questions is finite..."
Don't forget the context. This is a backup system for passwords. Passwords are not secure against replay attacks. Passwords are not secure against all sorts of things.
As a backup system for passwords, I think this is an excellent one. Of course there are all sorts of ways to attack it; who cares?
Thanks for the explanations.
So if I understand correctly, it combines the technique of secret questions (the security of which was discounted in the original post) with voice recognition. Thus, it is not as bad as plain pre-arranged secret questions, nor as bad as plain voice recognition.
So if a person chooses his stored questions and answers carefully, in a way that opponents can't predict, then maybe he's not at too much risk.
And there's an extra hurdle for opponents--they have to imitate the voice sufficiently well to convince a machine.
Of course, this is the same user who forgot his password.... The questions can't be random, and the answers probably aren't difficult to guess. The user had better hope that an adversary doesn't have access to voice samples.
I would think that, unless there is some restriction of the source for the reset requests, an evil credit card company (for example) could poll this system for a question in the middle of their own verification of the given user. It may well be that the user would think nothing of answering such questions at the request of some third party, failing to imagine the way it would be misused even if the question is fresh enough in his/her mind to ring a bell. And of course, in this particular scenario, the voice print is free. :)
True, these voice-augmented personalized questions are better than what a lot of people do for failsafe passwords (which is damningly faint praise :), and ostensibly it doesn't require human intervention. Those are great things, yes. I would hope that nobody would choose this over combining a badge/smartcard with voice recognition, assuming such facilities are available.
It should be hyped as "not especially safe, but pretty cheap anyway."
Maybe the advertising slogan could be "not so accident-prone as WEP." :)
I hope the authors aren't reading this.
> Of course there are all sorts of ways
> to attack it; who cares?
Uhh, why would you implement a system that isn't remarkably better than the current ...? This system also seems to require far too much personal information for my liking. Phone numbers? Real (rememberable) answers to those stupid profile questions? I don't think so.
Not only haven't I gained a whole lot, I have given much more of my private information away to someone that I might not exactly trust with it; someone who could have major problems with their website and allow anyone to get access to that info.
It also seems that the only point here is not speech, but a separate channel. Why not send an SMS request for a new password?
Heck, what's wrong with email reset? If my email (specifically my work email) is not secure, I have big problems, least of which is my password to the latest MS conference, or some forum I rarely visit, or something.
It is common practice for companies to know the cellphone numbers of their employees. The whole idea of this system is another way to leverage a robust directory with all sorts of data to validate an identity. In fact, the system could prompt users only for their directory information, but that is obviously less secure than a secret. So instead the system validates a caller's cellphone number, name, etc (that defines their identity) and then uses an automated system (less chance of accidental disclosure/theft) to prompt the caller with a voice-based secret.
This is quite a bit better than calling the helpdesk and having someone on the phone create a new password and then tell you or email it...it's also quite a bit easier/cheaper than trying to implement any other form of biometric identification.
All that being said, and as much as I like the idea in a general sense, this reminds me of the old business pitch that if you install ATMs you will reduce teller costs, or if you install voice-recognition systems in hospitals you will no longer need to pay transcriptionists...somehow the technology never really does as well as the prior human-only process and we all end up paying more to maintain limited aspects of both. Early adopters beware.
I still don't see the advantage of this system over your typical password-reset screen.
In both cases the attacker needs to know the secret; in the phone case they simply need to know the phone number too.
The suggestion is that it confirms the number you are calling from; what about people calling from a private line? A hotel phone? A friend's phone? Steal their phone, get access to the info in their account. Validating on the number seems a little useless.
And if we disregard that factor, I don't see it having any advantage over email request.
The cell phone was just an example. The system could require users to call from their cell phone, or not. It shows that you could provide extra control mechanisms for a password-reset.
In the example from the article, we are to believe that the person needs a password reset for their email. Therefore, they can not be reasonably expected to get a new password via email. And if they call the helpdesk for a password reset, they create load on the helpdesk personnel and introduce the risk of someone on the helpdesk knowing their password, even if only for a brief period.
If you prefer a web-based password reset screen, more power to you. But many people do not and phone-based is a different mechanism that seems to be baked into Microsoft's directory -- options are good. A phone-based system will not be "strong" authentication by itself, but it could easily be stronger than web-only (since it requires both something you know AND something you are). And again, the real beauty of the system is that if you set strict password policies users only need access to a phone, which should make them more likely to comply and less likely to demand that they need an indefinite timeout on their passwords to function...
I see, I didn't realise it was specifically about passwords for your email accounts; in that case you are right, some other source is required :)
Isn't this just about voice-recognition stuff being used to automate business functions, not specifically a security thing then?
Re this point:
> (since it requires both something you
> know AND something you are).
How is this so? What is this 'something you are' part? All someone else needs to know is the phone number to call, right? The attacker just then responds to the prompts and gets the password.
I guess I just don't see this being any advantage for 'security'.
It appears to me that the system does not actually include speaker recognition/verification but only speech transcription. It is not biometric, but simply the equivalent of a web-based system with secret questions.
If it's true that it does voice recognition, that would be the 'something you are' part of it, fwiw.
When I read about approaches like this, I wonder whether the day will come when sensitive responses will simply be encrypted against one's public key and delivered via any convenient method. If we made a collective decision to put the effort we spend on these workarounds into doing it the right way, including a little respect for the consumers, it could be done already.
I look at this sort of thing and get pretty annoyed, too, because the question that always comes back to me is, "why are we still using passwords for so many things?" We have had open asymmetric authentication systems with publicly available code for many years now; why can't we get it together so I can use ssh for authentication to web sites, as well as command-line logins?
It also seems that the only point here is not speech, but a separate channel. Why not send an SMS request for a new password?
Most of the solutions support both biometric speaker verification and interrogation methods for authenticating the user. Solutions can also support RSA SecurID authentication and other methods. The decision is higher security vs. higher cost.
So why use voice recognition over email, SMS, or web-based solutions? It's more secure. It is much less susceptible to automated attacks for one. Also, if you are locked out of your system, who is to say you have email or web access? You always will have a phone.
SMS is an interesting idea though. One problem though is SMS, like email, is not a very secure medium.
Sir, how can I download this software?