Okta is looking at a new way to get rid of passwords.
The identity management company wants to patent a multi-factor authentication system that uses AI to analyze a person’s voice and verify their identity. Okta’s system would “allow voice to be one credential type” among several in a multi-factor authentication system – meaning users likely would need to also input some other kind of password to identify themselves.
Okta’s system uses a neural network voice model to identify a user based on a “small number of sample utterances” spoken. It can also work independently of text, meaning it’s less susceptible to relay attacks from multiple devices.
The system can also recognize the same voice even if the user is speaking different phrases or using different tones. According to the patent, Okta does this by training the model to create embedding vectors that capture unique facets of the user’s voice, including pitch, pronunciation or acoustics.
Ari Weil, VP of marketing at cybersecurity firm Cyera, explained why biometric authentication methods are becoming more common: They’re easier to use than a password, which leads to a better user experience, and they’re more trusted by organizations when it comes to fighting fraud.
This last part is especially crucial, as AI deepfakes become more popular and realistic.
AI voices are already so convincing that most humans can’t tell the difference. A recent study out of University College London found that people only correctly identified deepfaked voices 73% of the time. “As the use of machine learning and AI advances… The ability to create and train models using biometrics is becoming an important way to identify that individuals are who they claim to be,” Weil said.
Okta noted the model would account for these fraud attempts. While onboarding a user, the model stores their speech audio data as an embedding vector, then compares all future audio against that stored vector to compute “a degree of similarity” between them.
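The enroll-then-compare flow described above, as an added sketch that is not Okta's code and is not taken from the patent. It assumes cosine similarity as the "degree of similarity", a template averaged from the enrollment utterances, a 0.85 threshold, and constructed 4-dimensional vectors standing in for the neural model's embeddings.

```python
import math

def normalize(vec):
    """Scale a vector to unit length so only its direction is compared."""
    norm = math.sqrt(sum(x * x for x in vec))
    if norm == 0:
        raise ValueError("zero-length embedding")
    return [x / norm for x in vec]

def enroll(utterance_embeddings):
    """Build one stored template from a small number of sample utterances."""
    if not utterance_embeddings:
        raise ValueError("at least one enrollment utterance is required")
    unit = [normalize(e) for e in utterance_embeddings]
    if any(len(u) != len(unit[0]) for u in unit):
        raise ValueError("embeddings must share one dimension")
    centroid = [sum(col) / len(unit) for col in zip(*unit)]
    return normalize(centroid)

def similarity(template, probe):
    """Cosine similarity between the stored template and new audio's embedding."""
    if len(template) != len(probe):
        raise ValueError("dimension mismatch")
    return sum(a * b for a, b in zip(template, normalize(probe)))

def authenticate(template, probe, other_factor_ok, threshold=0.85):
    """Voice is one credential among several: both factors must pass."""
    score = similarity(template, probe)
    voice_ok = score >= threshold  # threshold value is an assumption
    return {"score": round(score, 3), "voice_ok": voice_ok,
            "granted": voice_ok and other_factor_ok}

# Constructed sample embeddings (a real model emits hundreds of dimensions).
ENROLLMENT = [[0.90, 0.10, 0.30, 0.20],
              [0.80, 0.20, 0.35, 0.15],
              [0.85, 0.15, 0.25, 0.25]]
SAME_SPEAKER = [0.88, 0.12, 0.30, 0.18]   # new phrase, same voice
OTHER_SPEAKER = [0.10, 0.90, 0.20, 0.40]  # different voice

if __name__ == "__main__":
    template = enroll(ENROLLMENT)
    print(authenticate(template, SAME_SPEAKER, other_factor_ok=True))
    print(authenticate(template, SAME_SPEAKER, other_factor_ok=False))
    print(authenticate(template, OTHER_SPEAKER, other_factor_ok=True))
```

Where the threshold sits trades false accepts against false rejects, so in practice it would be tuned on measured speaker data rather than fixed as here.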
But biometrics’ uniqueness could also be its downfall. Aubrey Turner, executive advisor for Ping Identity, said that while biometrics can be “harder to steal and reuse, unlike passwords,” if the data is stolen, “you can’t really just infinitely swap them out like passwords.”
AI can be both “a gift and a curse” when it comes to biometric security systems like Okta’s, Turner cautioned. Just as AI is being implemented to improve security, “it is also already being used to scale and build more sophisticated phishing attacks, malware and deep fakes.” And in Okta’s case, after two breaches last year, it’s possible some customers’ compromised data could later be used for deepfakes.