Biometric and Password Authentication Fallacies

We’re taking this opportunity to address a couple of questions that were raised in our recent webinar with Opus Research – Addressing the Achilles Heel of Multi-factor authentication.

The question highlighted a misconception about biometrics in general and voice biometrics in particular. It also highlighted a misconception about the changeability of passwords in the event of being defrauded or hacked.

The questioner was under the assumption that once a biometric of any modality was stolen, hacked, or compromised in any way you can never get it back, whereas passwords can be changed, and the person can continue to have security. So, the question was how we got around this perceived limitation.

Firstly, let’s look at the biometric assumption, that if it’s stolen it’s gone forever. Biometric models held in databases are digital representations of your physiology and that representation is dependent on the biometric modality.

  • A voice biometric model does not contain any audio; it is a digital representation of the distortion your physiology creates on sound and is stored as a series of encrypted digits.
  • It cannot be reverse-engineered into audio; it cannot be played into a microphone and cannot be used in any way whatsoever, apart from its intended purpose in the implementation in which it was created.

Simply put, a stolen voice print is useless to anyone and therefore of no interest to fraudsters.

There is an additional note regarding biometric modalities. If biometric models were stored as images of a face or fingerprint for example and they were stolen, then yes, if it’s stolen, it’s gone forever. This is because those modalities are static or one-dimensional.

Voice, on the other hand, is the only biometric modality that can be two-dimensional.

  • who is speaking? and,
  • what are they saying?

So, if a voice biometric model was just audio (which it’s not) then it could be changed to a different phrase in the same way you can change a password.

The real advantage of this two-dimensional model in the real world can be seen in ValidSoft’s “Precision Biometrics” technology which uses the combination of:

Voice + a One-time-Passcode (OTP) = to create a mathematically stronger model than either single element to guarantee the identity of the user.

It must be the correct speaker speaking the correct digits.

Now let’s look at the argument of if you’re hacked, you can change your password and you’re safe again. If you are one of the 65% of all people who reuse the same password on multiple accounts, which password are you going to change?

The one for the account on which the fraud was perpetrated or every account for every company where you use that password?

If a fraudster accessed your online bank account with a stolen password, it doesn’t mean the password was somehow acquired in a hack on your bank. It also doesn’t mean it was a targeted attack against your bank account.

Your password could have been stolen from a different company’s database where you also have an account and sold and used in a credential stuffing attack – automated attacks on website forms using a stolen username and password pairs, potentially involving millions of hacked records.

Therefore, if you reuse passwords, a hack could have occurred unbeknownst to you at any company where you also have an account. It may be just a matter of time before your password is used in a credential stuffing attack against another company you have an account with.

So, the argument of just changing a password, may not be that simple for most people

To learn more about our enterprise-grade identity-guaranteed products and solutions and how we can help you deliver frictionless passwordless authentication, contact us at