How to protect your ‘voiceprint’ from identity theft

CARNEGIE MELLON (US) — Computer users know to preserve their privacy by safeguarding passwords, but with the advance of voice authentication systems, protecting unique voice characteristics is going to be just as important.

New technology from researchers at Carnegie Mellon University’s Language Technologies Institute (LTI) will allow people to register or check in on a voice authentication system, without their actual voice ever leaving their smartphone, reducing the risk that voice biometric data could be stolen and used later to access bank, health care, or other personal accounts.

“When you use a speaker authentication system, you’re placing a lot of faith in the system,” says Bhiksha Raj, an associate professor of language technologies. “It’s not just that your voiceprint might be stolen from the system and used to impersonate you elsewhere.

“Your voice also carries a lot of information—your gender, your emotional state, your ethnicity. To preserve privacy, we need systems that can identify you without actually hearing your voice or even keeping an encrypted record of your voice.”

Raj and Manas Pathak, a recent PhD graduate of the LTI, have devised a method for converting a voiceprint—a spectrogram that represents the acoustic qualities of speech—into alphanumeric strings that can serve as passwords.

Their work will be presented as a keynote address September 21 at the Information Security Conference in Passau, Germany.

Because a person’s voice never sends the same signal twice, even when repeating the same word or phrase, converting the voiceprint into a single password won’t do. Instead, the new system uses different mathematical functions to generate hundreds of alphanumeric strings.

To authenticate the user, the system compares all of the strings with those that the system has on file from the initial registration; if enough of the strings match, the user is authenticated.

The system also adds what the researchers call “salt”—a random string of digits unique to each smartphone—to the alphanumeric strings to provide an additional level of security. In tests using standardized speech datasets, Raj and Pathak found that their system was accurate 95 percent of the time.

The privacy-preserving method is computationally efficient, so it could be used with most smartphones, they say.

But Raj also warns that improving the security of voice authentication systems would be just a first step to protecting privacy overall. “With increasing use of speech-based services, such as the iPhone’s Siri assistant or personal videos uploaded to YouTube, the issue of the privacy of users’ speech data is only just beginning to be considered,” he says.

In addition to Raj and Pathak, Jose Portelo, and Isabel Trancoso of INESC-ID in Lisbon, Portugal, contributed to this research. This work was supported by the National Science Foundation and Portugal’s Foundation for Science and Technology (FCT).

Source: Carnegie Mellon University

chat4 Comments

You are free to share this article under the Creative Commons Attribution-NoDerivs 3.0 Unported license.


  1. Leroy McKane

    My friends like too keep their passwords on their phones but I’m pretty worried that if I do that, my phone may be stolen and they’ll totally have all my passwords.

  2. Jo Mills

    It’s amazing the amount of ways we are all at risk, especially as technology is constantly improving and developing. It’s so important to do as much as you can to prevent it and people’s awareness of this topic will certainly have a positive impact and make them more vigilant.

  3. concerned

    Just had my first encounter wth google voice random “you are now being recorded” during a phone call. I’m concerned voiceprint was collected. This is a known issue since 2010 for google yet it seems nothing has been done to prevent it.

  4. Jeremy Erikson

    Wow, this is interesting research. I’m always concerned about how much of my private data is available to others online. Especially since identity theft seems to be an increasingly common crime. Personally I think that voice authentication on it’s own is not enough, but I do like the idea of the “salt” binary string that authenticates the phone too. I wonder what is the current status of this project. Do they have a website?

We respect your privacy.