He also agreed that it is relatively easy for hackers to get biometric information. “We leave fingerprints on most everything we touch, and both our images and voices are easily recorded without our knowledge or permission,” he said.
But he said biometrics can still be an effective layer of security if they are, as FIDO standards specify, “limited in scope to only the first of a two-step process that also requires physical possession of the authorized user's personal device.”
That would mean an end to what George Avetisov, CEO of HYPR, terms “centralized authentication,” where a biometric identifier is stored in a database and, “an individual's information is compared against a whole library of others’ similar information at each authentication request.”
With a decentralized system – the one recommended by FIDO – “there is no central storage of biometric data,” he said. When users “enroll” a biometric, like voice, “they do so locally and it is encrypted and stored on-device.
“The hackers would not only have to re-create the voice of the target, they would also have to have physical access to the person’s mobile device, which is exponentially more difficult and economically infeasible,” he said.
The “warehousing” of personally identifiable information (PII), he said, needs to end, since it can result (and has resulted) in “a catastrophic data breach such as in the OPM (Office of Personnel Management) case,” in which the private data of more than 21 million current and former federal workers was compromised.
In short, if your voice isn’t stored locally on your device, experts say it will become relatively easy for hackers to get into your device, access your bank account and more.
Indeed, Stickland said the technology will likely reach the point where an attacker could even carry on a credible conversation using a target’s voice. “It’s called phishing and it happens every day over email and phone,” he said.
Avetisov agreed, saying voice spoofing will even be able to mimic individual speech characteristics like patterns, cadence and phrasing.
“Machine learning and artificial intelligence is advancing at an astonishing pace and it's only a matter of time before minor imperfections in such a system are identified and resolved,” he said.
But McDowell said machine learning can help the good guys as well. “We are in a new arms race between hackers who are trying to defeat biometrics with higher resolution spoofs, and the biometrics industry that keeps innovating both the sensitivity of their sensors as well as their PAD (Presentation Attack Detection) capabilities,” he said.
Those can include, “having users blink when using a face recognition system or having them say a passphrase when using a voice recognition system, or having the fingerprint sensor read below the skin for characteristics that cannot be spoofed by a fake fingerprint.”