Researchers at the University of Michigan have developed new technique that allows wearables — such as a security-token necklace, ear buds or eyeglasses — to be used to eliminate vulnerabilities in voice authentication, according to a report by Phys.org.

Researchers call sound an “open channel” that can be easily duplicated by novice impersonators and skilled hackers alike.

“Increasingly, voice is being used as a security feature but it actually has huge holes in it,” said Kang Shin, the Kevin and Nancy O’Connor Professor of Computer Science and professor of electrical engineering and computer science at the University of Michigan. “If a system is using only your voice signature, it can be very dangerous. We believe you have to have a second channel to authenticate the owner of the voice.”

Shin and his colleagues have developed a solution called VAuth (pronounced vee-auth), which is a wearable device that can take the form of a necklace, ear buds or a small attachment to eyeglasses.

By continuously registering speech-induced vibrations on the user’s body, security-token necklace, ear buds or eyeglasses pairs the vibrations with the sound of the individual’s voice to generate a completely unique and secure signature.

When people speak, their vibrations can be detected on the skin of their face, throat or chest.

The system takes advantage of the instantaneous consistency between signals from the accelerometer in the wearable security token and the microphone in the electronic device.

The solution allows people to only use voice authentication with their device when they are wearing the security token.

The researchers have developed a prototype using an off-the-shelf accelerometer, which measures motion, and a Bluetooth transmitter, which delivers the vibration signal to the microphone in the user’s device. In addition, they have created matching algorithms and software for Google Now.

“VAuth is the first serious attempt to secure this service, ensuring that your voice assistant will only listen to your commands instead of others,” Shin said. “It delivers physical security, which is difficult to compromise even by sophisticated attackers. Only with this guarantee can the voice assistant be trusted as personal and secure, especially in scenarios such as banking and home safety.”

This procedure is completely different from current voice biometric mechanisms, which require each person to be trained on the device in order to use them, said Kassem Fawaz, who previously worked on the project as a graduate student at the University of Michigan.

“In addition, VAuth overcomes a key problem of voice biometrics,” Fawaz said. “A voice biometric, similar to a fingerprint, is not easy to keep protected. From a few recordings of the user’s voice, an attacker can impersonate the user by generating a matching voiceprint. The users can do little to regain their security as they cannot simply change their voice. On the other hand, when losing VAuth for any reason, the user can simply unpair it to prevent an attacker from using their device.”

Upon being tested with 18 users and 30 voice commands, VAuth achieved a 97 percent detection accuracy and less than 0.1 percent false positive rate, regardless of where it was placed on the body and the user’s language, accent or even mobility.

The team said the solution also prevents a range of practical attacks, such as replay attacks, mangled voice attacks or impersonation attacks.

The researchers also conducted a survey of 952 people to determine their willingness to wear a security token.

“Seventy percent of them said they are willing to give VAuth a serious try in one of the three configurations we developed—and half of them said they are willing to pay $25 more for the technology,” said Huan Feng, who worked on the project as a graduate student and currently works for Facebook.

The team will present the study on VAuth, titled “Continuous Authentication for Voice Assistants,” on October 19 at the International Conference on Mobile Computing and Networking, MobiCom 2017, in Snowbird, Utah.