Product Reviews

Biometric Security Products: VeriVoice Security Lock

An interesting curiosity—VeriVoice saves keystrokes but doesn't enhance security

I work at lot at a keyboard and have the stiff neck, sore fingers and painful joints to prove it. I'm hoping someday to be able to do most of my work by just talking to my computer. The makers of voice recognition biometric software, however, are not trying to improve my physical health. Instead, they hope to improve the health of your network by preventing unauthorized access. They do so by identifying your unique voice. Some of these systems require elaborate training and expensive hardware. Others can exist on common desktop systems. Instead of entering a user ID and password via the keyboard, you speak a predetermined catchphrase, or repeat randomly selected phrases. If it's really you (or at least if the software can determine that it's you) then you're in. Otherwise you're not.

Product Information

VeriVoice Security Lock (SL) beta
VeriVoice, Inc.
Princeton, New Jersey
(609) 452-9220


VeriVoice is one such product but it's not meant as a foolproof network or computer access system. Instead, it protects your password-protected screensaver. Sort of. As you know, many Windows screenssavers can be turned into password protected system lockouts with the check of a box. Idle systems start the screensavers and only the possessor of the currently logged on user account password can banish the screen saver and access the desktop. After VeriVoice is installed, an attempt to access the screensaver protected system asks for authentication via repetition of a VeriVoice generated number.

Installation, Configuration and Testing
You can install VeriVoice on any Windows 2000 system. You do not have to be in a domain, nor is your usage domain-dependent or restricted. Running the installation (make sure your microphone is working!) sets up the system and provides you the opportunity to "register" your voice. You do so by repeating numerical phrases that are spoken to you and repeated in a dialog box (see figure). I found myself repeating the rhythms of the voice, instead of my own natural ones. This turns out to be not a good idea. When VeriVoice is through with you, you're thanked for registering.

VeriVoice registers your voice by having you repeat numeric phrases.

Next, select a screensaver and check the Password required box. When the screensaver is activated, the system is locked. When you attempt to access the system, VeriVoice requires you to repeat several numerical phrases. From these, VeriVoice creates a template and attempts to match it with the one saved during registration. A match lets you back on the system.

Best Practices, Thoughts
Unfortunately, after three attempts at duplicating your voice print, instead of denying access, VeriVoice gives you the opportunity to key in your password and return to your desktop. In my mind, this invalidates the reason for using VeriVoice in the first place and turns what could be a valuable use of biometrics into little more than a curiosity. Remember, I said that was my opinion. VeriVoice states that this is the way their customers want the service to act. No one wants to potentially lose data by having to reboot to regain access to a system. Besides, allowing only the user back into a "locked" system goes against the normal administrative access policy—if the Windows Lock Computer facility is used instead of a password-protected screensaver, an administrator can unlock the system. If VeriVoice denied this access, they would not be supporting the Windows model.

I'd say VeriVoice is useful for the end user who is forced to use a locking screensaver, but annoyed at having to type in a password when they return from lunch. It did make interesting conversation as my idle system kept starting the screensaver while I spoke on the phone. Soon, I found myself explaining to the caller that I was alone—even though some woman and I were speaking in code. It may just be me, but I'd soon be annoyed by the computer voice asking me to repeat the phrases and soon be mumbling something, anything, three times so finally I could type in my password and get on with it.

About the Author

Roberta Bragg, MCSE: Security, CISSP, Security+, and Microsoft MVP is a Redmond contributing editor and the owner of Have Computer Will Travel Inc., an independent firm specializing in information security and operating systems. She's series editor for Osborne/McGraw-Hill's Hardening series, books that instruct you on how to secure your networks before you are hacked, and author of the first book in the series, Hardening Windows Systems.


comments powered by Disqus

Subscribe on YouTube