Hong Kong Baptist University (HKBU) recently announced that one of its researchers had developed with a lip motion password for biometric authentication use. The technology observes a person’s lips to gain security authorization, since a user may have specific motions tied to a certain phrase, for example.

Reading Lips

According to HKBU, this system can authenticate a user’s identity by matching the password content with “the underlying behavioral characteristics of lip movement.” Matching the speaker is done through training an artificial intelligence algorithm. Lip shape, texture and motion are all used as data in the training process.

Researchers think this method of authentication may have a big advantage over classic biometric sensors. If a biometric sensor-generated password is compromised, the password generation method itself is no longer as secure, since something like fingerprints cannot be updated or changed.

However, with the lip motion password, a new functional password can be generated simply by saying a different phrase. Additional security benefits to implementing this type of biometric security include voice-based authentication without background noise interference, low rate of mimicry or password forgery and a nonexistent language barrier for global use.

Professor Cheung Yiu-ming, who led the research, explained that “the same password spoken by two persons is different, and a learning system can distinguish them.” How much of a difference is actually found by the learning system was not stated, but it seems to be enough to get around a simple mimicry attack.

Improving Biometric Authentication

Bleeping Computer noted that if lip passwords were used in conjunction with facial recognition software, these passwords can be “almost impossible to crack.” Since the lip motion in all of the authentication attempts would have to come from the same face to be authenticated, it would almost certainly defeat any malicious attack.

Other kinds of attacks were not addressed by HKBU. Recording a user while setting a lip password would give the attacker both parts of the data needed to fool an authentication sentry, for example. Similarly, a man-in-the-middle attack could wait for a generating occurrence to remotely happen, then record the audio and video output for later use.

HBKU said that the method, which received a U.S. patent in 2015, will find uses in electronic payment situations using mobile devices, ATM transactions and as an extra layer to credit card passwords.