March 22, 2017 By Larry Loeb 2 min read

Hong Kong Baptist University (HKBU) recently announced that one of its researchers had developed with a lip motion password for biometric authentication use. The technology observes a person’s lips to gain security authorization, since a user may have specific motions tied to a certain phrase, for example.

Reading Lips

According to HKBU, this system can authenticate a user’s identity by matching the password content with “the underlying behavioral characteristics of lip movement.” Matching the speaker is done through training an artificial intelligence algorithm. Lip shape, texture and motion are all used as data in the training process.

Researchers think this method of authentication may have a big advantage over classic biometric sensors. If a biometric sensor-generated password is compromised, the password generation method itself is no longer as secure, since something like fingerprints cannot be updated or changed.

However, with the lip motion password, a new functional password can be generated simply by saying a different phrase. Additional security benefits to implementing this type of biometric security include voice-based authentication without background noise interference, low rate of mimicry or password forgery and a nonexistent language barrier for global use.

Professor Cheung Yiu-ming, who led the research, explained that “the same password spoken by two persons is different, and a learning system can distinguish them.” How much of a difference is actually found by the learning system was not stated, but it seems to be enough to get around a simple mimicry attack.

Improving Biometric Authentication

Bleeping Computer noted that if lip passwords were used in conjunction with facial recognition software, these passwords can be “almost impossible to crack.” Since the lip motion in all of the authentication attempts would have to come from the same face to be authenticated, it would almost certainly defeat any malicious attack.

Other kinds of attacks were not addressed by HKBU. Recording a user while setting a lip password would give the attacker both parts of the data needed to fool an authentication sentry, for example. Similarly, a man-in-the-middle attack could wait for a generating occurrence to remotely happen, then record the audio and video output for later use.

HBKU said that the method, which received a U.S. patent in 2015, will find uses in electronic payment situations using mobile devices, ATM transactions and as an extra layer to credit card passwords.

More from

How cyber criminals are compromising AI software supply chains

3 min read - With the adoption of artificial intelligence (AI) soaring across industries and use cases, preventing AI-driven software supply chain attacks has never been more important.Recent research by SentinelOne exposed a new ransomware actor, dubbed NullBulge, which targets software supply chains by weaponizing code in open-source repositories like Hugging Face and GitHub. The group, claiming to be a hacktivist organization motivated by an anti-AI cause, specifically targets these resources to poison data sets used in AI model training.No matter whether you use…

New report shows ongoing gender pay gap in cybersecurity

3 min read - The gender gap in cybersecurity isn’t a new issue. The lack of women in cybersecurity and IT has been making headlines for years — even decades. While progress has been made, there is still significant work to do, especially regarding salary.The recent  ISC2 Cybersecurity Workforce Study highlighted numerous cybersecurity issues regarding women in the field. In fact, only 17% of the 14,865 respondents to the survey were women.Pay gap between men and womenOne of the most concerning disparities revealed by…

Getting “in tune” with an enterprise: Detecting Intune lateral movement

13 min read - Organizations continue to implement cloud-based services, a shift that has led to the wider adoption of hybrid identity environments that connect on-premises Active Directory with Microsoft Entra ID (formerly Azure AD). To manage devices in these hybrid identity environments, Microsoft Intune (Intune) has emerged as one of the most popular device management solutions. Since this trusted enterprise platform can easily be integrated with on-premises Active Directory devices and services, it is a prime target for attackers to abuse for conducting…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today