Traditional verification methods such as PINs, passwords and knowledge-based questions have become insecure.
Auraya has developed EVA, an advanced voice security system able to identify authorized users who have provided a voice print to store in the EVA vault, and detect spoofed or manipulated voice inputs in order to better secure the authentication process.
In this interview, Safety Detectives asked Paul Magee, Director and President at Auraya, to show us how government entities, like the New Zealand Government’s Inland Revenue Department, are using EVA to improve their cybersecurity measures and protect sensitive data.
Tell us about yourself and how you got into cybersecurity
I’m Paul Magee, the President of Auraya, and my journey into cybersecurity is intertwined with my passion for leveraging technology to solve complex problems.
I started my journey into the realm of cybersecurity over two decades ago, during my tenure as the CEO of a tech firm focused on physical access control for high-security premises. My experience there, developing solutions that leveraged machine learning to manage physical access, paved the way for the evolution of Auraya’s advanced cybersecurity technologies, which are designed to grant secure and effortless digital access, ensuring that users are authenticated with precision and reliability.
What security threats are you solving with your products and services?
At Auraya, we specialize in combating a wide array of cyber threats, but our primary focus lies in verifying the identity of authorised people so that only authorized people can access secure services. Our biometric authentication helps to combat identity theft, fraud, and unauthorized access.
Businesses across almost all industries, from finance to healthcare, face threats daily from identity theft, fraud and unauthorized access. The consequences of not effectively addressing such threats can range from financial losses to both the organization and its clients as well as reputational damage and potential fines and legal consequences.
The common approach to the issue of digital identity verification has traditionally involved the use of passwords and other knowledge-based questions. Large scale data breaches have highlighted the problem of relying on passwords and knowledge based questions as an effective protection mechanism. In recent times organizations have added device identification to create a two-factor authentication process. Checking that a trusted device is being used relies on the use of an authenticator app or requiring users to enter a one-time passcode delivered to the trusted device by SMS or E-mail.
Whilst adding a device authentication process improves security it often raises the level of complexity for authorized users but provides no real protection against bad actors that have either physical or virtual control of the trusted device.
Auraya’s response to these inadequacies is EVA Voice Biometrics, which ensures that access is granted based on the unique voice characteristics of an individual, thus adding a more personalized and secure layer of protection using something that you always have with you, ‘your voice’.
Whilst fingerprint and faceprints stored on a device can be used to smooth the user experience, bad actors can simply add their own fingerprint or face print to the trusted device if they have control of the device. Auraya’s EVA Voice Biometric Solution allows a person to simply say the one time-passcode (OTP) displayed on the device and then have the voice recording securely sent to the EVA vault where EVA checks that the correct passcode is spoken by the authorized person. The device makes no decisions on this security step meaning that the step up security process is independent of the trusted device.
One specific feature we developed to mitigate threats more effectively than our competitors, is our advanced voice authentication technology that can detect and prevent synthetic voice attacks, where hackers use artificial intelligence (AI) to mimic a user’s voice.
How EVA Voice Biometrics authentication works
Imagine a user attempting to access their bank account via a smartphone app:
Initial Authentication:
The user accesses their account using device-based biometrics like fingerprint or facial recognition, stored on the device itself. These biometrics, however, can be manipulated by an unauthorized actor who might have access to the device.
Authorisation for a Payment:
The user wishes to authorize a significant payment to an account, which can’t be retrieved. To ensure both security and convenience, the user is shown a one-time passcode (OTP).
Voice-Based Authentication:
The user activates the smartphone’s microphone and verbally speaks the displayed OTP. The device securely transmits this digitized voice recording to the EVA vault, where the voice is analyzed by EVA to confirm that the voice transmission is coming from the trusted device.
Real-Time Verification:
- EVA checks whether the message originated from the trusted device.
- EVA confirms that the correct OTP was spoken.
- EVA verifies that the voice used matches the authorized account holder’s biometric profile, detecting any attempts to use synthetic or manipulated voice recordings.
All of the above occurs in real-time. This user-friendly and secure authentication method represents a significant advancement in both cybersecurity and the user experience.
In your opinion, what are the most underrated cybersecurity threats businesses face today?
In my perspective, contemporary cybersecurity challenges extend beyond the realm of technology, encompassing critical considerations associated with human factors and procedural aspects. While technological safeguards are integral, it is important to recognise that the holistic cybersecurity landscape incorporates the synergy of technology, people, and processes.
One notable vulnerability lies in the reliance on single-factor authentication methods. To address this effectively, and to mitigate risks, we encourage the adoption of multi-factor authentication with biometrics. Implementing multi-factor authentication measures mitigates risks and fortifies security postures, as it incorporates multiple forms of verification for user access.
One of the fastest emerging threats pertains to the rapid proliferation of AI-driven tactics like generating synthetic identities and deep fake voices or faces, with the intention of deceiving and committing fraud. It is important to leverage advanced AI technologies that can detect real from fake.
And what do you see coming in the future?
In the future, I see an increase in AI-powered cyber-attacks, making it more important than ever to develop advanced defensive AI technologies. As the digital world continues to evolve, so will the sophistication of attacks, especially with the proliferation of IoT devices. It can be considered an Arms race where every threat developed using AI needs to be countered by building better AI defenses.
The future is AI versus AI (this is not a prediction, but a spoiler!)
Auraya plans to stay at the forefront of these changes by continually evolving our solutions to counter new threats. For instance, we recently released our continuous authentication capability that monitors users throughout their session, not just at the login point.
One current problem is the skills gap in cybersecurity. What’s your take on that?
The cybersecurity skills gap is a tangible problem that impacts the industry globally. One key reason is the rapid evolution of technology, outpacing the rate at which professionals can be trained.
At Auraya, we address this gap by offering continuous professional development for our staff to keep pace with the changing threat landscape. We recruit and retain the best talent and provide a culture that allows for personal growth and fun. We encourage team members to try things that don’t succeed in the hope of discovering new breakthroughs.
For aspiring professionals, this global skill gap actually represents an opportunity – There is a high demand for skilled cybersecurity experts, and those willing to invest in learning.
Your advice to someone wishing to start a career in cybersecurity?
For anyone looking to start a career in cybersecurity, I advise focusing on foundational knowledge and then specializing in areas that are in high demand, such as cloud security or AI. Certifications like CISSP or OSCP can be valuable, but practical experience is paramount.
Start by setting up your own home lab to get hands-on experience. Follow cybersecurity communities, participate in CTF (Capture The Flag) challenges, and never stop learning.
A common misconception is that you need to be a coding expert to succeed in cybersecurity. While technical skills are important, problem-solving and critical thinking are just as vital.
What’s your point of view on the current state of cybersecurity awareness?
The state of cybersecurity awareness is improving, but there is still a significant need for education, especially in small to medium-sized businesses. Awareness campaigns and training programs are essential and should be implemented regularly.
Most of our clients are proactive in their approach to cybersecurity, but there’s a balance to be struck between being proactive and reactive; the landscape is so dynamic that both approaches are necessary.
To stay updated, I regularly consult a mix of resources such as cybersecurity blogs, newsletters, podcasts, and YouTube channels. Keeping a pulse on the industry from multiple sources is crucial.