The idea is pretty bad from the standpoint of security, but you can do it.
First of all, you need to use
System.Speech.Recognition
. You need to reference the assembly "System.Speech.dll", which comes with .NET Framework and is found in GAC, so to add a reference, you use the tab ".NET" if the "Add Reference" dialog of Visual Studio. Start here (everything is explained in documentation and code samples):
http://msdn.microsoft.com/en-us/library/system.speech.recognition.aspx[
^].
You will also need to install freely redistributable Microsoft Speech Platform language pack, one or more of them:
http://www.microsoft.com/download/en/details.aspx?id=27224[
^].
The safety problem of authentication is that you should create some dictionary (called grammar, but essentially this is just a dictionary of really existing words in some language, as you need the simplest case of grammar). This shold better be the list of pass phrases, not individual words. The problem is: you have to store all these words somewhere. Event if you can encrypt the words somehow, they all should be submitted in the form of the grammar to the speech recognition engine before recognition and authentication. This moment if very vulnerable, as it is possible to reverse engineer the client and spy on this data after it was decrypted. The dictionary cannot be very long, so it's easy to try out all of the entries and pick the password.
This problems does not exist in the text-mode authentication. The good password is not a word in any language and cannot be pronounced, it should combine letters, digits and punctuation characters. Moreover, the password in its original form is not stored anywhere at all — it is never need for authentication. One of the approached to this is using
cryptographic hash function (
http://en.wikipedia.org/wiki/Cryptographic_hash_function[
^]) of a password. Only the hash is stored on the server part, and hash is compared with hash. It is
infeasible to find an original word from its hash, so nobody can know the password even having full access to all server data.
Needless to say, using a voice password is first of all unsafe just because it's pretty easy to eavesdrop the voice, acoustically… :-)
—SA