Why Every Expert Recommends a Code Word (And Why Nobody Uses One)
Read any article about AI voice cloning scams. Watch any news segment about deepfake fraud. Sit through any cybersecurity briefing about the rise of synthetic media.
At the end, you’ll always find the same advice:
“Create a secret word or phrase with your family members to verify their identities.”
The FTC warns that scammers are using AI to enhance family emergency schemes, and has launched a Voice Cloning Challenge to encourage countermeasures. Europol has issued specific guidance to law enforcement about the risks of deepfake crimes. Every cybersecurity firm, every law enforcement agency, every fraud prevention expert arrives at the same conclusion.
It’s the single most consistent piece of guidance in the entire deepfake prevention space. And it’s absolutely right.
Why code words work
The brilliance of a code word is that it sidesteps the entire deepfake problem.
It doesn’t matter how perfect the voice clone is. It doesn’t matter how realistic the deepfake video looks. It doesn’t matter if the scammer has your name, your address, your relationship details, and a flawless imitation of your daughter’s crying voice.
If they don’t know the code word, they fail. Full stop.
A code word shifts verification from biometric (what someone looks or sounds like) to knowledge-based (what someone knows). Biometrics can now be faked. A shared secret, unlike a voice or a face, can’t be extracted from a social media profile or an audio clip.
This is why every expert recommends it. It’s conceptually simple, universally applicable, and fundamentally sound.
Why almost nobody actually uses one
And yet - when researchers and journalists investigate actual scam cases, they almost never find a family that had a code word in place. Why?
Nobody gets around to it. Setting up a family code word feels like one of those things you’ll do “this weekend.” It requires getting everyone together (or at least on a group call), agreeing on a word, and making sure everyone remembers it. It’s not hard, but it’s just friction-y enough that it doesn’t happen.
People forget. Even families who set one up often can’t remember it six months later. “Was it ‘pineapple’ or ‘penguin’? I think we changed it at Christmas?”
Static words have a shelf life. A code word that never changes can be overheard, accidentally shared, or even guessed by someone who knows the family well enough. The longer a static secret exists, the less secret it becomes.
Multiple relationships, multiple words. If you need a different code word for each family member (and you should - otherwise one compromised word breaks everything), the memory burden multiplies fast. “What’s my word for Mum vs. my word for Dad vs. my word for my sister?”
It feels silly. Let’s be honest - saying “what’s the code word?” to your grandmother on a normal phone call feels awkward. People don’t want to build a verification ritual into their daily conversations. They want something they can invoke when needed and ignore the rest of the time.
Kids and elderly family members. The people most likely to be targeted (grandparents) and most likely to be impersonated (grandchildren) are also the people least likely to remember and maintain a static code word system.
The result: a universally recommended solution with near-zero adoption.
What a code word should be
If you designed a code word system from scratch, knowing everything we know about human behaviour and the deepfake threat, what would it look like?
Unique per pair. Your code word with your mum should be different from your code word with your sister. If one relationship is compromised, the others stay secure.
Bidirectional. You should be able to verify them and they should be able to verify you. A scammer who somehow learns one side still can’t fake both.
Automatically rotating. The phrase should change regularly, so there’s no long-lived secret that can be overheard, guessed, or extracted over time.
Nothing to remember. The system should generate and display the current phrase for you. No memorisation. No “was it pineapple or penguin?”
Available offline. In an emergency, you shouldn’t need an internet connection or a functioning server to verify someone’s identity.
Protected by biometrics. The phrases should be locked behind Face ID, fingerprint, or a passcode - not visible to someone who picks up your unlocked phone.
Zero setup friction. A QR code scan, and you’re in. No accounts. No email addresses. No phone numbers.
That’s TrustWord
TrustWord is the code word system the experts wish existed when they give their advice. It takes the universally recommended approach and implements it with proper cryptography, automatic rotation, biometric protection, and near-zero friction.
Every pair of people in a circle gets two unique passphrases - one in each direction. They rotate every 2.5 minutes. They’re generated on-device using TOTP-style cryptography (the same approach used by authenticator apps like Google Authenticator or Authy). No server ever sees them. No internet needed after the initial setup.
When you need to verify someone, you ask for their word and check it against your screen. Then they ask for yours. Two words, two directions, mutual verification.
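The per-pair, two-direction, rotating phrase scheme described above can be sketched with the same HMAC-over-a-time-counter construction that TOTP (RFC 6238) uses. This is an added example, not TrustWord's code: the function names, the 16-word list, the direction label and the assumption that a random pair secret was exchanged at pairing are all illustrative.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 150  # 2.5-minute rotation, as stated in the article

# Constructed 16-word list (4 bits per word) to keep the example short;
# a usable scheme needs a far larger list so phrases cannot be guessed.
WORDS = ["amber", "birch", "cedar", "delta", "ember", "fjord", "grove", "heron",
         "inlet", "jade", "kelp", "lotus", "maple", "north", "otter", "pearl"]


def passphrase(pair_secret: bytes, sender: str, receiver: str,
               now: float, n_words: int = 3) -> str:
    """Phrase `sender` speaks to `receiver` in the time window containing `now`."""
    counter = int(now) // STEP_SECONDS
    # Binding the direction into the MAC input makes A->B differ from B->A.
    msg = struct.pack(">Q", counter) + f"{sender}>{receiver}".encode()
    digest = hmac.new(pair_secret, msg, hashlib.sha256).digest()
    return " ".join(WORDS[b % len(WORDS)] for b in digest[:n_words])


def verify(pair_secret: bytes, sender: str, receiver: str, spoken: str,
           now: float, n_words: int = 3, drift_windows: int = 1) -> bool:
    """Check a spoken phrase, tolerating +/- drift_windows of clock skew."""
    normalized = " ".join(spoken.lower().split())
    ok = False
    for offset in range(-drift_windows, drift_windows + 1):
        expected = passphrase(pair_secret, sender, receiver,
                              now + offset * STEP_SECONDS, n_words)
        # Constant-time comparison; every window is checked regardless of a hit.
        ok |= hmac.compare_digest(expected.encode(), normalized.encode())
    return ok


if __name__ == "__main__":
    # Constructed demo secret; assumed to be random and shared once at pairing.
    secret = hashlib.sha256(b"constructed demo secret").digest()
    t = 1_700_000_000
    word = passphrase(secret, "sam", "gran", t)
    print("sam says to gran:", word)
    print("gran accepts:", verify(secret, "sam", "gran", word, t))
    print("replayed as gran->sam:", verify(secret, "gran", "sam", word, t))
```

Accepting one window of drift on either side keeps two phones with slightly different clocks in agreement, at the cost of a phrase staying valid for up to three windows.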
When you don’t need to verify anyone, the app sits quietly on your phone doing nothing. No notifications. No subscription nagging. No data collection.
Free for up to 10 people. That’s enough for most families. No credit card needed. No account to create. Install, create a circle, scan a QR code. Done.
The experts are right: a code word is the best defence against voice cloning and deepfake scams. TrustWord just makes it one you’ll actually use.
If you’ve been meaning to set up a family code word and never got around to it - this is faster. And it actually works.