Security

The future of iris scanning

No-contact scanning is the future of biometrics. Tom Olzak writes that iris scanning is positioned to take a central role.

Biometrics has received a lot of bad press during its short life. Fingerprint technologies have issues many businesses, and security professionals, would rather not deal with.  And then there is the cost.  So is there a technology that may provide security, involve low maintenance costs, minimize management headaches, and is acceptable to users?

The problem with fingerprints

Fingerprint scanning solutions promised a panacea for the tired and embattled password. Either as a standalone solution or as a supporting second-factor for authentication, use of a fingerprint is superficially a great idea. However, the years have shown that early implementers faced challenges still present today:

  • Sensors cost money.  This is okay if they work as advertised. However, the remaining bullets represent hidden costs in addition to those of software and hardware.
  • Users much touch the sensor. In a manufacturing or other environment with impurities in the air and on hands, the sensor quickly becomes unusable. If not unusable, then it is often frustrating to users standing in line while people in front of them try repeatedly before getting a positive response from the system. Further, today’s user is cognizant of the risks associated with touching something used by others. No one knows where the finger has been nor whether a previous user is suffering from a disease capable of hand or other surface transmission. And even if the risk is actually low, user perception may not agree with management’s acceptance of it.
  • And then there is the security issue. Time and again individuals have demonstrated how to “fool” a fingerprint system. Yes, there are solutions with a very high resistance to such attacks. But how many businesses are willing to spend the premium required to upgrade?

There are other issues with fingerprint biometrics, but these will suffice to show why it has disappointed us.

The promise of iris scans

The solution to these issues seems to be a technology that has been around for some time: iris scans. It addresses the provided list of challenges with decreasing management costs, user resistance, and increasing accuracy.  Before demonstrating the benefits, let’s look at how iris scanning works.

As shown in Figure A (howstuffworks.com, courtesy of Iridian Technologies), the iris is the colored portion of the eye.  It is as individual as a retina or fingerprint. Unlike the retina, which lies at the back of the eye and requires a more intrusive scan, the iris is easily scanned with simple camera technology.

Figure A

Scanning the iris requires no physical contact with the sensor.  As shown in Figure B (Gearfuse.com), an individual simply stands within defined proximity and an image is collected and analyzed.

Figure B

Figure B

The technology used for the scan is typically the same used in digital cameras. And as the technology improves, so does the effectiveness of iris scanners. Today, iris scans are as accurate as finger or hand geometry scans.

Finally, the nature of the technology resists counterfeiting. Is it impossible to defeat it as an access control?  Nothing is impossible. However, the level of effort required today is very, very high.

Still has challenges

As the old adage tells us, nothing is perfect. There are still barriers to wide acceptance of iris scanning as a complete business replacement for other types of biometrics:

  1. The cost is high. The reader shown in Figure B is listed at over $2400. This is a big jump over most fingerprint solutions.
  2. The sensors are somewhat cumbersome to place on a user’s desk for second factor for system login.  Although many vendors do supply a USB cable for PC connectivity, this technology looks like it will be relegated to physical security applications in the short term.

The future of iris scanning

Regardless of the challenges, the popularity of iris scanning—and its cousin, facial recognition technology—is growing.  This is particularly true in physical security applications, like those used at some airports and government installations.

To process large numbers of individuals, a biometrics solution must be fast and non-intrusive. Products like Sarnoff’s Iris On the Move (IOM) (video) allows the scanning of up to 30 people per minute from a distance of several feet. The scanned individuals do not even have to stop. Compare this with an expected throughput of 10 to 15 people per minute with high-end hand or fingerprint scanners.

No-contact scanning is the future of biometrics. Iris scanning is positioned to take a central role.

About

Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be publish...

29 comments
JohnM2SYS
JohnM2SYS

I didn't see any mention of palm vein technology which is a vascular category of biometrics. I would comment that this is also a contactless biometric modality that is catching on in popularity and much more cost effective at the moment than iris recognition. Our studies also show that you are correct that fingerprint hardware sensors are susceptible to increased wear and tear due to end users physically coming into contact with them and raise valid questions of hygenics, however we have been unable to document a single case among our end users of someone who deployed this technology and returned it later on due to this reason. Glad to see iris recognition getting some more coverage and hope this continues to educate the public as to its benefits.

zbatia
zbatia

Perhaps, this issue was already covered by Dan Brown in his book "Angels and Demons" where the hired thief has opened a secret lab with an eye ball of a dead man.

Photogenic Memory
Photogenic Memory

ROFL. This article got me thinking about this video game I played called Aliens versus Predator. I played the Predator and ripped off several researchers heads and used them to open doors that had retinal scanners to reach other levels. It's pretty gruesome but would such a thing work in reality? Would lifeless eyes pass the test? Me thinks not but I don't know why? Also, I have no intention of doing this to anyone. It's just a humorous thought.

stuartc
stuartc

Well at my previous work they had finger print sensors. They never worked for me. I do suffer from very dry skin on my hands and the best they could get was a 50% reading of my fingerprints on the software when scanning my prints. Also as mentioned in this article the fact that you dont know where the previous persons hands were before, thats also just off putting

ErikaBrad
ErikaBrad

Sounds good to me, Much better than Black Thumb!!!

Dr Dij
Dr Dij

I installed one at a major gym in venice. We had the output port hooked to a relay and solenoid. Current was let thru to unlock a turnstyle. The idea was to prevent bodybuilders from giving their membership card to their buddies to workout. We had a turnstyle it controlled which clicked to let them in when positive ID. Problem was that it took too long. minimum 8 seconds or more. So line built up. We went to just swiping their card thru scanner like most Bally's gyms. This takes just about a second. And yes, they can still give their cards to their buddies. Facial recognition is ok but faces change over time. Not sure if one day you'll walk up to it and will say it to you essentially, "you're old now, I don't recognize you" or if you get a broken nose or face lift or other facial surgery it will still recognize you. Anyone had any experience with this?

JCitizen
JCitizen

Thanks Tom! Good information! I rather think facial recognition will surpass retinal scans though. The science on that is improving rapidly, and is getting harder to foil. Now that PC cams are so prevalent, the only significant cost is software. A certain minimum on resolution is required, but that is not that high by today's standard.

Cerebral*Origami
Cerebral*Origami

How to thwart the use of dead fingers. Use infrared to map the blood vessels. This would prevent the use of fake (wax/ inked prints) or dead fingers. My biggest worry with retina scans is the long term exposure to the retina.

Juanita Marquez
Juanita Marquez

From what I understand (unfortunately I don't have the medical literature in front of me), retinas degenerate at 7 minutes after death. This is one of the reasons why full eyeball transplants are currently unfeasable. So a retinal scan would be difficult to achieve unless the eyeball was used immediately. The pupil also dilates at death because the iris muscles are no longer controlled, so an iris scan would be harder to obtain as well. I suppose it may be chemically possible to fix the iris, but I can't think of chemicals which do that off the top of my head. Eyeball curvature affected by enclosure in its socket and surrounding musculature was mentioned earlier. So overall, it may well be safer to do eye scans than I'd previously thought, outside of the radiation/light exposure from the device.

JCitizen
JCitizen

the new facial recognition takes muscle tone, and bone structure into account; kind of like those forensic detectives you see on TV. It would be very difficult to change the face that much, without blowing it away. More than one image is quickly compared, also; which gives it a 3D model to work with.

AnsuGisalas
AnsuGisalas

Total metric! If you take in also posture, movement patterns, ears, eyes, lips - everything is unique... It'd be nonintrusive... and should be pretty fast too. All that is required is the right distill of the features of each parameter.

stevew
stevew

Has anyone considered fooling an eye scanner with a contact lens which had the bio information encoded on the contact and rejected (like beachcomber sunglasses) any light passing through?

Snak
Snak

wouldn't a photograph work just as well as a torn off head, or eyeball? Apologies for silly postioning of this post. I just hit Add Comment.

Dr Dij
Dr Dij

and it should be quicker than iris scanning. Dont' like having contact with body point to spread germs, either. Not that any gym members could possibly have any germs... :)

NexS
NexS

For example, a person begins an 'extra-curricular activity', be it working out, running, yoga, etc. and due to such activities their posture and frame changes? Another way of doing it is to jump into the world of Gataca and use DNA. Or we could have a unique implant inserted into the body which gets scanned. But it would definitely be something that'd have to be done for everyone, probably from birth. Scary thought.

JCitizen
JCitizen

AnsuGisalas. With today's software, you could turn the upper torso into a stick figure that would record attitude of movement, much the way Hollywood animates things digitally. I should think this technology is getting cheaper all the time. The beauty of it, is savings and ROI on equipment; and the scalability toward the future! Nano technology and the way it is read magnetically has already personalized the new magnetic card reading technology. The software uses stoichiometric mathematics to analyze the feedback from such sensing input. Please forgive any spelling mistakes on the technical terms here.

JCitizen
JCitizen

possible. From what I understand about such things, the contact lense would have to be a sophisticated 3D holograph, for such a thing to work; but even then, it would probably be foiled because of the depth measurement the scanner senses. The surface of the iris being somewhat flatter than a curved contact lense, also a problem. I'm pretty sure light wavelength reflected during the scan has to match, also. Even putting a dead person in front of the scanner wouldn't work, because the pressure of the eye creates a certain curvature that is part of the bio-metric measurement. Personally I think facial recognition, which is quickly becoming a solvent science, will quickly eclipses iris/retina scanning, because of the fact that most PCs have cameras now, and the software would be the only thing you would need to purchase. I've been reading that the new and improved facial recognition software is as hard to fool as iris/retina technology.

JCitizen
JCitizen

even wearing a mask molded from the individual will not work with the new technology. Many factors come into play, even though it only takes a newer style PC cam to make it work. From what I gather; (sorry no link), the camera takes more than one photo to make it's comparison, which can give it a 3D comparison model as well. Also it is very sensitive to the points of measurement in the 2D plane, that make any manipulation very difficult for the poser. For example: if you used a death mask taken straight from the original authorized person, it would be warped enough to throw off the measurement. Without the original facial muscle tone, and points of reference, the measurement would always change. Even getting plastic surgery would not throw it off, as the underlying bones structure would still cause a "dead giveaway"! As far as fake eyeballing I address this issue below, in another comment.

JCitizen
JCitizen

compulsive avoid these things in this day of H1N1 flu, and other deadly diseases. I must admit, I am rather clumsy at good practices. I stay away from my elders during flu season, as I know how reckless I am about this type of bio hygiene. Not that I don't take a bath - I just don't wash my hands enough times a day to be really careful! :-&

santeewelding
santeewelding

Allowing your fingernails to grow unabated, are you, like a storied member of the very rich, so as to avoid all contact? (Howard Hughes, run amok)

JCitizen
JCitizen

he should be a publisher! HA! =D

NexS
NexS

Because I think I agree.

JCitizen
JCitizen

I assume you mean, for practical observation, a work of fiction points to a fact(at least).

NexS
NexS

How much is security worth to you? As for DNA imprinting, it'd have to check multiple locations, or such things as a metal detector-type thing, because (and I'll reference it again) Gattaca proves that falsifying tests can be done, albeit difficult.

JCitizen
JCitizen

DNA imprinting is getting truncated more and more in lab equipment design. However, I'm getting more and more against anything left behind, and more for things of outward fact. That way no one can leave something behind that may incriminate you, when you aren't even there. Even amateurs have crafted ways to fool some of the best finger print scanners, and getting DNA samples from people now only requires lifting some saliva from a glass. I am getting more and more interested in facial recognition, where the software can't be fooled by masks, or death masks, etc. Tests against this have resulted in successful rejection of cracking attempts. I like iris or retina scanning, but the equipment is expensive, so far.

JCitizen
JCitizen

as I choke on some of your very ethereal writing! That is a complement, I hope you know! =D

santeewelding
santeewelding

Don't you be worried about spelling. I'm still choking on the words themselves!