Biometrics has received a lot of bad press during its short life. Fingerprint technologies have issues many businesses, and security professionals, would rather not deal with. And then there is the cost. So is there a technology that may provide security, involve low maintenance costs, minimize management headaches, and is acceptable to users?
The problem with fingerprints
Fingerprint scanning solutions promised a panacea for the tired and embattled password. Either as a standalone solution or as a supporting second-factor for authentication, use of a fingerprint is superficially a great idea. However, the years have shown that early implementers faced challenges still present today:
- Sensors cost money. This is okay if they work as advertised. However, the remaining bullets represent hidden costs in addition to those of software and hardware.
- Users much touch the sensor. In a manufacturing or other environment with impurities in the air and on hands, the sensor quickly becomes unusable. If not unusable, then it is often frustrating to users standing in line while people in front of them try repeatedly before getting a positive response from the system. Further, today's user is cognizant of the risks associated with touching something used by others. No one knows where the finger has been nor whether a previous user is suffering from a disease capable of hand or other surface transmission. And even if the risk is actually low, user perception may not agree with management's acceptance of it.
- And then there is the security issue. Time and again individuals have demonstrated how to "fool" a fingerprint system. Yes, there are solutions with a very high resistance to such attacks. But how many businesses are willing to spend the premium required to upgrade?
There are other issues with fingerprint biometrics, but these will suffice to show why it has disappointed us.
The promise of iris scans
The solution to these issues seems to be a technology that has been around for some time: iris scans. It addresses the provided list of challenges with decreasing management costs, user resistance, and increasing accuracy. Before demonstrating the benefits, let's look at how iris scanning works.As shown in Figure A (howstuffworks.com, courtesy of Iridian Technologies), the iris is the colored portion of the eye. It is as individual as a retina or fingerprint. Unlike the retina, which lies at the back of the eye and requires a more intrusive scan, the iris is easily scanned with simple camera technology.
Figure AGearfuse.com), an individual simply stands within defined proximity and an image is collected and analyzed.
The technology used for the scan is typically the same used in digital cameras. And as the technology improves, so does the effectiveness of iris scanners. Today, iris scans are as accurate as finger or hand geometry scans.
Finally, the nature of the technology resists counterfeiting. Is it impossible to defeat it as an access control? Nothing is impossible. However, the level of effort required today is very, very high.Still has challenges
As the old adage tells us, nothing is perfect. There are still barriers to wide acceptance of iris scanning as a complete business replacement for other types of biometrics:
- The cost is high. The reader shown in Figure B is listed at over $2400. This is a big jump over most fingerprint solutions.
- The sensors are somewhat cumbersome to place on a user's desk for second factor for system login. Although many vendors do supply a USB cable for PC connectivity, this technology looks like it will be relegated to physical security applications in the short term.
The future of iris scanning
Regardless of the challenges, the popularity of iris scanning—and its cousin, facial recognition technology—is growing. This is particularly true in physical security applications, like those used at some airports and government installations.
To process large numbers of individuals, a biometrics solution must be fast and non-intrusive. Products like Sarnoff's Iris On the Move (IOM) (video) allows the scanning of up to 30 people per minute from a distance of several feet. The scanned individuals do not even have to stop. Compare this with an expected throughput of 10 to 15 people per minute with high-end hand or fingerprint scanners.
No-contact scanning is the future of biometrics. Iris scanning is positioned to take a central role.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.