Forget Fingerprints: Your Iris is Your New Identity
Mon, September 30, 2013
Computerworld — At the entrance to "The Vault," the most secure room within the most protected building operated by security services provider Symantec, an iris recognition system stands guard as the last line of defense.
Employees who make it this far have already swiped an access card and entered a PIN at the building's main door and then submitted a finger to a biometric reader to move beyond the lobby. But the high accuracy rate of iris recognition technology, which uses near-infrared cameras to take a picture of the subject's iris and then applies specialized algorithms to encode the image and match it to an existing record on file, makes it an ideal access control choice. After all, this is the high-security area that holds the cryptographic keys to Symantec's certificate authority business, which provides e-commerce security services to many organizations.
"We have to make sure that no individual can compromise those cryptographic tokens, [and] iris recognition has higher accuracy and less likelihood of false positives," says Paul Meijer, senior director of infrastructure operations at Symantec's identity and authentication division.
Hacking the iris
Is iris recognition vulnerable to hacks? While it's technically possible to create scenarios to fool iris recognition systems, Patrick Grother, director of biometric standards and testing at the National Institute of Standards and Technology (NIST), says pulling it off in the real world would be a challenge.
The possibility of spoofing iris recognition systems was addressed during a 2012 Black Hat conference presentation by Javier Galbally. In his talk (summarized in a story on the Electronic Frontier Foundation's website), Galbally argued that iris recognition systems could be fooled by synthetic images that match digital iris codes linked to real irises.
But the process described would require the hacker to steal a template or iris image for the person the hacker wanted to impersonate and then run an iris recognition algorithm against it repeatedly to produce a digital image that would match the eye of the person whose template was stolen, Grother says. "The paper did not address how to [steal] the biometric data or how to then present it to a system successfully," he says.
Another academic researcher, Oleg Komogortsev at Texas State University, argues that it's possible to take a picture of someone's iris from a distance, create a high-resolution printout and successfully present that to an iris recognition system.
Komogortsev advocates for an alternative approach based on tracking eye movements instead of using a still photo of an iris. But Grother says that, in addition, the cameras themselves have countermeasures designed to detect paper-based photographic images. And under real-world conditions, eye tracking is difficult. For example, pictures often contain reflections from ambient light on the eye, and you get very little detail for people with brown irises, which absorb light. That's why developers of iris recognition systems use specialized cameras designed to use near-infrared illumination instead of natural light, he says.