Skip the navigation

Forget fingerprints: Your iris is your new identity

Iris recognition finally seems ready to break into the mainstream.

September 30, 2013 06:00 AM ET

Computerworld - At the entrance to "The Vault," the most secure room within the most protected building operated by security services provider Symantec, an iris recognition system stands guard as the last line of defense.

Symantec's vault room
This dual-eye camera guards the entrance to Symantec's "Vault." The LG IrisAccess camera moves to point itself at the users face. The list price for a camera like this is about $3,000.

Employees who make it this far have already swiped an access card and entered a PIN at the building's main door and then submitted a finger to a biometric reader to move beyond the lobby. But the high accuracy rate of iris recognition technology, which uses near-infrared cameras to take a picture of the subject's iris and then applies specialized algorithms to encode the image and match it to an existing record on file, makes it an ideal access control choice. After all, this is the high-security area that holds the cryptographic keys to Symantec's certificate authority business, which provides e-commerce security services to many organizations.

"We have to make sure that no individual can compromise those cryptographic tokens, [and] iris recognition has higher accuracy and less likelihood of false positives," says Paul Meijer, senior director of infrastructure operations at Symantec's identity and authentication division.

Hacking the iris

Is iris recognition vulnerable to hacks? While it's technically possible to create scenarios to fool iris recognition systems, Patrick Grother, director of biometric standards and testing at the National Institute of Standards and Technology (NIST), says pulling it off in the real world would be a challenge.

The possibility of spoofing iris recognition systems was addressed during a 2012 Black Hat conference presentation by Javier Galbally. In his talk (summarized in a story on the Electronic Frontier Foundation's website), Galbally argued that iris recognition systems could be fooled by synthetic images that match digital iris codes linked to real irises.

But the process described would require the hacker to steal a template or iris image for the person the hacker wanted to impersonate and then run an iris recognition algorithm against it repeatedly to produce a digital image that would match the eye of the person whose template was stolen, Grother says. "The paper did not address how to [steal] the biometric data or how to then present it to a system successfully," he says.

Another academic researcher, Oleg Komogortsev at Texas State University, argues that it's possible to take a picture of someone's iris from a distance, create a high-resolution printout and successfully present that to an iris recognition system.

Kogortsev advocates for an alternative approach based on tracking eye movements instead of using a still photo of an iris. But Grother says that in addition the cameras themselves have countermeasures designed to detect paper-based photographic images. And under real-world conditions, eye tracking is difficult. For example, pictures often contain reflections from ambient light on the eye, and you get very little detail for people with brown irises, which absorb light. That's why developers of iris recognition systems use specialized cameras designed to use near-infrared illumination instead of natural light, he says.

Robert L. Mitchell

Symantec's use of iris recognition technology for an access control system in a setting where security requirements are high and cost is no object represents a classic application of the technology. But as prices have come down and the systems have become easier to use, the technology has been slowly gaining ground in more ordinary business settings in industries such as banking and healthcare.

"Cost has perennially been an issue with iris, but this trend is quickly changing," as cameras, recognition algorithms and software have all improved, says Ram Ravi, a research analyst at Frost & Sullivan.

One reason for the rise in innovation that led to those improvements: The 2005 expiration of a key patent on the mathematical representation of the iris that previously limited what competitors could do. Since that time, open standards have been developed, says Patrick Grother, director of biometric standards and testing at the National Institute of Standards and Technology (NIST).