Forget fingerprints: Your iris is your new identity
At the entrance to "The Vault," the most secure room within the most protected building operated by security services provider Symantec, an iris recognition system stands guard as the last line of defense.
Employees who make it this far have already swiped an access card and entered a PIN at the building's main door and then submitted a finger to a biometric reader to move beyond the lobby. But the high accuracy rate of iris recognition technology, which uses near-infrared cameras to take a picture of the subject's iris and then applies specialized algorithms to encode the image and match it to an existing record on file, makes it an ideal access control choice. After all, this is the high-security area that holds the cryptographic keys to Symantec's certificate authority business, which provides e-commerce security services to many organizations.
"We have to make sure that no individual can compromise those cryptographic tokens, [and] iris recognition has higher accuracy and less likelihood of false positives," says Paul Meijer, senior director of infrastructure operations at Symantec's identity and authentication division.
Hacking the iris
Is iris recognition vulnerable to hacks? While it's technically possible to create scenarios to fool iris recognition systems, Patrick Grother, director of biometric standards and testing at the National Institute of Standards and Technology (NIST), says pulling it off in the real world would be a challenge.
The possibility of spoofing iris recognition systems was addressed during a 2012 Black Hat conference presentation by Javier Galbally. In his talk (summarized in a story on the Electronic Frontier Foundation's website), Galbally argued that iris recognition systems could be fooled by synthetic images that match digital iris codes linked to real irises.
But the process described would require the hacker to steal a template or iris image for the person the hacker wanted to impersonate and then run an iris recognition algorithm against it repeatedly to produce a digital image that would match the eye of the person whose template was stolen, Grother says. "The paper did not address how to [steal] the biometric data or how to then present it to a system successfully," he says.
Another academic researcher, Oleg Komogortsev at Texas State University, argues that it's possible to take a picture of someone's iris from a distance, create a high-resolution printout and successfully present that to an iris recognition system.
Kogortsev advocates for an alternative approach based on tracking eye movements instead of using a still photo of an iris. But Grother says that in addition the cameras themselves have countermeasures designed to detect paper-based photographic images. And under real-world conditions, eye tracking is difficult. For example, pictures often contain reflections from ambient light on the eye, and you get very little detail for people with brown irises, which absorb light. That's why developers of iris recognition systems use specialized cameras designed to use near-infrared illumination instead of natural light, he says.
Robert L. Mitchell
Symantec's use of iris recognition technology for an access control system in a setting where security requirements are high and cost is no object represents a classic application of the technology. But as prices have come down and the systems have become easier to use, the technology has been slowly gaining ground in more ordinary business settings in industries such as banking and healthcare.
"Cost has perennially been an issue with iris, but this trend is quickly changing," as cameras, recognition algorithms and software have all improved, says Ram Ravi, a research analyst at Frost & Sullivan.
One reason for the rise in innovation that led to those improvements: The 2005 expiration of a key patent on the mathematical representation of the iris that previously limited what competitors could do. Since that time, open standards have been developed, says Patrick Grother, director of biometric standards and testing at the National Institute of Standards and Technology (NIST).
Until relatively recently, iris recognition systems were mostly deployed by governments, not by businesses, partly because they're so expensive. The largest use of iris recognition today is the Unique Identification Authority of India (UIDAI) project. That initiative, recently recognized by the Computerworld Honors Program, includes iris recognition as part of a national ID system designed to help provide social services for 400 million citizens.
The technology is now making its way to the consumer end of the spectrum. "The use of iris recognition in mobile phones is expected to see a considerable uptake," Ravi says.
AOptix Technologies, a Campbell, Calif.-based maker of identity verification systems, recently released a software development kit for biometric identification technologies for Apple's iOS mobile operating system. That move, combined with the introduction of fingerprint biometrics in the new iPhone 5S and rumors of a biometric application for Google Glass, will serve to increase interest in all biometrics, including iris recognition, says Nandini Bhattacharya, a senior research analyst at Frost & Sullivan. "Apple, AOptix and Google Glass are just the beginning of this trend. Other mobile manufacturers are likely to soon follow," she says.
The FBI is on the cusp of adding iris images to its database of criminal fingerprints. As part of it Next Generation Identification (NGI) project, which is gradually modernizing the aging Integrated Automated Fingerprint ID System, the agency plans to launch a pilot next summer that could lead to the creation of a nationwide iris identity database for tracking criminals.
Under the lid
Unlike the retina scans you see in the movies, which shine a bright light through the pupil to capture images of blood vessel patterns at the back of the eye, iris recognition uses a camera to take a photograph of the iris -- the colored portion of the eye.
During fetal development, the eye goes through a process called chaotic morphogenesis that gives each iris its unique appearance. "When the optic nerve comes out of the brain, it essentially pumps out the eyeball, which rips and tears. Striations in the iris are the result of that," says Neil Norman, founder of Human Recognition Systems (HRS) in Liverpool, England.
Iris recognition systems are extremely accurate; they're 100,000 times less likely to produce a false match than facial recognition systems, Grother says. Other benefits: the matching process is very fast and, unlike faces, the eye doesn't change much with age.
NIST recently completed a study on the subject of iris recognition. While face photos on passports are generally replaced every five or 10 years, "the iris is good for decades," Grother says. And because each eye has a unique pattern, vendors offer dual-eye systems, such as the one used in Symantec's Vault, for even higher accuracy. "Ten fingerprints are the gold standard for identification. A pair of irises are at least equivalent to eight or 10 fingers, and maybe more," Grother says.
But accuracy also depends on the integrity of the data, he cautions. While iris recognition technology doesn't require physical body contact (which is considered a plus), it does require the cooperation of the individual, and the type of system used can greatly affect accuracy. "If I take the image with a cellphone camera, the error rate will be much worse," Grother says.
Iris recognition systems need to overcome environmental issues such as reflections, bright sunlight, thick eyeglasses, colored contact lenses and eye conditions that may cause dilation or other changes in the iris. Today, "state-of-the-art iris recognition systems can deal with all of these," says Brian Martin, director of biometric research at MorphoTrust, a developer of identity verification systems in Billerica, Mass.
Functionally, iris recognition cameras aren't much different from digital SLR cameras, except that the light filters over the sensors allow near-infrared light to pass through instead of visible light, says Martin.
Iris recognition systems encode the entire eye structure, following an open standard. And because the process doesn't focus on detailed feature points, a gray-scale 640-x-480-pixel image is sufficient. That's one reason why the recognition algorithms can speedily process data and respond quickly. "The old VGA format turns out to be all you need. High resolution is not needed, and in fact would slow things down," says Grother.
Sophisticated, high-end cameras capable of capturing images at distances of two meters can cost $30,000 or more, but other models suitable for business use that operate at close range may run as little as a few hundred dollars.
EyeLock, a developer of iris recognition systems in San Juan, Puerto Rico, is designing a consumer-grade system that can be added to tablets and mobile phones at a low enough cost that it shouldn't require an increase in the price of the product, according to chief marketing officer Tony Antolino. EyeLock is a member of the Fast Identity Online Alliance, an industry consortium developing open interoperability standards for iris recognition and other biometric authentication methods for use with online services.
Can iris recognition systems be fooled? While iris recognition has generally been considered extremely secure, academic researchers have come up with scenarios under which the systems could be hacked. But Grother doubts that those scenarios would work in the real world (see "Hacking the Iris").
Banking by eye
For Kamal Al-Bakri, who as general manager at Cairo Amman Bank oversaw the installation of an iris recognition system at 80 branches and 100 ATM locations in Jordan, fraud has not been an issue. "We've done more than a million transactions since 2009 with zero fraudulent transactions," he says. The bank recently upgraded to more-accurate dual-eye readers from IrisGuard in Buckinghamshire, England, "to sustain our position as a leader" as competing banks start to use similar technology, he adds.
In Amman, people must present a government ID when banking -- a driver's license isn't sufficient -- but not everyone remembers to bring their IDs when they make a trip to the bank. So Cairo Amman Bank gave its customers the option of registering with its iris recognition system and using it at both the teller window and at ATMs. Customers initially had concerns, such as whether the system would somehow affect their eyes, so the bank put out a flyer with answers to common questions. Today half of its customers use the technology.
The system isn't just more secure, Al-Bakri says, it's more efficient. With iris recognition, the average time per transaction at the teller window is one minute versus four minutes using traditional authentication methods. As more customers opted for iris recognition, the bank found that it could reduce branch staffing levels from four tellers to two.
The latest cameras are smaller and less expensive than the models the bank deployed with its first system a few years ago, Al-Bakri says, but they're still not cheap -- and neither was the integration project required to get the cameras, ATMs and core banking systems to work together. Al-Bakri declined to discuss costs for competitive reasons. But IrisGuard senior vice president and COO Joe O'Carroll did say that the cost of a fully integrated vertical market deployment varies depending on the systems that must be connected. The average cost ranges from $3 to $6 per bank customer, he says.
"But the cost is irrelevant when compared to the risk you're facing when you use a card and password," Al-Bakri says. "Look at what you're gaining from the system, not just what you're paying for it."
Faster gates at Gatwick
Speed and ease of use were key reasons why Gatwick Airport in London added a passenger authentication system that uses iris recognition technology a little more than two years ago. The airport has a departure lounge where both international and domestic passengers congregate prior to boarding. "We had to ensure that people who are traveling domestically stick to their flights and don't swap tickets," says David Rees, IT program lead at the airport.
Now users scan their boarding passes at the security gate, and a video system on a "bio pole" tells them where to look as a camera takes a facial photo and an iris image from a distance of up to two meters (6.5 feet). Once the self-service process has completed, the gate opens automatically. The system then uses the iris data to authenticate passengers at each gate as they line up to board their respective planes.
The system handles as many as 3,000 people per hour during peak travel times, and an average of 30,000 to 35,000 people pass through the system each day. "It's very effective," Rees says. The airport just completed a revamp of the system, provided by Human Recognition Systems, integrating it with an enterprise service bus that exchanges data in real time with other systems used to check flights and passengers. "It's not just sticking some cameras onto a pole," he says. "There's a lot of infrastructure that needs to be in place."
The cost of cameras for an application like the one at Gatwick can range from $10,000 to $65,000. Gatwick's system uses AOptix InSight models, and the airport has 34 of them, says HRS's Norman.
"These are expensive cameras," Rees admits, but the airport needs high-quality equipment to capture images at a distance and process them quickly. The cameras include features such as optic mirrors that move to automatically accommodate people of different heights.
The trick with systems designed to capture iris images at a distance, Rees says, is to use techniques such as "dynamic signage" or flashing alerts to draw the user's attention to the camera, rather than just trying to solve image acquisition issues through improved optics or better algorithms. "By changing the way we call attention to the camera, we have increased the [iris image] acquisition success rate by 25%," he says.
The system works by automatically locating a passenger's face and capturing the iris pattern while the video offers simple instructions, such as "Please look up" and "Please stand still, thank you" and "Please proceed," according to Rees.
At Symantec, Meijer says the closer-range binocular-style cameras used in the latest version of its iris recognition system have also improved considerably. "Before, you had to manually adjust the mirrors to line up with your eye," he explains. "Now it remembers you when you scan your badge. It's more user-friendly."
Iris-centric law enforcement in Missouri
While most organizations use iris recognition as an additional authentication resource, law enforcement agencies in Missouri have made the technology central to everything they do. Missouri was the first state to use iris recognition as the core platform on which to build a statewide law enforcement records management and jail records management system for tracking people as they pass through the criminal justice system, says Mick Covington, director of the Missouri Sherriffs' Association.
The new system, purchased from MorphoTrust and used by sheriff's offices and the Missouri Department of Corrections, starts tracking people the moment they're arrested and booked.
"When someone comes into one of our jails, you get a read back in three seconds that tells you who they are and where they were last," Covington says. Deployed in 55 of the state's 115 counties to date, the system is used by county jails to, for example, identify people, check them in and out for court dates, and make sure medication is delivered to the right person at the right time.
The system will eventually upload iris data to a state repository that will in turn upload the data to the FBI's NGI database. The fact that the system doesn't require touching the individual is an advantage in a prison setting, Covington says, and the technology requires minimal staff training. "The quality of the images is much better now," he says. "And the machines are more user-friendly and more durable. They're cop-proof."
Iris recognition technology is continuing to evolve and outgrow its spy novel image, as is the manner in which users interact -- or don't interact -- with the systems. The technology is moving beyond what HRS's Norman calls a "coerced method of acquisition" -- exemplified by the types of systems historically used at border crossings and in prisons -- to a more social technology. "Social is if I go to a store and take a soda from a machine using a biometric," he says. "We're on the edge of moving into a personalization stage and away from this security/paranoia type of application. That's the next phase."