November 08, 2013, 12:52 PM — At the entrance to "The Vault," the most secure room within the most protected building operated by security services provider Symantec, an iris recognition system stands guard as the last line of defense.
Employees who make it this far have already swiped access cards and entered PINs at the building's main door, and then placed their fingers in a biometric reader to move beyond the lobby. But the high accuracy rate of iris recognition technology, which uses near-infrared cameras to take a picture of a subject's iris and then applies specialized algorithms to encode the image and match it to an existing record on file, makes it an ideal access control choice at this point. After all, this high-security area holds the cryptographic keys to Symantec's certificate authority business, which provides e-commerce security services to many organizations.
"We have to make sure that no individual can compromise those cryptographic tokens, [and] iris recognition has higher accuracy and less likelihood of false positives," says Paul Meijer, senior director of infrastructure operations at Symantec's identity and authentication division.
Symantec's use of iris recognition technology for an access control system in a setting where security requirements are high and cost is no object represents a classic application of the technology. But as prices have come down and the systems have become easier to use, the technology has been slowly gaining ground in more ordinary business settings in industries such as banking and healthcare.
"Cost has perennially been an issue with iris, but this trend is quickly changing," as cameras, recognition algorithms and software have all improved, says Ram Ravi, a research analyst at Frost & Sullivan.
One reason for the rise in innovation that led to those improvements: the 2005 expiration of a key patent on the mathematical representation of the iris that previously limited what competitors could do. Since that time, open standards have been developed, says Patrick Grother, director of biometric standards and testing at the National Institute of Standards and Technology (NIST).
Until relatively recently, iris recognition systems were mostly deployed by governments, not by businesses, partly because they're so expensive. The largest use of iris recognition today is the Unique Identification Authority of India (UIDAI) project. That initiative, recently recognized by the Computerworld Honors Program, includes iris recognition as part of a national ID system designed to help provide social services for 400 million citizens.
The technology is now making its way to the consumer end of the spectrum. "The use of iris recognition in mobile phones is expected to see a considerable uptake," Ravi says.
AOptix Technologies, a maker of identity verification systems, recently released a software development kit for biometric identification technologies for Apple's iOS mobile operating system. That move, combined with the introduction of fingerprint biometrics in the new iPhone 5S and rumors of a biometric application for Google Glass, will serve to increase interest in all biometrics, including iris recognition, says Nandini Bhattacharya, a senior research analyst at Frost & Sullivan. "Apple, AOptix and Google Glass are just the beginning of this trend. Other mobile manufacturers are likely to soon follow," she says.
Under the Lid
Unlike the retina scans you see in the movies, which shine a bright light through the pupil to capture images of blood vessel patterns at the back of the eye, iris recognition uses a camera to take a photograph of the iris -- the colored portion of the eye.
During fetal development, the eye goes through a process called chaotic morphogenesis that gives each iris its unique appearance. "When the optic nerve comes out of the brain, it essentially pumps out the eyeball, which rips and tears. Striations in the iris are the result of that," says Neil Norman, founder of Human Recognition Systems (HRS).
Iris recognition systems are extremely accurate; they're 100,000 times less likely to produce a false match than facial recognition systems, Grother says. Other benefits: The matching process is very fast and, unlike faces, the eye doesn't change much with age.
NIST recently completed a study on the subject of iris recognition. While face photos on passports are generally replaced every five to 10 years, "the iris is good for decades," Grother says. And because each eye has a unique pattern, vendors offer dual-eye systems, such as the one used in Symantec's Vault, for even higher accuracy. "Ten fingerprints are the gold standard for identification. A pair of irises are at least equivalent to eight or 10 fingers, and maybe more," Grother says.
But accuracy also depends on the integrity of the data, he cautions. While iris recognition technology doesn't require physical body contact (which is considered a plus), it does require the cooperation of the individual, and the type of system used can greatly affect accuracy. "If I take the image with a cellphone camera, the error rate will be much worse," Grother says.
Iris recognition systems need to overcome environmental issues such as reflections, bright sunlight, thick eyeglasses, colored contact lenses and eye conditions that may cause dilation or other changes in the iris. Today, "state-of-the-art iris recognition systems can deal with all of these," says Brian Martin, director of biometric research at MorphoTrust, a developer of identity verification systems.
Functionally, iris recognition cameras aren't much different from digital SLR cameras, except that the light filters over the sensors allow near-infrared light to pass through instead of visible light, says Martin.
Iris recognition systems encode the entire eye structure, following an open standard. And because the process doesn't focus on detailed feature points, a grayscale 640-x-480-pixel image is sufficient. That's one reason why the recognition algorithms can speedily process data and respond quickly. "The old VGA format turns out to be all you need. High resolution is not needed, and in fact would slow things down," says Grother.
Sophisticated, high-end cameras capable of capturing images at distances of 2 meters can cost $30,000 or more, but other models suitable for business use that operate at close range may run as little as a few hundred dollars.
Banking by Eye
For Kamal Al-Bakri, who as general manager at Cairo Amman Bank oversaw the installation of an iris recognition system at 80 branches and 100 ATM locations in Jordan, fraud hasn't been an issue. "We've done more than a million transactions since 2009 with zero fraudulent transactions," he says. The bank recently upgraded to more-accurate dual-eye readers from IrisGuard in Buckinghamshire, England, "to sustain our position as a leader" as competing banks start to use similar technology, he adds.
In Amman, people must present a government ID when banking -- a driver's license isn't sufficient -- but not everyone remembers to bring their IDs when they make a trip to the bank. So Cairo Amman Bank gave its customers the option of registering with its iris recognition system and using it at both the teller window and at ATMs. Customers initially had concerns -- some wondered whether the system would somehow affect their eyes, for example -- so the bank issued a flier with answers to common questions. Today half of its customers use the technology.
The system isn't just more secure, Al-Bakri says; it's also more efficient. With iris recognition, the average time per transaction at the teller window is one minute versus four minutes using traditional authentication methods. As more customers opted for iris recognition, the bank found that it could reduce branch staffing levels from four tellers to two.
Speed and ease of use were key reasons why Gatwick Airport in London added a passenger authentication system that uses iris recognition technology a little more than two years ago. The airport has a departure lounge where both international and domestic passengers congregate prior to boarding. "We had to ensure that people who are traveling domestically stick to their flights and don't swap tickets," says David Rees, IT program lead at the airport.
Now users scan their boarding passes at the security gate, and a video system on a "bio pole" tells them where to look as a camera takes a facial photo and an iris image from a distance of up to 2 meters (6.5 feet). Once the self-service process has completed, the gate opens automatically. The system then uses the iris data to authenticate passengers at each gate as they line up to board their flights.
The system handles as many as 3,000 people per hour during peak times, and an average of 30,000 to 35,000 people each day. "It's very effective," Rees says. The airport just completed a revamp of the system, provided by HRS, integrating it with an enterprise service bus that exchanges data in real time with other systems used to check flights and passengers. "It's not just sticking some cameras onto a pole," he says. "There's a lot of infrastructure that needs to be in place."
Hacking the Iris
Is iris recognition vulnerable to hacks? While it's technically possible to create scenarios to fool iris recognition systems, Patrick Grother, director of biometric standards and testing at NIST, says pulling it off in the real world would be a challenge.
The possibility of spoofing iris recognition systems was addressed during a 2012 Black Hat conference presentation by Javier Galbally. In his talk (summarized in a story on the Electronic Frontier Foundation's website), Galbally argued that iris recognition systems could be fooled by synthetic images that match digital iris codes linked to real irises.
But the process described would require the hacker to steal a template or iris image for the person the hacker wanted to impersonate and then run an iris recognition algorithm against it repeatedly to produce a digital image that would match the eye of the person whose template was stolen, Grother says. "The paper did not address how to [steal] the biometric data or how to then present it to a system successfully," he says.
Another academic researcher, Oleg Komogortsev at Texas State University, argues that it's possible to take a picture of someone's iris from a distance, create a high-resolution printout and successfully present that to an iris recognition system.
Komogortsev advocates for an alternative approach based on tracking eye movements instead of using a still photo of an iris. But Grother says that the cameras themselves have countermeasures designed to detect paper-based photographic images. And under real-world conditions, eye tracking is difficult. For example, pictures often contain reflections from ambient light on the eye, and you get very little detail for people with brown irises, which absorb light. That's why developers of iris recognition systems use specialized cameras designed to use near-infrared illumination instead of natural light, he says.
The cost of cameras for an application like the one at Gatwick can range from $10,000 to $65,000. Gatwick's system uses AOptix InSight models, and the airport has 34 of them, says HRS's Norman.
The system works by automatically locating a passenger's face and capturing the iris pattern while the video offers simple instructions, such as "Please look up" and "Please stand still" and "Please proceed," according to Rees.
At Symantec, Meijer says the closer-range binocular-style cameras used in the latest version of its iris recognition system have also improved considerably. "Before, you had to manually adjust the mirrors to line up with your eye," he explains. "Now it remembers you when you scan your badge. It's more user-friendly."
Iris-centric Law Enforcement
While most organizations use iris recognition as an additional authentication resource, law enforcement agencies in Missouri have made the technology central to everything they do. Missouri was the first state to use iris recognition as the core platform on which to build a statewide law enforcement records management and jail records management system for tracking people as they pass through the criminal justice system, says Mick Covington, director of the Missouri Sheriffs' Association.
The new system, purchased from MorphoTrust and used by sheriff's offices and the Missouri Department of Corrections, starts tracking people the moment they're arrested and booked.
"When someone comes into one of our jails, you get a read back in three seconds that tells you who they are and where they were last," Covington says. Deployed in 55 of the state's 115 counties to date, the system is used by county jails to, for example, identify people, check them in and out for court dates, and make sure medication is delivered to the right person at the right time.
The system will eventually upload iris data to a state repository that will in turn upload the data to the FBI's Next Generation Identification (NGI) database. The fact that the system doesn't require touching the individual is an advantage in a prison setting, Covington says, and the technology requires minimal staff training. "The quality of the images is much better now," he says. "And the machines are more user-friendly and more durable. They're cop-proof."
Iris recognition technology is continuing to evolve and outgrow its spy novel image, as is the manner in which users interact -- or don't interact -- with the systems. The technology is moving beyond what HRS's Norman calls a "coerced method of acquisition" -- exemplified by the types of systems historically used at border crossings and in prisons -- to a more social technology. "Social is if I go to a store and take a soda from a machine using a biometric," he says. "We're on the edge of moving into a personalization stage and away from this security/paranoia type of application. That's the next phase."
Read more about security in Computerworld's Security Topic Center.