Slashdot Mirror

← Back to Stories (view on slashdot.org)

DIY Iris Scanning?

Posted by ryuzaki0 on from the home-made-security dept.

gadzook33 asks: "There have been rumors floating around about DIY iris scanning, using digital cameras for biometric security. Iris scanning presents a fantastic alternative to password-based authentication but hasn't really come to our desktops yet. I've looked around but can't find any concrete material on the subject. Is anyone doing this? Are there any efforts to develop open software for this sort of thing? Are patents holding things up? Given that passwords are an almost defunct technique for protecting data in certain situations, it would be nice to have an alternative."

54 comments

  1. Don't Look! by SEWilco · · Score: 0, Offtopic

    When I first tried to read this article and got "Nothing for you to see here. Please move along."

    1. Re:Don't Look! by __aaclcg7560 · · Score: 1

      You failed the DIY iris scanner test. You need to pluck out an eyeball and wave it around in front of the scanner's TP cardboard tube for it to register. A typical newbie problem.

    2. Re:Don't Look! by rts008 · · Score: 2, Funny

      RTFM, n00b!
      Oh, and carry a few spare eyeballs with you- you know...backups!

      --
      Down With Slashdot BETA!!! I've been around the corner and seen the oliphant; you can only abuse me from your perspecti
    3. Re:Don't Look! by WilliamSChips · · Score: 1

      My guess? They hadn't yet said "Open the iris!"

      --
      Please, for the good of Humanity, vote Obama.
    4. Re:Don't Look! by Anonymous Coward · · Score: 0

      You can't gouge out an eye to fool a retinal scanner. The eye deteriorates too rapidly to make that a practical option.

  2. eye scanner by indy_Muad'Dib · · Score: 2, Insightful

    it seems to be quite possible with a very high resolution camera, something +4mpixels

    1. Re:eye scanner by cloricus · · Score: 1

      I'm guessing Digg is down as the last few news stories seem to have Diggs level of comments...

      The problems I see with using cameras to take the picture is you'd have to have some form of size reference to do the mapping and have some points that align the sample to be compared. Lighting and visual mistake could also cause problems. On top of that dealing with damage (short or long term) to the eye would be a huge problem...Imagine a scratch to your eye or if you had a blood shot eye. So in reality passwords are needed for this situation anyway which makes doing some thing like this, at least home brew, a waste of time in the near future until the tech gets better.

      The simple solution is to rely on pass phrases for the short term and do some thing about your paranoia. :)

      --
      I ate your fish.
  3. Why would I want to... by YowzaTheYuzzum · · Score: 4, Funny

    ... give anyone an incentive to gouge out my eyeballs?

    1. Re:Why would I want to... by Anonymous Coward · · Score: 0

      For real. Hasn't anyone seen Demolition Man?

    2. Re:Why would I want to... by __aaclcg7560 · · Score: 1

      Or Minority Report?

    3. Re:Why would I want to... by ResidntGeek · · Score: 1

      Or Angels and Demons?

      --
      ResidntGeek
    4. Re:Why would I want to... by slidersv · · Score: 1

      or Spaceballs

      --
      there is no issue with my network
  4. Better than retina scanning by jamesh · · Score: 5, Funny

    which is where you use a laser to illuminate the back of the eye, and a camera to take a picture of the illuminated retina and then use some sophisticated pattern matching to recognize the unique pattern of scars left by previous scans.

    1. Re:Better than retina scanning by bash_finger · · Score: 0

      Warning do not look into laser with remaining eye

    2. Re:Better than retina scanning by cerberusss · · Score: 1
      and then use some sophisticated pattern matching to recognize the unique pattern of scars left by previous scans
      I dare anyone to write a regex for this.
      --
      8 of 13 people found this answer helpful. Did you?
    3. Re:Better than retina scanning by fyonn · · Score: 3, Interesting

      Retina scans are not likely to injure you, but are considered less acceptable than iris scanning as it gives away too much information. Yes, it can uniquely identify you, but it can also divulge various health issues and show if you're pregnant. This is usually information that employees prefer to reveal on their own, than have the door security guard congratulate or commiserate them about information that they haven't told their partner about yet, or might not even know them selves.

      dave

    4. Re:Better than retina scanning by fyonn · · Score: 2, Interesting

      and of course, it could also be used to affect your future career or health insurance as it reveals to your company things such as high blood pressure, diabetes, drugs use and leukemia. hell, even aids and syphilis.

      things most people would rather keep to themselves.

      dave

    5. Re:Better than retina scanning by cr0sh · · Score: 1

      I was under the impression that retinal scans were less acceptable because they were more invasive. From what I understand, in order for the system to get an accurate scan, it has to keep your eyeball immobile. To do that, a vacuum ring is used, the scan occurs, then the vacuum is released. In other words, the machine requires you to open your eye really wide, then it touches and holds onto your eyeball for a brief moment while it scans the retina. Between this discomfort, and the chance for infectious eye problems being passed between users, retinal scanning has been "back-burnered". Retinal scans are thus only used where the required security needs outweighs the comfort (during or after scanning) of the user.

      --
      Reason is the Path to God - Anon
    6. Re:Better than retina scanning by putigger · · Score: 1

      I work for a biometrics company. There was one product on the market a number of years ago that used a laser. However, one can image the retina for biometric purposes without a laser. In addition, the concept has NEVER been to scar the eye - you simply look at the blood vessels, which are clearly visible. This is no different than with finger and palm vein systems which use infrared to look at blood vessels under the skin. Retinal imaging has a number of advantages from a security point of view, among them being nearly spoof-proof in practice.

    7. Re:Better than retina scanning by putigger · · Score: 1

      What you're talking about is simply one retinal imaging system. See Retica Systems for a company that has a non-contact, non-invasive system.

    8. Re:Better than retina scanning by cr0sh · · Score: 1

      Interesting! I didn't know this - thank you for the link. Looks like (in some manner) they are using the eye's own lens to image the retina - that can't be easy (whether doable by DIY or not is unknown)...

      --
      Reason is the Path to God - Anon
    9. Re:Better than retina scanning by jamesh · · Score: 1

      Was my attempt at humor really that unobvious?

  5. really? by Unknown_monkey · · Score: 5, Funny

    Out of all the things to DIY, what would drive you towards a DIY project involving possibly lasers or bright LEDs and your eyes? Some things you shouldn't go bargain on, like never buy the cheap toiler paper. For both my eyes and my brown eye, I think it's worth spending the cash for premium.

    --
    Why are women so complicated? Find out how little I know here.
    1. Re:really? by jamesh · · Score: 3, Insightful

      This iris is the front part of the eye (See here). No need for any special sort of illumination above a light bulb. The Iris Recognition article on wikipedia is also somewhat informative, it even mentions the problem of cosmetic contact lenses.

    2. Re:really? by sumdumass · · Score: 1

      I wonder, I have eyes that used to change color about every three weeks. It would go between shades of green to blues. Now it takes longer to notice a change but it still does it every so often. Now, If the colors are included in the scan, I could be locked out but what if something happens and the lens above the eye becomes scratched, wouldn't that give false reading too? I'm not talking anything extravigant either, get some dust in your eye and the first rection is to rub it, you could possibly scratch it without knowing.

      Is eye scanning recognition that advanced so it could account for stuff like this on a regular basis? And would this some what allow false psoitives in some other cases>?

    3. Re:really? by Copid · · Score: 1
      I wonder, I have eyes that used to change color about every three weeks. It would go between shades of green to blues. Now it takes longer to notice a change but it still does it every so often. Now, If the colors are included in the scan, I could be locked out but what if something happens and the lens above the eye becomes scratched, wouldn't that give false reading too? I'm not talking anything extravigant either, get some dust in your eye and the first rection is to rub it, you could possibly scratch it without knowing.
      None of those would be a serious problem. The color of the eye isn't really an issue. The scanning system typically works in the near infrared spectrum and is basically analzying texture. There is some difference between darker and lighter eyes, but that has more to do with how much texture is easily extracted, not the actual values extracted. As for scratches, the algorithms most commonly use gabor wavelets, which wouldn't really have significant responses to minor scratches.

      Is eye scanning recognition that advanced so it could account for stuff like this on a regular basis? And would this some what allow false psoitives in some other cases?
      Definitely. It should also be noted that "false positives" (as opposed to the more common failure to match) are vanishingly rare with iris recognition. So rare that even if it were widely adopted, most people would never see it actually occur.
      --
      An interesting anagram of "BANACH TARSKI" is "BANACH TARSKI BANACH TARSKI"
  6. Warning sign on scanner by Anonymous Coward · · Score: 0

    Do not look directly at laser with remaining good eye

  7. Not an alternative... by Zadaz · · Score: 4, Insightful
    Iris scanning presents a fantastic alternative to password-based authentication...
    This is an all too common mistake about biometrics. Security should never rely solely on biometric identification. Unlike a password or a physical key, your biometric information can't be changed. Which is its strength, right? No one can change their fingerprint to match yours!

    However, any system can be spoofed or cracked. And if someone figures out how to feed information into a scanner that looks (to it) exactly like my iris, well then I'm fucked. That person is me anywhere they do an iris scan.

    It would be like someone stealing your passwords and you not being able to change them.

    Useful? Yes. But as an additional level of security, not an alternative.

    1. Re:Not an alternative... by ryanhos · · Score: 2, Interesting

      There is merit in your argument. The basic idea of using biometics as a an additional level of security is unimpeachable. However, you miss two key issues in play here.

      1.) A key and irreplaceable component of any authentication instrument is a revocation feature. You state that biometric passwords are not changeable. Biometrics are just as revokable as passwords. In both cases, the user must recognize that the instrument has been compromised and tell his keymaster. In the password case, you simply change the password. In the biometric case, you must remove that instrument from the authentication whitelist. I think what you're trying to get at here is that biometrics, once revoked, cannot be resued. However, your statement: "That person is me anywhere they do an iris scan." is false because the biometric instrument can be revoked. That person is you everywhere they use a password until that is revoked also....

      2.) Biometrics are growing up. Soon the days of simple image processing will be gone. Additional checks like measuring pupil reaction time, eye movement characteristics, blink characteristics, eye pressure, peripheral vision, visual acuity, etc will be implemented. (Press the button when the line-drawing is in focus (using a new image and different focus path each time.); Press the button when the spot comes into your peripheral vision (same randomness, etc.)) Varying the algorithm by which the image processing software recognizes the eye will also harden iris scanning. All of this works to make biometrics an increasingly attractive ADDITIONAL layer of security. I've always been told that the best security check involves two things: something you have, and something you know. Biometrics can work quite well for the "something you have." part.

      --
      "I threw up my hands in disgust and wondered if it had been such a good idea to have eaten my hands in the first place."
    2. Re:Not an alternative... by Vo0k · · Score: 4, Interesting

      "That person is me anywhere they do an iris scan." is true. Except they get "Sorry, you don't have a clearance" as a reply, just like you do. If a building security is based on iris scan, sure they won't be able to enter after your iris pattern is revoked, but so won't you. Meaning no entry to the building, sorry sir, you must look for a job elsewhere, at least till we update our security system.

      As for 2), the basic feature of biometrics is that it's simple. You touch a surface or look into a lens, and that's all, no typing passwords, no entering codes or searching your wallet for magnetic card. Take it away and you take away half of the charm of biometrics. You only leave the scare "they will knock you out and take your eye out in a dark backstreet to break in" plus vague and unreliable info about high security, which is neither verifiable nor unhackable and definitely doesn't appeal to management.

      It's a bumpy road ahead of biometrics.

      --
      Anagram("United States of America") == "Dine out, taste a Mac, fries"
    3. Re:Not an alternative... by Zadaz · · Score: 4, Insightful

      1) Sure, my biometric permissions are revocable, but not re-issuable. At least no security outfit in their right mind would reinstate your biometric print once it had been broken.

      If simple biometrics become prevalent, then someone stealing my iris print (for example) would pretty much end my life. I wouldn't be able to have a bank account or any other kind of security. Either my accounts would be wide open to whoever had a copy, or no bank would issue an account to a security risk.

      At least until I could grow a new eye. It's identity theft on a very personal level.

      2) Sure, they're getting more advanced. They could hardly be more primitive. However there are two problems with making them more sophisticated:
      a) You can't make security so sophisticated it can't be broken. (duh.)
      b) The more complex a system is the more likely it is to fail. I'm not an expert in the field, but many of the things you propose would ilkley prevent me from accessing my account if I was ill or under the effect of any number of legal drugs. Which is of course unacceptable.

      A system that sophisticated will cost a ton of money. Compare that to to the cost of a card reader and 12 button keypad found on most ATMs. The amount of ATM fraud based on stealing user ID's at the terminal is much smaller than cost of installing and maintaining biometric devices and will be for the foreseeable future.

    4. Re:Not an alternative... by darkonc · · Score: 1
      A revoked biometric still means that the spoofed person is f*cked -- and someone with a spoofed biometric can do massive mischief until the spoof is discovered.

      "No, I'm sorry sir, you did it all yesterday -- I have it right here with a proper biometric scan.... Well -- I'm not trying to accuse you of anything -- but, if you were in Hawaii until this morning, then how did you provide an iris scan here yesterday?"

      A key and irreplaceable component of any authentication instrument is a revocation feature.
      -- and it should change into a 3-layer system .. Something you know (pw), something you have (card), something you are (biometrics). At least with such a 3 layer system, the biometrics are only one part of three. That still doesn't change the fact that someone who can read your biometric has at least an opportunity to spoof that same reading --- Yes, you can add features to the biometric read, but the technology to spoof those features will likely along with the ability to test for them.

      Another big problem is that too many C?Os are going to be told that biometrics are the be-all and end-all of security and you're gonna end up with soooo many biometric-only solutions that use (of course) the cheaper image-only systems and end up gettin spoofed at the most disasterous times possible.

      I've always been told that the best security check involves two things: something you have, and something you know.
      --
      Sometimes boldness is in fashion. Sometimes only the brave will be bold.
    5. Re:Not an alternative... by ipooptoomuch · · Score: 1

      I saw this episode on mythbusters in which they broke into a very *expensive* finger print scanner with a piece of paper. Makes it sound very easy to hack into.

  8. useless by Lehk228 · · Score: 0

    iris scanning is useless, you may as well tattoo your root password tot he back of your neck.

    anyone with a telephoto lens can steal your key

    --
    Snowden and Manning are heroes.
    1. Re:useless by Invidious · · Score: 2, Interesting

      No, they can't. In order to get a good image of someone's iris, particularly without being noticed, you'd need a long (at least 400mm) macro (true macro, 1:1 reproduction) lens with very, very little sperhical abberation or chromatic abberation, and very sharp to boot. And, likely, a buttload of light shining into the person's eye. Since you can't get a lens like that, and it'd be monstrously huge anyway, it's not a problem.

  9. Better Yet, Go Multi-Tier by DumbSwede · · Score: 2, Interesting

    I personally would like to see multi-tier biometric authentication built into the OS. Log on with a password and a finger scan; any File I/O challenge with voice recognition; visit a secure site, submit to iris scan. Mix it up, occasionally challenge with authentication questions when actions seem either dangerous (downloading executables) or deviate from usual usage patterns. How aggressive to be in challenging for authentication and what types should be settable by the user. This kind of thing might be very useful in keeping your teenage kids from downloading Kazza like malware on your family computer, not just keeping your computer secure from crooks and spys.

    --
    Letter To Iran
    1. Re:Better Yet, Go Multi-Tier by corychristison · · Score: 2, Interesting

      Or better yet, you could have a biometric finger-scanning keyboard.

      Each key will be a finger-print scanner. If you type home-row then match the keystrokes to fingers that are supposed to be used. When you press down on a key, it will take a photo/whatever of your finger and analyze it to a small database at the system[/kernel?] level to see if they match up.

      If the finger print doesn't match, keypress is ignored.

      You would need some incredibly quick fingerscanners for each key, and it would be VERY pricey. It would also force you to use home-row, too! :-)

      Possibly incorportate this into the mouse, as well? ... somehow

      Yeah... I need sleep. But it's a thought. Would be VERY hard to crack, esspecially at the kernel level. You wouldn't be able to just swap out keyboards.

    2. Re:Better Yet, Go Multi-Tier by deevnil · · Score: 1

      I wonder if a touchpad could be hacked enough to make a crude fingerprint scanner for, at least, the pesky admin password. I get prompted enough that *everyone* would see me authenticating updates, unlocking the screensaver.. and they would hear the eerie, "Thank you for disabling the countdown. Welcome back." robotic voice. With all the exploding laptops out there, and such a suggestive security through intimidation policy you would be safe from potential intruders so long as they have a sufficiently overactive imagination.

    3. Re:Better Yet, Go Multi-Tier by Anonymous Coward · · Score: 0

      That's a thought in the same way that a tree is the HMS Victory.

  10. Aaargh! Wrong laser! by myowntrueself · · Score: 2, Funny

    I thought I told you to label those buttons, Emory?

    --
    In the free world the media isn't government run; the government is media run.
  11. Password function related to brain function by dascandy · · Score: 0, Offtopic

    Efficiency and effectiveness of passwords is linearly related to your brain's capacity to learn new passwords once in a while and also strongly related to your intelligence in choosing a proper password. If you have a proper password that's not too old, you're safe.

    Too old is related to the strength of the password. In general, you should choose a password for a period of a month or possibly a few months. You then decide how complex it should be to be safe during at least that period, then you choose a password that's within an fair distribution of that class, preferably by explicitly not choosing from another subclass of the passwords that is known to be weaker. If you also calculate in the advances in password cracking you should be able to work out a decent set to choose from.

    Specifically, most system administrators reduce the theory to this: at least 8 characters of which at least one number and at least one special character.

    This doesn't work in more than one way. First of all, the user doesn't know about any generic-spread he or she should be doing and will just pick some word with numbers or characters behind it. That's quite a small subset of the intended target. Users choose such weak passwords because they don't really care about the password or the protection, they just want to get their work done and the password thing including the change-your-password thing is an annoyance you have to live with (in their perspective). If/When their account is hacked (because of the not too bright password) they claim somebody hacked it and that they couldn't have helped the secrets in it leaking out. People don't use passwords for security, people use passwords because somebody tells them to use passwords.

  12. Static Iris Scanning is useless, not dynamic by iendedi · · Score: 4, Informative

    While it is true that one could hold up a photo of your iris to a camera and spoof a static iris scanner, doing the same to a dynamic scanner is not practical.

    What is a dynamic iris scanner? One that looks not only for the unique patterns of the eye, but also simultaneously measures retinal response to stimuli such as dimming and brightening of the display. This is much more difficult to spoof (you would essentially need to build a model of the target's eye that could respond to external stimuli and then hold that up to the scanner).

    Combined with facial recognition, dynamic iris scanning is very potent. First it recognizes your face and then your eye and then the retinal response with stimuli that is timed to be somewhat random. Just don't try to log on after a night of pubbing.

    --

    It is your personal duty to fight for what is right on a daily basis. Ignoring injustice is identical to approving
  13. Standard warning: by Strolls · · Score: 2

    Do not look into laser with remaining eye.

    1. Re:Standard warning: by theonetruekeebler · · Score: 1
      Do not look into laser with remaining eye.
      For years, Steve Wozniak carried around a photo ID card identifying him as a "Laser Safety Officer." In the picture he's wearing an eyepatch.
      --
      This is not my sandwich.
  14. Biometrics is very hard to get right. by gweihir · · Score: 2, Insightful

    Face and Iris recognition have been fooled with printed pictures. Fingerprint sensors with $5 fakes. The list goes on. There is really not a lot of defenses available against this.

    And you cannot change your face or iris, like you can change a password....

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:Biometrics is very hard to get right. by WilliamSChips · · Score: 1

      The SGC changed their iris!

      --
      Please, for the good of Humanity, vote Obama.
  15. duh! by Anonymous Coward · · Score: 0

    i didn't have any trouble finding a variety of resources that answer your questions using google.
    why are you asking slashdot ?

    in particular, this looks interesting: http://www.csse.uwa.edu.au/~pk/studentprojects/lib or/
    as did this: http://www.itl.nist.gov/iad/894.03/nigos/mbark.htm l

  16. Little red lights by G1975a · · Score: 2, Funny

    Aren't the little red lights on the bottom of my mouse iris scanners? That's what they told me at work.

  17. How I would do it... by cr0sh · · Score: 3, Informative
    I would start out with a cheap USB web camera. First, I would hack it in some manner to allow it to macro-focus. I would go down to goodwill or a pawn shop and pick up the cheapest, most busted VHS video camera being sold. From this I should be able to get much of the optical components and the needed eyecup.


    I would attempt to obtain a fake eyeball of some sort. While it wouldn't work perfectly, it would give me some sort of method by which to focus with. Mounted with some tape to the eyecup, and then positioned in front of the webcam, I would be able to determine the focus fairly quickly.

    I would then set up some kind of "ring illumination", wherein I would create a "ring" of LEDs - red/green/blue/IR - through which the webcam would peer. Focussing again might have to be adjusted. This ring would be set up in such a fashion so that I could trigger which set(s) of LED's would be active at once - likely via USB control, too.

    Once I had that set up, and focussing correct, I would then work on the software. For this DIY project, I would simply set things up to take multiple image captures of my own eye, process the images through some filters to reduce the information to just my iris (cue on the white of eyeball, and black of the pupil), then (in some manner), use these images to create an "eigeniris" image, some kind of "average" of all the images I took (over several days or months, in different levels/conditions, so as to have the best average available). Then, the software could take an image, compare it to the "eigeniris", determine if it falls within range, and use that to trigger or deny access (to whatever).

    That would be the route I would take if I was doing this. Overall, the hardware portion seems the simplest to implement - the software is where you will bog down. Just like any other pattern recognition project, I would imagine...

    --
    Reason is the Path to God - Anon
  18. Idiot. by Anonymous Coward · · Score: 0

    That's not even funny.

    Mods: Mod me informative.