Slashdot Mirror
DIY Iris Scanning?
gadzook33 asks: "There have been rumors floating around about DIY iris scanning, using digital cameras for biometric security. Iris scanning presents a fantastic alternative to password-based authentication but hasn't really come to our desktops yet. I've looked around but can't find any concrete material on the subject. Is anyone doing this? Are there any efforts to develop open software for this sort of thing? Are patents holding things up? Given that passwords are an almost defunct technique for protecting data in certain situations, it would be nice to have an alternative."
I personally would like to see multi-tier biometric authentication built into the OS. Log on with a password and a finger scan; any File I/O challenge with voice recognition; visit a secure site, submit to iris scan. Mix it up, occasionally challenge with authentication questions when actions seem either dangerous (downloading executables) or deviate from usual usage patterns. How aggressive to be in challenging for authentication and what types should be settable by the user. This kind of thing might be very useful in keeping your teenage kids from downloading Kazza like malware on your family computer, not just keeping your computer secure from crooks and spys.
Letter To Iran
There is merit in your argument. The basic idea of using biometics as a an additional level of security is unimpeachable. However, you miss two key issues in play here.
1.) A key and irreplaceable component of any authentication instrument is a revocation feature. You state that biometric passwords are not changeable. Biometrics are just as revokable as passwords. In both cases, the user must recognize that the instrument has been compromised and tell his keymaster. In the password case, you simply change the password. In the biometric case, you must remove that instrument from the authentication whitelist. I think what you're trying to get at here is that biometrics, once revoked, cannot be resued. However, your statement: "That person is me anywhere they do an iris scan." is false because the biometric instrument can be revoked. That person is you everywhere they use a password until that is revoked also....
2.) Biometrics are growing up. Soon the days of simple image processing will be gone. Additional checks like measuring pupil reaction time, eye movement characteristics, blink characteristics, eye pressure, peripheral vision, visual acuity, etc will be implemented. (Press the button when the line-drawing is in focus (using a new image and different focus path each time.); Press the button when the spot comes into your peripheral vision (same randomness, etc.)) Varying the algorithm by which the image processing software recognizes the eye will also harden iris scanning. All of this works to make biometrics an increasingly attractive ADDITIONAL layer of security. I've always been told that the best security check involves two things: something you have, and something you know. Biometrics can work quite well for the "something you have." part.
"I threw up my hands in disgust and wondered if it had been such a good idea to have eaten my hands in the first place."
"That person is me anywhere they do an iris scan." is true. Except they get "Sorry, you don't have a clearance" as a reply, just like you do. If a building security is based on iris scan, sure they won't be able to enter after your iris pattern is revoked, but so won't you. Meaning no entry to the building, sorry sir, you must look for a job elsewhere, at least till we update our security system.
As for 2), the basic feature of biometrics is that it's simple. You touch a surface or look into a lens, and that's all, no typing passwords, no entering codes or searching your wallet for magnetic card. Take it away and you take away half of the charm of biometrics. You only leave the scare "they will knock you out and take your eye out in a dark backstreet to break in" plus vague and unreliable info about high security, which is neither verifiable nor unhackable and definitely doesn't appeal to management.
It's a bumpy road ahead of biometrics.
Anagram("United States of America") == "Dine out, taste a Mac, fries"
No, they can't. In order to get a good image of someone's iris, particularly without being noticed, you'd need a long (at least 400mm) macro (true macro, 1:1 reproduction) lens with very, very little sperhical abberation or chromatic abberation, and very sharp to boot. And, likely, a buttload of light shining into the person's eye. Since you can't get a lens like that, and it'd be monstrously huge anyway, it's not a problem.
Retina scans are not likely to injure you, but are considered less acceptable than iris scanning as it gives away too much information. Yes, it can uniquely identify you, but it can also divulge various health issues and show if you're pregnant. This is usually information that employees prefer to reveal on their own, than have the door security guard congratulate or commiserate them about information that they haven't told their partner about yet, or might not even know them selves.
dave
and of course, it could also be used to affect your future career or health insurance as it reveals to your company things such as high blood pressure, diabetes, drugs use and leukemia. hell, even aids and syphilis.
things most people would rather keep to themselves.
dave