Slashdot Mirror

← Back to Stories (view on slashdot.org)

Reverse-Engineered Irises Fool Eye-Scanners

Posted by Soulskill on from the now-you-eyes-are-slightly-safer dept.

Maximum Prophet writes "If you've ever had your eyes scanned, be sure to install new ones every 90 days. Wired reports on research being released at Black Hat: 'The replica images, they say, can trick commercial iris-recognition systems into believing they’re real images and could help someone thwart identification at border crossings or gain entry to secure facilities protected by biometric systems. The work goes a step beyond previous work on iris-recognition systems. Previously, researchers have been able to create wholly synthetic iris images that had all of the characteristics of real iris images — but weren’t connected to real people. The images were able to trick iris-recognition systems into thinking they were real irises, though they couldn’t be used to impersonate a real person. But this is the first time anyone has essentially reverse-engineered iris codes to create iris images that closely match the eye images of real subjects, creating the possibility of stealing someone’s identity through their iris.'"

98 comments

  1. First Post by xQuarkDS9x · · Score: 0

    Wow such potential for security.. get your eyes changed every 90 days. :P

    --
    You must master your joystick like a fisherman masters bait! - Gimpy
    1. Re:First Post by Anonymous Coward · · Score: 0

      Wow such potential for security.. get your eyes changed every 90 days. :P

      That's why I have a password for my biometrics.

    2. Re:First Post by Jeremiah+Cornelius · · Score: 1, Funny

      Who'd have thought they could do this? I mean the TSA has been duplicating SPHINCTERS for years, now - but irises are a Van Gough level of complexity!

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    3. Re:First Post by Anonymous Coward · · Score: 0

      Yeah, sphincters are more like a Picasso...

    4. Re:First Post by Anonymous Coward · · Score: 0

      Van Gough. Seriously?

    5. Re:First Post by Anonymous Coward · · Score: 0

      It's written as Van Gogh.

    6. Re:First Post by Jeremiah+Cornelius · · Score: 1

      Dutch.

      The gift that keeps on giving.

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
  2. Problem with biometrics by Anonymous Coward · · Score: 1

    If these types of scanners ever become common, all you would need is one untrustworthy scanning station to steal your identity (and then impersonate you at all other stations). And the problem with biometrics, of course, is that they can't be changed. Biometrics were never a good idea.

    1. Re:Problem with biometrics by leonardluen · · Score: 3, Insightful

      biometrics are fine, this just illustrates why you need 2 factor security.

    2. Re:Problem with biometrics by Thundaaa+Struk · · Score: 1

      What if you have a wonky eye like Forest Whitaker...does that make you hack proof?

    3. Re:Problem with biometrics by MerceanCoconut · · Score: 2

      biometrics are fine, this just illustrates why you need 2 factor security.

      Exactly. Biometrics are not secrets. They uniquely identify an individual, but you still need a secret for security.

    4. Re:Problem with biometrics by nautsch · · Score: 1

      Exactly. Biometrics are not secrets. They uniquely identify an individual, but you still need a secret for security.

      And even that is not true, if they are easily copied. The parent is obviously right

      --
      If you find a typo, you may keep it.
    5. Re:Problem with biometrics by Jeng · · Score: 1

      If these types of scanners ever become common, all you would need is one untrustworthy scanning station to steal your identity (and then impersonate you at all other stations).

      So, um, where would one of these untrustworthy scanning stations be set up?

      And the problem with biometrics, of course, is that they can't be changed. Biometrics were never a good idea.

      Biometrics is a very good idea, it just needs to be implemented in a way that doesn't allow one to cheat. Such as when you get your fingerprint scanned the scanner should also do a check to make sure it is actual skin instead of a silicone copy.

      To securely do an iris scan though, that would not only be tough to design, it would also mean that people who wear contacts would not be able to use an iris scanner.

      --
      Don't know something? Look it up. Still don't know? Then ask.
    6. Re:Problem with biometrics by h4rr4r · · Score: 1

      They do not uniquely identify an individual anymore than having my drivers license makes you me. They like all other forms of identification are copyable.

    7. Re:Problem with biometrics by h4rr4r · · Score: 1

      They would be setup at the same place as the trustworthy stations.

      Biometrics is a bad idea, no implementations can save it. The fingerprint scanner will then have to deal with better and better synthetics.

      Requiring a user to slide a contact over is not a huge burden.

    8. Re:Problem with biometrics by Jeng · · Score: 1

      They do not uniquely identify an individual anymore than having my drivers license makes you me. They like all other forms of identification are copyable.

      The problem is not the copying, it is the verification that is the problem. At this time the verification process can be spoofed, that most probably will not always be the case.

      Much like if I went and made a photocopy of your drivers license. The copy may fool other devices that read a license in the same way that the copy was made, but it won't fool more advanced devices. And that photocopy definitely will not fool a police officer.

      --
      Don't know something? Look it up. Still don't know? Then ask.
    9. Re:Problem with biometrics by Jeng · · Score: 1

      They would be setup at the same place as the trustworthy stations.

      Like airports and border crossings? Yes, I guess if it is state sponsored they could put an untrustworthy station in place there, it is just unlikely to ever happen, at that level they probably already have the information. More likely I guess is private organizations that use iris scanners, it would still need to be an inside job though.

      The fingerprint scanner will then have to deal with better and better synthetics.

      And so will those looking to get past the scanner. I would imagine that at some point with fingerprint scanners that they will be looking beyond the fingerprint and also start looking at the capillaries in your fingertip as well.

      --
      Don't know something? Look it up. Still don't know? Then ask.
    10. Re:Problem with biometrics by Anonymous Coward · · Score: 0

      "...They uniquely identify an individual...."

      They were SOLD as uniquely identifying an individual, but it turns out that all they do is pick a bodily feature, measure some points on it, run an algorithm against that data and CLAIM that the result is unique. It turns out that it often isn't, even before people look into how it can be spoofed...

      There, that's fixed that for you....

    11. Re:Problem with biometrics by cayenne8 · · Score: 1

      What if you have a wonky eye like Forest Whitaker...does that make you hack proof?

      Actually close...I think to be totally 'hack proof' you'd have to be Marty Feldman

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    12. Re:Problem with biometrics by MerceanCoconut · · Score: 2

      Your driver's licence uniquely identifies you whether I have it or you have it. Copying your driver's licence doesn't reduce its ability to identify you. However, merely possessing your driver's licence should not be sufficient for me to authenticate your identity. Only you should be able to do that. So biometrics are useful for identification but not authentication.

    13. Re:Problem with biometrics by Anonymous Coward · · Score: 0

      So, um, where would one of these untrustworthy scanning stations be set up?

      At your local optician. Watch out for those human clones, stealing your identity, family and really thinking that they are you when you challenge them for it.

    14. Re:Problem with biometrics by viperidaenz · · Score: 1

      No they don't. They uniquely identify part of an individual. All I need to do to impersonate you is to remove your eye, finger or any other part of you that gets scanned.
      You can torture out someones password, but the easiest way to fool an iris scanner is to pluck out some poor bastards eye. Finger print scanner? Chop off their finger.

    15. Re:Problem with biometrics by Thundaaa+Struk · · Score: 1

      Talk about bedroom eyes!!!

    16. Re:Problem with biometrics by Anonymous Coward · · Score: 0

      Of course if this is that secure of an environment, and the extra security is needed, then there should be someone near that scanner that can also see you putting up the pulled out eye, or chopped off finger.

      But... that probably means paying a security guard or cop or ex-cop or ex-military guy, and that would mean.... {gasp}... less profits.

  3. Why? by Anonymous Coward · · Score: 0

    Why create an iris when the movies showed you can just pull someone's eye out and hold it in front of the scanner?

    1. Re:Why? by xQuarkDS9x · · Score: 2

      Someone has been watching Demolition Man a bit too much I think...

      --
      You must master your joystick like a fisherman masters bait! - Gimpy
    2. Re:Why? by Samantha+Wright · · Score: 1

      Doesn't really invalidate the point—I mean, what it amounts to is that iris scanners, traditionally thought of as extremely high-security items, are only really practical for low-security stuff where it wouldn't be worth the cost/risk/bloodshed/etc. to (a) kidnap someone to prototype from their eyes or (b) take what you need a la carte. You still wouldn't want to use it for a military installation.

      --
      Bio questions? Ask me to start a Q&A journal. Computer analogies available for most topics!
    3. Re:Why? by green1 · · Score: 1

      It seems to me that it would be easy to prevent that particular attack just by checking pupil reaction. If it doesn't react, the eye isn't attached to a living organism and shouldn't be allowed. Additionally, nothing high security should ever be single factor authentication anyway.
      Biometrics done right are really good, biometrics done wrong are our worst nightmare.

    4. Re:Why? by Samantha+Wright · · Score: 1

      That's a good trick—albeit one probably fairly easy to simulate with a decent e-paper display put in place, or a transparent LCD.

      --
      Bio questions? Ask me to start a Q&A journal. Computer analogies available for most topics!
    5. Re:Why? by Black+Parrot · · Score: 1

      Why create an iris when the movies showed you can just pull someone's eye out and hold it in front of the scanner?

      Yeah, Loki can leave his fancy gadget home next time.

      (But I like the palm scanner scene on Red Dwarf better.)

      --
      Sheesh, evil *and* a jerk. -- Jade
  4. Passwords can be changed when compromised... by Kenja · · Score: 4, Insightful

    your iris can not. Well, not without some B grade horror movie level surgery. This is the fundamental issue with biometrics.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    1. Re:Passwords can be changed when compromised... by WillAffleckUW · · Score: 1

      Actually, you can engineer a virus to alter the DNA. We do it all the time with mice.

      We also do it with adult humans with cancer, so that their cancer growths glow in the dark during surgery. Use the docking receptors on the cells.

      --
      -- Tigger warning: This post may contain tiggers! --
    2. Re:Passwords can be changed when compromised... by Anonymous Coward · · Score: 0

      I contest that. Minority Report was definitely not B grade horror.

    3. Re:Passwords can be changed when compromised... by Maximum+Prophet · · Score: 1

      The clandestine services will simple send their people through with fake iris contact lenses the first time, and once for every identity needed. Then when they need to be "Joe Shablocknic" today, they just select the "Joe Shablocknic" eyes from the kit, and viola, new identity. They'll make the the spy's real eyes are never scanned by a 3rd party.

      What this research shows is that they could send an iris printer with the spy. Then send him the codes for new eyes.

      --
      All ideas^H^H^H^H^Hprocesses in this post are Patent Pending. (as well as the process of patenting all postings)
    4. Re:Passwords can be changed when compromised... by Anonymous Coward · · Score: 0

      You know, it's not necessary to crucify him over getting the horror part wrong.

    5. Re:Passwords can be changed when compromised... by Jeng · · Score: 1

      And if security pulls the person aside and asks the person to please remove their contacts and have another scan?

      --
      Don't know something? Look it up. Still don't know? Then ask.
    6. Re:Passwords can be changed when compromised... by Anonymous Coward · · Score: 0

      your iris can not. Well, not without some B grade horror movie level surgery. This is the fundamental issue with biometrics.

      B grade? B grade! Harrumph, I'll remind you, sir, that this very trick was used by Tom Cruise in Minority Rep... oh, right.

    7. Re:Passwords can be changed when compromised... by MozeeToby · · Score: 1

      Something you have and something you know is the current standard, I see no problem with adding "something you are" into the mix as a third layer.

    8. Re:Passwords can be changed when compromised... by Translation+Error · · Score: 1

      Not to mention that it can make some of your body parts valuable to other people. And not in the good way.

      --
      When someone says, "Any fool can see ..." they're usually exactly right.
    9. Re:Passwords can be changed when compromised... by Maximum+Prophet · · Score: 1

      Well, since you ask, that's when you go to plan 'B'.

      Seriously, you would test the system, first by observing how the guards work, then by sending people through who are expendable, or diplomats with get-out-of-jail black passports. If all that fails, and you get pulled aside for a random search, have a co-worker create a diversion and slip away.

      --
      All ideas^H^H^H^H^Hprocesses in this post are Patent Pending. (as well as the process of patenting all postings)
    10. Re:Passwords can be changed when compromised... by interkin3tic · · Score: 1

      Well, even if you were willing to alter your DNA in an effort to make biometric ID systems viable (and you would be insane), and even if you engineer a retrovirus that can reliably alter a given sequence in your DNA (they tend to insert their small payload at random locations in each cell) there's still the issue of your irises and fingerprints aren't based on DNA and certainly aren't maintained by continued DNA expression.

      Transgenic mice are generally made by homologous recombination in single embryonic stem cells which are then turned into whole mice through a complicated process. So you would need to grow a new human to be able to manipulate DNA like we can in mice, and that's not been done yet. I have yet to hear about DNA sequences correlating to iris patterns, though it could be that no one is particularly interested in looking at something so trivial.

      So... no. We can't. You could conceivably identify DNA regions that correlate to iris pattern, clone yourself and alter the DNA of the one-cell stage, make a chimeric male and female from that, have them mate, then get a fully transgenic human which you could then steal the irises from the abomination that would result and thereby change your iris pattern, but that would require you to break a whole lot of ethics, do several noble-prize level research accomplishments, and wait about 20 years for the two generations of clones to mature, all for something that would be lot simpler to do with a good model or printout.

    11. Re:Passwords can be changed when compromised... by camperdave · · Score: 1

      Actually, you can engineer a virus to alter the DNA.

      Changing your DNA won't change your iris. It has already been built using the previous DNA. You'd have to use the new DNA and grow a whole new eye from it.

      --
      When our name is on the back of your car, we're behind you all the way!
    12. Re:Passwords can be changed when compromised... by WillAffleckUW · · Score: 1

      No, viral insertion works by literal infection of cells. You're confusing germ distribution, where you alter the DNA once, with viral DNA insertion at a spot, which infects a literal cell and uses the cell mechanism via a docking ligand to deliver a target viral payload which inserts itself into the cells DNA.

      We make cancer cells glow so that we can perform surgery on them. It's not the cancer cells we target per se, but all cells. The cancerous cells have certain biochemical characteristics which are used to trigger the phosphorescence tags.

      Then we let the cell death cycle clear it out.

      Modern medicine has changed dramatically in the past few years.

      --
      -- Tigger warning: This post may contain tiggers! --
    13. Re:Passwords can be changed when compromised... by camperdave · · Score: 1

      Nevertheless, changing your DNA will not change your iris, or the gross physical structure of any organ; not until the cells within the organ are replicated according to the new DNA. For example, if I replace the blue iris DNA with brown iris DNA, I will not suddenly have brown eyes. It will take months, or possibly even years for that kind of change to take place, depending on the rate at which iris cells replicate.

      --
      When our name is on the back of your car, we're behind you all the way!
    14. Re:Passwords can be changed when compromised... by Beryllium+Sphere(tm) · · Score: 1

      The photo on your driver's license is a biometric.

      It doesn't have to be kept secret.

      The security comes from the verification process. If you're pulled over while carrying someone else's driver's license, then holding up a picture of that person to the police officer is not going to let you impersonate that person.

      The reason we're used to thinking in terms of secrecy is that it's the only way to make passwords exclusive to particular users.

      I've even seen security professionals get this wrong.

    15. Re:Passwords can be changed when compromised... by mcgrew · · Score: 1

      your iris can not. Well, not without some B grade horror movie level surgery.

      You're calling Minority Report a B grade horror movie??

      --
      Free Martian Whores!
  5. This is why my sister installed Hazel (tm) eyes by WillAffleckUW · · Score: 2

    The advantage is her eye color changes all the way from purple to blue to brown so just think of her eyes as Enhanced Security Eyes.

    --
    -- Tigger warning: This post may contain tiggers! --
  6. Will this be a problem for... by Anonymous Coward · · Score: 0

    ...the folks at the Genesis Project? They seem to keep all their important files secured via retina scans. Wouldn't want that technology falling into the wrong hands.

    1. Re:Will this be a problem for... by NotBornYesterday · · Score: 2

      Retina != iris.

      --
      I prefer rogues to imbeciles because they sometimes take a rest.
  7. Where did the article's photos come from? by NotBornYesterday · · Score: 2

    The image editor didn't even bother to use Photoshop to add the fake iris images ... looks like they used MS Paint or something.

    --
    I prefer rogues to imbeciles because they sometimes take a rest.
  8. Require 2 Factor Verification by DCisforBoners · · Score: 1

    No single or combined biometric is secure. If you want to verify identity you must have at the least, a second factor like a password.

    1. Re:Require 2 Factor Verification by Maximum+Prophet · · Score: 4, Insightful
      3 factors.
      • Something you know -> i.e. Password
      • Something you are -> i.e. Fingerprint
      • Something you have -> i.e. RFID keyfob

      The major problem with *magic* solutions, is that leader types look at them and say "Wow, Iris Scanners, I could never fool one of those, so nobody could fool one." People have the same reaction to physical locks.
      This leads to security theater. Yes, it stops stupid criminals, and yes it can be a good thing when you stop stupid criminals, but when you want to stop people flying airplanes into buildings, or stock traders from racking up $2 billion in fraudulent losses, magic dohickys aren't the solution.

      --
      All ideas^H^H^H^H^Hprocesses in this post are Patent Pending. (as well as the process of patenting all postings)
    2. Re:Require 2 Factor Verification by shentino · · Score: 1

      Maybe we politicians don't want to stop some kinds of criminals.

      Especially white collar criminals giving us part of their take in the form of bribe money.

    3. Re:Require 2 Factor Verification by Maximum+Prophet · · Score: 1

      Good observation. Some forms of crime are more acceptable than others.

      I'm not sure I'm not on board with that. Imagine a world where there was no violent crime or real property theft. If your bank account was stolen, you get it back in 90 days.
      In such a world, keep several bank accounts and several credit cards, and regular normal people are safe.

      If you could live in a world where all crime was crime against large corporations, and all war was cyberware, would you? What would you give up to live there?

      --
      All ideas^H^H^H^H^Hprocesses in this post are Patent Pending. (as well as the process of patenting all postings)
    4. Re:Require 2 Factor Verification by treeves · · Score: 1

      Doesn't this story mean that "Something you are" is really just a second "Something you have"?

      --
      ...the future crusty old bastards are already drinking the Kool-Aid.
    5. Re:Require 2 Factor Verification by PPH · · Score: 1

      "Something you have" is more like a key, RFID card, or other authentication device issued by some authority.

      "Something you are" is not as easily detached from your person as pickpocketing a key card.

      --
      Have gnu, will travel.
    6. Re:Require 2 Factor Verification by Anonymous Coward · · Score: 0

      That's a nice eye/hand/finger you have there... Would be a shame if something were to happen to it...

    7. Re:Require 2 Factor Verification by Anonymous Coward · · Score: 0

      But something you have is a lot safer for you than something you are, when the thug with the big knife wants it.

      In either case, he's going to take it, whether you are able to hand it over voluntarily or not.

    8. Re:Require 2 Factor Verification by Jade_Wayfarer · · Score: 1

      Point is, with advancement of remote scanning techniques your iris could be just as easily picked from distance as any RFID - no need for physical contact as with the physical key, for example. So, unless you are planning on wearing some advanced sunglasses all the time, your iris essentially becomes "something you have", nothing more.

      --
      Absence of proof != proof of absence.
    9. Re:Require 2 Factor Verification by booch · · Score: 1

      I believe that there's a 4th kind of factor: something you can do. For example, you might be able to pick out some of your favorite items, even though you don't remember which favorite items you registered. Or you might be able to type your password in a different rhythm than anyone else can (without a lot of practice); again, it's not something that you can memorize/remember/know, and it's not really something that you are or have. Bruce Schneier has an article on one of these kinds of authentication factors.

      --
      Software sucks. Open Source sucks less.
  9. less unique by harvey+the+nerd · · Score: 1

    This news makes me feel less unique as an American.

  10. Lock and the lock pick. by steelfood · · Score: 4, Insightful

    New technology is nice and all, but for every lock ever created there will be a lock pick for it.

    The only thing is, the more expensive the lock, the more expensive the lock pick is supposed to be. That's the real measure of the effectiveness of a lock. I.e., an expensive lock that can be picked in an inexpensive manner is an ineffective lock.

    --
    "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
    1. Re:Lock and the lock pick. by Anonymous Coward · · Score: 0

      The value of the lock is not the cost of the lock, but rather the value of what is being locked up.

    2. Re:Lock and the lock pick. by Maximum+Prophet · · Score: 1

      You don't have to fool the criminals to sell an expensive lock. You just have to fool management at the corporate or government level.

      --
      All ideas^H^H^H^H^Hprocesses in this post are Patent Pending. (as well as the process of patenting all postings)
    3. Re:Lock and the lock pick. by Anonymous Coward · · Score: 0

      Idiotic. A $0.05 cardboard box with a lock drawn on it with a $1mil painting inside is not as valuable as a high-security safe with a $1mil painting inside.

    4. Re:Lock and the lock pick. by Anonymous Coward · · Score: 0

      Recent Story illustrating this exact point

      http://hardware.slashdot.org/story/12/07/25/1326225/open-millions-of-hotel-rooms-with-arduino

    5. Re:Lock and the lock pick. by s.petry · · Score: 1

      People had to know this was coming, it's painfully obvious and is obvious with all such technology. Algorithms are used to validate, and one only needs to do reverse engineering of 2 aspects. 1) Math function to match data. 2) input mechanism used to get test data.

      The same thing was done with fingerprint scanners, and why we did not have a mass adoption. Jello was found to be the easiest way to lift and place fingerprints (This trick was used at a DOD site during our pilots.)

      This is why most secure areas have numerous layers of security. Door 1) 2 factor Auth, Door 2) fingerprint or Iris, Door 3) a 2 factor Auth with different information than Door 1.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    6. Re:Lock and the lock pick. by Mitreya · · Score: 1

      That's the real measure of the effectiveness of a lock. I.e., an expensive lock that can be picked in an inexpensive manner is an ineffective lock.

      Locks can also be changed once someone steals and duplicates your key. Even the crappiest lock can be replaced.
      Good luck replacing your iris once a copy is out in the wild.

    7. Re:Lock and the lock pick. by Anonymous Coward · · Score: 0

      Similar to American gun control laws ( typed with a hint of sarcasm).
      Laws taking guns away from the masses will leave only the criminals armed resulting in a 99% reduction of innocent life loss. Unfortunately there will still be death but a lot less due to the lack of easy access.

  11. not quite by poetmatt · · Score: 1

    If I recall correctly, I do believe it has been said that even wearing contacts due to development of new veins can change your iris over time. Unless that was specific to your retina?

  12. Ob. Demolition Man reference by Tastecicles · · Score: 4, Funny

    If Simon Phoenix wants my iris code, hell he can just have a photocopy! Fuckhead... I'll keep both my eyes.

    ["Tastecicles, you are fined one credit for violation of the Verbal Morality Statute."]

    --
    Operation Guillotine is in effect.
  13. Does anyone remember the 3-factor security? by Anonymous Coward · · Score: 0

    Something you have, something you know, something you are.
    A (physical) key, a password, and a retina-/iris-/finger-print. That way they have to keep you alive until the door is open

    1. Re:Does anyone remember the 3-factor security? by nautsch · · Score: 1

      Please read the story! This is exactly what this is about. They can copy your iris (what you are), steal your key and hurt you to give them the password. After that there is no need to keep you alive.

      --
      If you find a typo, you may keep it.
    2. Re:Does anyone remember the 3-factor security? by ZeroSumHappiness · · Score: 1

      Unfortunately, all three of those are really just "something you know."

      If I have a 5-pin tumbler key and each pin has a depth setting of 0-5 then I really just need to know a 5-digit, hex (not hexadecimal) number and I can recreate the key. If I have a reading of a fingerprint all I need to do is experiment with fingerprint printing or fingerprint re-forming technology until I get a copy that can pass for the original.

      Even an RSA keyfob, technically, can be copied if I can rip it apart in a manner that lets me read the secret encoded within it. There's no such thing as "something you are" or "something you have" when you're translating it to "something you know" anyway.

    3. Re:Does anyone remember the 3-factor security? by bpkiwi · · Score: 1

      Two of those three factors - the "something you have" and the "something you know" can be changed. You can be issued a new security card, and you can change your password. The third factor - "something you are" can not be changed. This makes it a lot weaker than the other two factors because if at any time in your history it has been stolen, then it is no longer secure and useful - ever again.

      What do you do when your security system requires all three factors, but you already know the "something you are" has been compromised? Let's say it's a staff member with high level security clearance who you know has had their biometrics copied. Do you fire them because they can no longer meet the three factor requirements? or do you just allow them to continue on with two factor? and if the latter, then why did you have the third to begin with?.

    4. Re:Does anyone remember the 3-factor security? by green1 · · Score: 1

      And this is exactly why duresse codes exist. if you can give them a "something you know" that gets help dispatched quickly, without tipping off the bad guys, you're in a lot better position. (and they don't dare kill you until they've verified that the information they extracted from you is accurate)
      Also improvements to the technology authenticating the "something you are" to make copying impossible is a good thing because it forces them to take you to the authentication device, giving you some measure of temporary safety.
      preventing people from using a detached eyeball is easy in several different ways. first of all you can check pupil response or similar to make sure the eye behaves as if it's alive. secondly (and most importantly) you can put the checking device in a supervised place where someone walking up to it with a detached eyeball might attract some attention. this also helps when dealing with coersion/kidnapping issues, and makes even simple attacks like showing a picture to the scanner much more difficult as you now have to have that picture attached to your retina to make it work.
      Biometrics done right are wonderful, biometrics done wrong are our worst nightmare.

    5. Re:Does anyone remember the 3-factor security? by Anonymous Coward · · Score: 0

      Once they have detached your eyeball, you probably won't care about whether or not the device is able to detect the situation.

      In fact, once you see the scalpel up close, I'm sure you'll be thinking that you should have gone for the easy to give up RFID device, rather than the iris scanner.

    6. Re:Does anyone remember the 3-factor security? by green1 · · Score: 1

      The point isn't to stop them before detaching your eyeball, it's to make it pointless for them to bother. If they know that a detached eyeball won't work, why would they detach it? someone could come cut my eyeball out right now, but the lack of any authentication system making use of it means there is no reason to do so. similarly if all authentication devices require a LIVE eyeball, criminals will have no use for a detached one.
      There is no police force, alarm system, or other security force in existence that makes crime impossible. They all just seek to make crime more difficult, or to stop criminals after the fact. The thing is, criminals know this, and the mere existence of these systems prevents large amounts of crime.

  14. "Just eyes" by The+Mister+Purple · · Score: 1

    Somehow, I'm picturing the eye builder from Bladerunner when I think about reverse-engineered irises.

    --
    "For a successful technology, reality must take precedence over public relations, for nature cannot be fooled." Feynman
  15. All your iris by seanzig · · Score: 1

    All your iris are belong to us

  16. Biometric identity was never going to work by Anonymous Coward · · Score: 0

    There was only a brief window between the time it became possible and the time it became insecure. Fingerprint sensors have been foolable for years; now iris scanners are broken. Realtime DNA scanners aren't even practical yet, but they won't be feasible and secure for long once they become available, either.

  17. Pattern of uniqueness by jovius · · Score: 2

    The perfect identification system - is there none? Can everything be faked and replicated? In the end what is the most defining characteristics of a person's identity? One can for example create a complete fake identity and mimic a body with the help of non intrusive / intrusive technology. Perhaps the uniqueness comes from the constant flux - the actual logic or pattern of the changes in the person's life and body. Proving an identity completely means that the technology would follow the person anywhere and monitor the changes. How far is it necessary to actually go? The kind of systems can be abandoned once there's enough trust to not need them at all and/or there's nothing to guard.

    1. Re:Pattern of uniqueness by Anonymous Coward · · Score: 0

      I'm not sure, but I have a suspicion that any kind of biometric security can be bypassed.
      I think that once you are able to "measure" some biometric quality like irises, fingerprints, brain patterns, you will also be able to copy these same things and use the result to fool the system.

  18. Well... by Ryanrule · · Score: 1

    ...shit.

  19. Pupil dilation by ian_po · · Score: 2

    Ok, so current systems can be tricked with photographs, and that seem pretty silly. But future versions could record stereo images while altering the illumination of the subject's eye. Properly functioning (attached) human eyes should have irises that dilate with extreme changes to illumination. By masking the subjects eye or eyes from the surrounding environment and changing the illumination levels over time, a complex system could measure pupil dilation characteristics to evaluate if the eye before it is valid and alive. Randomly timed flashes would be hard to predict and might cause predictable blinking in most humans in addition to dilation changes. By using stereo images, the system could also verify the 3 dimensional shape of the changing iris, which would be much harder to fake with pictures.

    Add an infrared camera to mesure eye temperature and faking iris with a screen gets even harder.

    1. Re:Pupil dilation by Maximum+Prophet · · Score: 1

      Yes, these can be improved, but they are trying to be simple, fast, and cheap. When you have 200 people standing in line waiting to get on an airplane, Voight-Kampf'ing everyone is a non-starter.
      Simply going to retinal scans makes fooling the system much harder, but retinal scanning is slower than iris scanning.

      --
      All ideas^H^H^H^H^Hprocesses in this post are Patent Pending. (as well as the process of patenting all postings)
    2. Re:Pupil dilation by The+Mister+Purple · · Score: 2

      When you have 200 people standing in line waiting to get on an airplane, Voight-Kampf'ing everyone is a non-starter.

      And al-Qaeda doesn't even accept replicants as members...

      --
      "For a successful technology, reality must take precedence over public relations, for nature cannot be fooled." Feynman
  20. Bad Title/Comments by Anonymous Coward · · Score: 0

    "be sure to install new ones every 90 days" The premise of the post is stupid, the article is fine. The problem is not systemic - it is implementation specific. Claiming that iris scanning is a failed technique is like saying that a 1000 character random password is insecure because it was stored in plain-text or scrambling in a less than keen way. Obviously the problem here is the hashing system being used. If you improve the hashing system then iris' are still FAR better passwords because they contain FAR more information. Just like any other password you shouldn't, I don't know, enter it at a site that you don't think will be secure e.g. Joe Schmoe down the street has an iris scanner for his house, "lets scan your eye"! (this is equivalent to a keylogger). The article isn't debunking iris scanners, its debunking an idiotic claim by a company that their method is good.

  21. what if i have 3 eyes by Anonymous Coward · · Score: 0

    get a extra eye in your head or ten

  22. So some researchers found a vulnerability... by drdread · · Score: 1

    That neeeeeever happens in today's world of OS security, now does it? And what happens when researchers find a vulnerability in a computer system? It usually gets patched pretty quickly.

    This one will not take long to patch. In the "can you tell which is which?" pictures, I picked the synthetic iris with 100% accuracy, in less than 3 seconds of inspection. Yes, I work actively in the biometrics field...but guess what? So do the folks who build these systems. I will hazard a guess that Neurotech (and L-1, and IrsID, and Fujitsu, and...) has a patch out to defeat this is less than a month.

    Then another group of researchers will discover another vulnerability, and the game will continue.

    FWIW, liveness checks are part of lots of biometric systems, especially fingerprint systems. My prediction is that we will see liveness check technology appear in iris systems pretty quick now.

    1. Re:So some researchers found a vulnerability... by Bucky24 · · Score: 1

      Well the problem happens when the researchers that find the vulnerability are working for people who would rather exploit a vulnerability then patch it. Of course you're right in saying that no system is without it's flaws (at least I think that's what you're saying).

      --
      All the world's a CPU, and all the men and women merely AI agents
  23. Seems like a bad implementation to me by ggendel · · Score: 2

    I worked on early iris recognition software and we had already worked through this scenario way back then. If the scanner was worth it's salt, it would be doing what we did years ago...

    1) Verify that the eye reacts to changing light conditions... Pupils should contract or dilate when required.
    2) Verify that the eye isn't flat (i.e. a picture). Proper specularity orientation from changing light sources (we used infrared) to identify the curvature.
    3) Glowing pupil under infrared, dark with different lighting.

    I'm sure there were a number of other things we did, but it has been awhile. Bottom line is that we only used a representative frame from a video sequence for the iris coding; we used the sequence to verify that what we had was not a picture, a contact lens imprinted with an iris pattern, even a live person (not a corpse).

    When I left that project, we were able to do iris recognition at a significant distance even if the subject was walking fast using high speed, high resolution video capture.

    1. Re:Seems like a bad implementation to me by manu0601 · · Score: 1

      Please mod parent up, it is insightful.

  24. Simple fix by wirehead_rick · · Score: 1

    All biometrics can be fooled if the biometric sensor system alone is all you are using for the security.

    Biometrics only uniquely identifies a person. You still need another person (security guard, for example) or technology (detect a live human being and/or a real eye) to verify it is a person that provides the biometric input. This is to prove an actual person is there.

    Until someone switches eyes out (improbable) or finds a way to implant the iris image of another individuals eye within their own eye (improbable) a security person can verify an eye is actually being scanned by the biometric scanner. Add an independent security feature (ID, password, etc.) and it's a pretty darn good security system.

    --
    -- Mean People Suck
  25. I wear my sun glasses at night by Anonymous Coward · · Score: 0

    so I can
    so I can
    keep my identity safe

  26. Biometrics must be monitored by Anonymous Coward · · Score: 0

    When biometrics are used, there should always be someone there to monitor the person, ie. guard.

  27. Old joke by Anonymous Coward · · Score: 0

    Your data has been compromised. We have sent you a new finger. Failure to attach immediately releases us from any legal obligations.
    Have a nice day.

  28. used these machines in probation by jsh1972 · · Score: 2

    the eye scanners they had there measured iris geometry and pupil size and response. They were easily spoofed with psychoactive substances, because calibrated from a baseline measurements. If you could make the the baseline wasn't really baseline, subsequent tests would look a-ok