Can Iris-Scanning ID Systems Tell the Difference Between a Live and Dead Eye?

the_newsbeagle writes: Iris scanning is increasingly being used for biometric identification because it's fast, accurate, and relies on a body part that's protected and doesn't change over time. You may have seen such systems at a border crossing recently or at a high-security facility, and the Indian government is currently collecting iris scans from all its 1.2 billion citizens to enroll them in a national ID system. But such scanners can sometimes be spoofed by a high-quality paper printout or an image stuck on a contact lens.

Now, new research has shown that post-mortem eyes can be used for biometric identification for hours or days after death, despite the decay that occurs. This means an eye could theoretically be plucked from someone's head and presented to an iris scanner. The same researcher who conducted that post-mortem study is also looking for solutions, and is working on iris scanners that can detect the "liveness" of an eye. His best method so far relies on the unique way each person's pupil responds to a flash of light, although he notes some problems with this approach.

great

now we will have thieves that hook our eyes up to some kind of biostimulus circuits

Re: great

This question is entirely uninteresting to me. A multidimensional electromagnetic wave pattern interacts with a sensor that quantizes it into information that is fed into a system that derives a determination from it. Since there are no physical limitations to spoofing the pattern there are no foolproof iris scanners. NEXT, please!

Re: great

I think you're right that there are physical limitations here. As you note, the eye reacts to external stimuli, so even if the scan of a dead eye appears similar, it won't respond to things that trigger reflexes, either to close the eye or to contract or dilate the pupil. If those don't work, however, it's probably possible to 3D print an eyeball that would match an existing eye and fool a sensor. I've heard of 3D printing other tissues, so it's likely possible to 3D print an eyeball.

Re: great

by "multidimensional electromagnetic" did you mean 3, or more than Maxwell envisioned?

Uhm.... easy fix

Combine with retina scanning but ignore the pattern and simply watch for a pulse. Dead eyes have no pulse. Paper eyes have no pulse. Combine with a flash of light to alter pupil size for contact lens detection.

BTW I'm going to invest in Luxottica, their stock will be going up soon.

Re:Uhm.... easy fix

Add a pulse type pump to one of the dead eyes blood vessels and you've got that problem licked. A better way would be a light flash and watch for iris movement.

Re: Uhm.... easy fix

Mmm ... No! The only right fix is to treat the biometric as user ID only. And still ask them for password/2nd component which isn't biometric

Re:Uhm.... easy fix

[ShanghaiBill]

India's PDS entitles a citizen to a kg of rice and a liter of kerosene every month. How much trouble will people go through to cheat at that? Also, the iris scanning is monitored, so someone may notice if you hold up someone else's eyeballs instead of facing the scanner. For bigger transactions, the iris scan is just one factor: you also need to present an ID and/or enter a password or PIN.

Re:Uhm.... easy fix

[vasanth]

well it's not ppl cheating but pilferage in the supply chain that has traditionally been very difficult to control.. ppl at present have multiple ID (pan number - a tax id) to dodge taxes etc, this new system would mean that a person can only obtain one ID as a match in finger print or iris will cause the 2nd id not to be issued and the PDS system would need to authenticate the user for each transaction before any benefits are given meaning it is a lot more difficult for intermediaries to just siphon off 50% of the product and just make fake entries in the book claiming they were disbursed as intended...

Do not look into laser with remaining eye

[guruevi]

A pupil's response can be imitated with a video in response to the flash. I work with several types of eye trackers fairly frequently, the eye is relatively slow in responding to stimuli, it's definitely within the realm of a cell phone to play back the image of an eye and it's iris in response, in time to one of these flashes.

The problem with biometric is that it is considered the end-all of security system whereas it should be considered only part of something (who you are, what you know, ...)

Re:Do not look into laser with remaining eye

it's means it is.

Re:Do not look into laser with remaining eye

biometric is that it is considered the end-all of security system

I have never understood why people think this is the case. It doesn't take a genius to realize that there are a number of ways to get this data, most of which are highly unpleasant, assuming you survive it.

Plus, if it's compromised once from an appropriately insecure and high-resolution source (e.g. someone takes a picture of your eye in high detail), you're pretty much compromised for life. Some people would say this will never happen, but considering some of the dumbass mistakes that have made security holes possible, I sincerely doubt that.

Re:Do not look into laser with remaining eye

The problem with biometric is that it is considered the end-all of security system whereas it should be considered only part of something (who you are, what you know, ...)

No. The problem with biometrics is that it builds upon faulty assumptions and fails to address real concerns.

Somebody fakes my eyescan successfuly once, it loses all future use to me and now I have to scoop out an eye, perhaps replace it with a glass one with some famous person's fake eyescan patterns, to have some use out of it again. But wait, I'd rather keep the eye to see with.

The logical conclusion is that I don't want my eyes, not even one, be used as a security in this sort of gamble. That means you do not get to scan my eyes, ever, making the idea strictly useless for security, aaa, or whatever else you want to do with it, but instead outright dangerous for my valuable body parts.

Biometrics is only "hollywood security", where usernames, including the crappy and noisy biometric ones, are taken to be as good as passwords, and "security override" is all you need to get past any hurdle anyway. In the real world, security doesn't magically improve just because we bend over backwards for some camera looking into our eyes. Any biometric is more easily faked than replaced, and that makes them useless for the end-user, in fact outright dangerous to limb, possibly life, because it makes the end-user expendable.

That means there is only one correct answer to any biometric-anything idea: FUCK OFF with your biometrics, whatever idea you have this week. FUCK OFF ALREADY.

Re:Do not look into laser with remaining eye

Biometric should only be used to identify people accompanied by security persons who can determine of the biometric object being scanned it real or fake. This will require checks to see if the person is wearing contacts or an extra layer of skin, etc. This also requires the security person to immobilise the person who is being scanned to make sure slide-of-hand is not in play.

Biometric scanners without security are useless, since the biometric object can easily be harvested in public areas.

Re:Do not look into laser with remaining eye

I agree biometrics should be part of a 2FA scheme.

With the iris scanning, how about getting the person to follow a small dot around the scanner with their eye and an iris tracker can confirm it's doing so.

Re:Do not look into laser with remaining eye

[arth1]

With the iris scanning, how about getting the person to follow a small dot around the scanner with their eye and an iris tracker can confirm it's doing so.

Any security solution that depends on technology can also be defeated by technology.

In this case, you would have to have a system for tracking the eye, which would be defeated by a system for tracking the dot. Plus, you'd need guards against feeding the system wrong data at multiple points, or bypassing the tracking altogether. You'd multiply complexities unnecessarily, and only end up with another system to keep honest people honest.

Executives[*] who base their "knowledge" on Hollywood movies and detective stories are to blame for big business buying into biometrics for authentication. It's the worst thinkable system possible, because once you have defeated it, you have defeated a living human person, who cannot change his compromised biometrics.

The implementations fly in the face of ADA and similar measures too, directly discriminating against people who cannot use the systems. Some don't have fingerprints. Others cannot stand and look into the iris scanner. Or don't have eyes to look into them with. So you must have a backup system anyhow. That prompts the question: If the backup system is trustworthy, why not use it instead?

[*]: And unfortunately not just business execs. As late as last week, a police superintendent was quoted in a big newspaper saying that DNA evidence is 100% trustworthy and (I kid you not) we should never question it. The newspaper didn't even question that statement or ask an expert for opinion.

Re:Do not look into laser with remaining eye

[JaredOfEuropa]

Somebody fakes my eyescan successfuly once, it loses all future use to me

That's the real kicker. Imagine a password written on a yellow sticky, kept in your wallet. A password that is thus easily stolen, lost or duplicated. Now imagine that you cannot change that password, ever.

Re:Do not look into laser with remaining eye

[SNRatio]

Er, no. Iris or retina scan and most other biometrics are and will continue to be useful: for identifying people in the flesh. Unless you are willing to remove your eyeball and replace it with a replica of someone else's you won't be fooling the security guard at the door.

Re:Do not look into laser with remaining eye

It only requires someone who's already lost an eye to do a succesful impersonation. Or someone who knows how to make contact lenses that fool eye scanning equipment, or some other contraption. You can already get custom contact lenses, so working out how to fool this expensive machinery is but a small step. But no matter, for however it gets done, the effect is the same: The impersonation removes all future "safe" use from my eye, leaving me bereft one usable credential, and sticking me with a burned one I would otherwise be unwilling to lose.

I now walk around with a burned credential, forever marking me tainted because it's been abused once. I'll be lucky if at every scan a marker pops up "victim of impersonation!", but more likely there'll be something along the lines of "WARNING WARNING DOUBLE CHECK ABUSED CREDENTIAL SSSS GET THE GLOVES WARNING WARNING", for every important-ish check, for the rest of my life. For something someone else did, not even me.

So the error in your thoughts is believing this mechanism beneficial to security, when it does in fact do quite the opposite. It makes legitimate actors within the system vulnerable to attacks that leave them bereft and stuck, with redress made impossible, thus making the legitimate actors effectively expendable.

This is the sticking point and you have not refuted it. You have only reiterated the kool-aid you drank, and so apparently you are okay with the consequences. The fundamental problem is that biometrics are nothing more than a "let's make hollywood real!" circle jerk. You always run into the expendability problem, and you cannot fix it. Because you thought that irreplacability of credentials was a good idea. Guess what, it isn't.

Oh, and another thing: Why is it too hard for that guard at the door to compare, say, a picture on a card, with the person holding it up? If he's there he might as well make himself useful. The reality will again be that there will be plenty of deployments of biometric scanners without any such guard, because why else do we have all this wonderful technology, and then the impersonator suddenly has all the leeway he needs. Thus biometrics are not suitable for "casual" deployment, and where it isn't casual, it's still only a security theatrical gimmick.

Re: Do not look into laser with remaining eye

"For something someone else did" and thus John Conner was born.

Re:Do not look into laser with remaining eye

be useful: for identifying people in the flesh

And that's the core lie. The notion of self-identity is an abstraction of dealing with the mind and the flesh over the course of a lifetime. And the quest of others to identify you are, in the end, the path to tyranny. It is one of the core reasons that the 4th Amendment was construction to include "papers" as one of the provisions, as papers were a major use of identification and still are. The government nor really anyone has a right to demand you identify yourself. Now, yes, this does lead to the point that others can choose to ignore you. And it's a sticky point on how exactly the IRS can reasonably do its job when it comes to tax collection. But the 4th Amendment speaks of "unreasonably search and seizure" which would imply some obvious latitude.

In any case, the core point is that a large part of modern society is allowing people to change their identity over time. Be it their name, their occupation, their marital status, etc. It is in many ways the core of what is the American Dream: that one is not fixed at birth to a single destiny with no control and with a government (or equivalent corporation) that dictates to you who you are.

fooling the security guard at the door.

What security guard? Beyond that, uh, ever seen Barb Wire*? As the other poster mentioned, contact lens or just missing an eye gives you free reign to circumvent this security. In the end, all an iris scanner can tell you is "yes, I sense a certain pattern". That we conflate that with identity is just as absurd as thinking all "John Smith" on the No-Fly-List must be a terrorist--even if it's much easier to be a John Smith than to provide the same iris scan..

*Actually, I didn't watch it except for like 1 minute while flipping through the channels. And oddly enough, it showed the whole "fake iris scan with a contact lens" thing in an airport (IIRC). "There isn't a test that's been created a smart man can't find his way around." One of the best DS9 episodes, IMO.

Re:Do not look into laser with remaining eye

[SNRatio]

just missing an eye gives you free reign to circumvent this security.

"Just"???

You first.

contact lens

So add a measure of interpupillary distance. Are you up for having your skull cracked in two and then widened or narrowed so that your IPD matches too? Also: retina scans. Unless they have some pretty amazing holographic properties, contact lenses won't fool a retina scan.

Re:Do not look into laser with remaining eye

"Just"??? You first.

In a world that was dependent on such foolishness, the one-eyed man would be king. It would not take a person to intentionally lose an eye.

So add a measure of interpupillary distance. Are you up for having your skull cracked in two and then widened or narrowed so that your IPD matches too?

Because obviously one couldn't project a different distance on the surface on a contact lens as required.

Also: retina scans. Unless they have some pretty amazing holographic properties, contact lenses won't fool a retina scan.

You're like Donald Trump. Propose a wall of 30 feet and say how impassible it would be...unless you had a 31 foot ladder and a rope. In the end, a retina scan may be "good enough" for many applications. But if it becomes common, you'll "have some pretty amazing holographic" contact lenses for sure. The same for if there's a juicy enough target and government money involved.

Yet, in the end, to pretend that this unchangeable property of the common person should be relied upon is absurd. Because, in the end, it will result in common people HAVING to use "some pretty amazing holographic" contact lens just to go about their daily lives as their retina scans are stolen and used. That is the absurdity.

Re:Do not look into laser with remaining eye

That prompts the question:

Thank you!

Re:Do not look into laser with remaining eye

That means there is only one correct answer to any biometric-anything idea: FUCK OFF with your biometrics, whatever idea you have this week. FUCK OFF ALREAD

That is exactly why the NSA and TSA will adopt this in time for border crossing and international travel. You think you can keep their fingers out of your anus? You would like to think so, but not so fast.. they can do whatever they want.

Demolition Man

Demolition Man did it

Re:Demolition Man

I used to think that Sylvester Stallone was a bit of a moron with that "Yo Adrian" voice and the way he plays simple people. Nowadays, I think he's Nostradamus reincarnated to have a second chance to warn people. Slystradamus was close on the microchipping, though the microchipping of pets is probably just a test run before it is tried nationwide on humans.

Re:Demolition Man

Strictly speaking, it was Simon Phoenix:

Eyeball

Re:Demolition Man

Oh cocks.

If you wanted to see the eyeball scene, here it is this time, instead of the wrong link I posted before.

Really the eyeball scene this time

I don't have any dead eyes

[fustakrakich]

But one of them is kinda lazy. Will that make a difference?

Well, DUH

[93+Escort+Wagon]

"Now, new research has shown that post-mortem eyes can be used for biometric identification for hours or days after death"

Sheesh, I saw this on an episode of La Femme Nikita probably a decade or so ago. I could've lent them the DVD, if they'd asked.

Re: Well, DUH

And the minority report movie, remember that?

biometric identification insecure by nature

[sittingnut]

biometric identification and verification is insecure by its very nature.
whole concept derives from faulty assumption that identity of a person is securely linked his/her body parts. obviously body parts can be separated from true identity by variety of means ranging from death, amputation, kidnapping and coercion, replication , etc etc.
other forms of identification and verification based on links to individual's mind and memory, while far from perfect, is more secure.
even simple forms of that, like passwords, can defeat insecurities created by death, amputation, some coercion, etc etc.

all rational knowledgeable people should counter absurd biometric identification hype.

Re: biometric identification insecure by nature

I figured biometric was for people who kept forgetting passwords or losing key fobs. Until they get DNA sequence realtime at least then you'll just have to handle twins and triplets special case.

Re:biometric identification insecure by nature

[ET3D]

It's far from perfect, but still much more secure than insecure passwords, which are what we commonly have. It's a lot easier to get passwords (as proved by the many millions of them available online) than to get the biometric identifiers.

Re:biometric identification insecure by nature

bullshit. The only way it's more secure than passwords is if you have an in person security guard right there. It's a lot easier to get your fingreprints than your password if I'm targeting you, and biometrics fall victim to every attack on stupid american credit cards.

Re:biometric identification insecure by nature

[Misagon]

The biggest fallacy of using biometrics for security is that biometric codes can not be changed.
Once a biometric code has been cracked then that code is useless forever and you are stuck with it. If a protected resource requires e.g. an iris or finger print but that print is revoked, then you can never use that authentication mechanism every again.
If someone successfully guesses your password (or encryption key) then you can rescind it and use another.

Another fallacy is that it is actually not difficult to get hold of biometric keys. Irises can be read at a distance now. You put your fingerprints on everything you touch. Face recognition can be foiled by a mask, etc.

This validates how many cheesy movies?

[mykepredko]

Yet another case of popular media predicting actual science.

Seriously, I think there was at least one James Bond ("Never Say Never"?) with this theme as well as one in which eyes were carried around in plastic baggies to break security. I think the big part of this was the "ick" factor to create audience buzz.

Re:This validates how many cheesy movies?

[rainer_d]

Minority Report is 2002. Demolition Man is 1993: https://www.youtube.com/watch?...
Never Say Never Again is from 1983, but in it, somebody has his Iris altered to match the President's one: https://en.wikipedia.org/wiki/...

Re:This validates how many cheesy movies?

[mykepredko]

Thank you for the references.

Comment Deleted

Comment Deleted: Because this post violates the SlashdotMedia terms of use, the contents of this post have been deleted. However, this message is left as a placeholder in order to preserve any replies to the post.

Re: Comment Deleted

Huh? So the mods are now silencing users?

Re:Comment Deleted

Comment Deleted: Because this post violates the SlashdotMedia terms of use, the contents of this post have been deleted. However, this message is left as a placeholder in order to preserve any replies to the post.

Censorship is a beautiful thing for every eye to behold.

Re:Comment Deleted

Comment Deleted: Because this post violates the SlashdotMedia terms of use, the contents of this post have been deleted. Insulting moderators will not be tolerated. However, this message is left as a placeholder in order to preserve any replies to the post.

Free Speech belongs only to the mouths of the powerful elite, and the undying supremacy of The New Oligarchs of SlashdotMedia may not be questioned under any circumstances.

Re:Comment Deleted

[Barny]

You consider /. to be part of the government? Hot dang are you trying to inflate their ego?

Re:Comment Deleted

I hope I'm inflating the ego of a false-flag troll and Comment Deleted isn't for real.

Re:Comment Deleted

[Calydor]

This is where I'm curious, was this a tongue-in-cheek bit of humor or was this post actually deleted?

Re:Comment Deleted

[ecotax]

I'm curious too. I guess we'll have to wait and see if this is going to happen more often. Unless you feel like experimenting by posting messages that would qualify for the same treatment, of course. Personally, I don't.

Re:Comment Deleted

[Ol+Olsoc]

I'm curious too. I guess we'll have to wait and see if this is going to happen more often. Unless you feel like experimenting by posting messages that would qualify for the same treatment, of course. Personally, I don't.

Posts don't get deleted, they get modded up or down.

Some anonymous cowards get much butthurt when anyone disagrees, so they make up this censorship meme.

That being said, when the cowards go on one of their weird psychosexual or ridiculously offtopic binges, we have the ability to set the topic settings so we don't see the stuff. That also causes much butthurt.

Re: Comment Deleted

[BarbaraHudson]

YHBT. Also, at the time of the supposed deletion, there was no thread to delete. And who would even notice, never mind care, if an AC comment was deleted anyway. Too bad there is no option to both browse at -1 and to not display AC comments.

Re: Comment Deleted

[Calydor]

And who would even notice, never mind care, if an AC comment was deleted anyway.

Elitist much?

First of all, anyone that appreciates Slashdot's history of never deleting comments (except that one about Scientology they received a court order to remove, AFAIR) would care.

Secondly, are you seriously saying that all anonymous comments ever are worthless? Really?

Re: Comment Deleted

[BarbaraHudson]

It's not elitist to choose what you want to see and what you don't. Can't be arsed to log in or take credit for what you say, then why should I be arsed to read it? That is the exact opposite of elitist, since ANYONE can have an account, so quit trying to reframe the question to something totally bogus.

Are all AC comments worthless? Maybe not - but there's too much NOISE and not enough SIGNAL. The option to hide AC comments would be a huge improvement just in eliminating troll scripts.

Somebody sold India a LOT of hardware

[Tony+Isaac]

India is going to find out that iris scanning suffers from all of the same issues as any other biometric scanning device. ALL of them have to turn the scan into a digital representation, which is then used to authenticate or verify identity. The weak point int he process is between the device and the computer. Since that digital representation can be copied and replicated, it is no more secure than any other identification system. It's actually less secure, because it's considered the user name AND password. Any biometric system really needs a second factor, a password, to go with it.

Re:Somebody sold India a LOT of hardware

Also it can't be revoked. When there's a contact lens of your iris in the wild, it can't be flagged invalid and a new iris issued.

Re:Somebody sold India a LOT of hardware

[vasanth]

well the AADHAAR system you are talking about has multiple levels of authentication which include iris, fingerprint, OTP to your mobile and password.. and the system does not give out any of these information, any one can use the system to authenticate by the means they deem fit by submitting the authentication details to the AADHAAR service and it will get back with only a TRUE/FALSE response and nothing else.. so as a service provider you can decide the level of authentication required, a bank might decide to use IRIS+PIN where as a liquor shop is just happy to verify your age against your fingerprint.

First...

[Archfeld]

First they took our jobs, then they took our thumbs, now they are gonna take our eyeballs. When will it end ??

Re:First...

[Locke2005]

Well, if you weren't just sitting around with your thumbs up you butts in the first place, they wouldn't have taken your thumbs! Personally, I'd rather not use biometrics, precisely because of the damage to my body that someone seeking to steal my identity would do.

Re:First...

Woooosh, strike one for reading comprehension.

Comment Deleted

Comment Deleted: Because this post violates the SlashdotMedia terms of use, the contents of this post have been deleted. Insulting moderators will not be tolerated. However, this message is left as a placeholder in order to preserve any replies to the post.

Been there. Done That

[fahrbot-bot]

This means an eye could theoretically be plucked from someone's head and presented to an iris scanner.

Minority Report - duh.

Dead Detection Is Easy

The eye will be cold. Use a camera that is sensitive to heat.

Re:Dead Detection Is Easy

Just head the eye with a blow torch as you hold it in front of the camera.

FOR A GAY UNIVERSE

 

STICK YOUR HAND INTO THE HOLY ASSHOLE

 

and before that..

Demolition Man

https://www.youtube.com/watch?v=CbM--4-z0cs

Don't use proto-matter

[ChadSmith4920]

you've got Genesis, but you don't have me!

Iris Scan is just data.

An Iris scan is just data and you do not need an eye to spoof data. You just need to trick the system that the data came from a valid iris scanner. Biometric scanners are a bad bad idea as once your identity data is spoofed, your identity is permanently stolen.

Re:Iris Scan is just data.

Exactly. Biometrics are used because it is just so convenient and cost effective, not because of security reasons. "Doesn't change over time" means companies don't need the tech support anymore as there will be no requests to restore passwords their customers don't remember. What they don't recognize they still need personnel for verifying the "old school data integrity": verify the data is coming directly from the real person's real eye etc.

It doesn't matter

[Casandro]

You can always take an image of a dead iris scan, manipulate it, and feed that to the camera.

The same problem with all biometrics

[Macdude]

Iris scanning suffers from the same fatal flaw that every other type of biometric scanning suffers from. What do you do when my iris scan is compromised? How are you going to issue me a new iris identification?

Eat healthy and change your iris

There are loads of people out there that are making massive changes to their eyes (including to some degree color) just by eating a raw food diet. How valid is this as a security measure if the iris can change so drastically depending on how clean someone eats? What about the field of iridology and the changes that happen to the iris as health issues crop up? Seems to me that doing retina scans would be a bit more reliable as a security measure, and as an extra security measure the scanner could check pupillary responses to light. A dead eye could never change how dilated the pupil is.

poorly researched article

"body part that's protected and doesn't change over time" that's be apart from the 20+ illnesses that affect the iris or the fact that a mere knock to the head can also effect a change in the iris like heterochromia iridum.

My patenter method

is to detect whether or not there is a fork stemming below the eye being scanned

So far this detection method works 100%

Serious issues already

"Can Iris-Scanning ID Systems Tell the Difference Between a Live and Dead Eye?"

We shouldn't be even asking this question. It should be clear by now that person identification should be a process: verify the ID is coming from the person. Otherwise it will be just ID data and data to duplicate/manipulate/steal.

"...relies on a body part that's protected and doesn't change over time"

This will be a serious issue if there is no process to check the source of the ID data (coming from the person's eye). This means there will be identity thefts and it will be "just a password" just like other ID methods (but it can't be changed).

Film

If Hollywood has taught me anything, it is that iris scanners can be fooled by a dead eye, just as fingerprint scans can accept severed digits.

For now.

Availability is directly tied to use. We have already got databases of passwords attached to every website that has a login so most break-ins will have a chance to make a copy, if fingerprints iris scans or something else biometric got used in the same way then this would be true of them too, but now you cant change them.

Biometric identification is a shared password you can never change, and shared passwords are the most insecure of all. Of course you can mitigate against this in physical situations, if you have a security guard, but this mitigation is partial and depends on your system being designed to make bypass attempts obvious. This means that except in the most extreme cases of belt and braces security just an iris scan or equivalent is worse than just a key-card even without a pin!

palm vien

[markdavis]

>"Iris scanning is increasingly being used for biometric identification because it's fast, accurate, and relies on a body part that's protected and doesn't change over time. "

Not really. It is a rather stupid biometric, especially when something exists that is far better in just about every way....

There is only one safer and practical biometric I know of- that is deep vein palm scan. That registration data cannot be readily abused. It can't be latently collected like DNA, fingerprints, and face recognition can (and possibly iris scans). You have to know you are registering/enrolling when it happens. You don't leave evidence of it all over the place. When you go to use it, you know you are using it every time. And on top of all that, it is accurate, fast, reliable, unchanging, live-sensing, and cheap. If you must participate in a biometric, this is the one you should insist on using.

Example: http://www.m2sys.com/palm-vein...

But we also need to realize that IT IS NOT EVERYONE'S BUSINESS WHAT WE ALL DO, where we go, what we buy, who we talk with, WHO WE ARE. The first step in securing freedom is privacy and often means anonymity. When you are identified and tracked, you are losing your freedom, whether you realize it or not.

Re:palm vien

[Locke2005]

Actually, eyes do change over time. My contacts weren't letting in enough oxygen, so blood vessels grew into my eyes. Not sure how much that would affect an iris scan, though.

So soon they forget

[ggendel]

As someone that was part of the team that pioneered iris recognition in the late 80s, I can say that this is totally the fault of the current software. We had various techniques implemented from the start that would prevent this kind of problem. Controlling multiple IR leds to provide a changing specularity pattern. This would guarantee that the eye was shaped as expected, rejecting all flat copies. Checking for the normal pulsation of the pupil would reject dead eyes. There were various other checks, like verification of facial features (there were two eyes, etc.). Checking for the proper occlusion of the eyelids was also part of the process. With only a few captures our testing has not shown this kind of issue (and we did try perfect eye replication). I've heard this kind of thing from the beginning, nothing new here. Again, we implemented all of these features in our original work, but implementors felt that these should not be included in their products.

Re:So soon they forget

Someone must have implemented and continued to improve upon your team's initial work, which vendors are those, then? I'd imagine their systems are expensive and defense-market-oriented, but there's no way someone could have ignored all that initial work your team did.

Doesn't stop them from trying

[burgundy]

It'll be a great reassurance to the bank to know that the bad guys can't get into the vault by holding up an eyeball they've "liberated" from the bank manager. However, it'll be little comfort to the now eyeless bank manager if the bad guys haven't kept themselves abreast of the developments in dead eye detection, or if they decide to give it a go anyway. If some bit of your anatomy holds the biometric keys to something of value, then in addition to all the other problems that get mentioned about biometrics, you're counting on every lunatic out there with a sharpened spoon or a pair of garden shears knowing that it's pointless to scoop out your eye or lop off your thumb. Not very reassuring.

Trump 2016

Make America less fucked up again.

Can't they check for blinking?

I mean, this is tech we are talking about. It can't be that difficult.

Re:Can't they check for blinking?

[Locke2005]

You weigh the costs of false positives vs. false negatives, and you're going to accept the false positives every time. Otherwise, some CEO get pissed off because the system won't let him in, and the whole system gets yanked out. So, short answer, no, they can't check for blinking, it adds yet another failure mode,

Re:Can't they check for blinking?

Wait, we are only checking for blinking to validate how human that person is. it can't be more complicated than a fingerprint with an order of magnitude more difficult FRR.

constructing dead guys finger

[peter303]

There was story this week about the police approaching a 3d printing prothestics expert to reconstruct the fingers of a dead guy to unlock an iPhone. They tried the fingerprint image which didnt work.

Minority report did it twice

[peter303]

First Cruise has an eye transplant to avoid discovery. Second he gives his ex-wife his original eye to break him out of prision-stasis.

No surprise here

[Locke2005]

Having seen the movie Demolition Man, I've always been opposed to biometrics in the first place. My body parts are more important to me than my data!

Fuck biometric scanning

Fuck biometric scanning. We've gotten along without it for thousands of years. We deserve what little bit of anonymity that we have left. Why do we keep sacrificing privacy for convenience, especially to government entities. It's all so fucked. I hope US citizens won't let the government pull shit like this. It should be illegal.

denis leary was the real prophet...

The world he often ranted about hating is fast becoming the reality, he identified SJW's before they were even coined, the nanny state the country has become, ect...

Yes, the tech already exists...

[dublin]

The answer is yes. The technology to detect the difference has been around for over a decade, but it's not in any iris scanner for security that I'm aware of.

My Mom and Dad (yes, both of them, this one was actually Mom's idea), hold a patent on a method for using a laser and optical system to measure a bunch of things about the eyeball, including intraocular pressure. It's sensitive enough to not only measure the internal eyeball pressure, but you can very easily see the pulse, and with a bit of clever math, it's even possible to use it to generate a non-contact blood pressure measurement.

So, in short, It's certainly possible to tell the difference between a live eyeball and a dead one in ways that are pretty difficult, and certainly cumbersome, to fake, if you care enough to do so. Combining this with some other methods could easily result in a very accurate system that would also be very hard to spoof...

Change over time.. it does

[MercTech]

Hmmm, the article ignores the fact that a retinal scan is changed by cataracts, glaucoma, log term diabetes, retinal detachment, macular holes, macular degeneration, or massive beta radiation exposure.

    I wonder if using IR laser scan instead of red laser scan as the first generation of the tech did would sense living tissue based on temperature?