Slashdot Mirror
Can Iris-Scanning ID Systems Tell the Difference Between a Live and Dead Eye? (ieee.org)
the_newsbeagle writes: Iris scanning is increasingly being used for biometric identification because it's fast, accurate, and relies on a body part that's protected and doesn't change over time. You may have seen such systems at a border crossing recently or at a high-security facility, and the Indian government is currently collecting iris scans from all its 1.2 billion citizens to enroll them in a national ID system. But such scanners can sometimes be spoofed by a high-quality paper printout or an image stuck on a contact lens.
Now, new research has shown that post-mortem eyes can be used for biometric identification for hours or days after death, despite the decay that occurs. This means an eye could theoretically be plucked from someone's head and presented to an iris scanner. The same researcher who conducted that post-mortem study is also looking for solutions, and is working on iris scanners that can detect the "liveness" of an eye. His best method so far relies on the unique way each person's pupil responds to a flash of light, although he notes some problems with this approach.
Now, new research has shown that post-mortem eyes can be used for biometric identification for hours or days after death, despite the decay that occurs. This means an eye could theoretically be plucked from someone's head and presented to an iris scanner. The same researcher who conducted that post-mortem study is also looking for solutions, and is working on iris scanners that can detect the "liveness" of an eye. His best method so far relies on the unique way each person's pupil responds to a flash of light, although he notes some problems with this approach.
A pupil's response can be imitated with a video in response to the flash. I work with several types of eye trackers fairly frequently, the eye is relatively slow in responding to stimuli, it's definitely within the realm of a cell phone to play back the image of an eye and it's iris in response, in time to one of these flashes.
The problem with biometric is that it is considered the end-all of security system whereas it should be considered only part of something (who you are, what you know, ...)
Custom electronics and digital signage for your business: www.evcircuits.com
Demolition Man did it
But one of them is kinda lazy. Will that make a difference?
“He’s not deformed, he’s just drunk!”
biometric identification and verification is insecure by its very nature.
whole concept derives from faulty assumption that identity of a person is securely linked his/her body parts. obviously body parts can be separated from true identity by variety of means ranging from death, amputation, kidnapping and coercion, replication , etc etc.
other forms of identification and verification based on links to individual's mind and memory, while far from perfect, is more secure.
even simple forms of that, like passwords, can defeat insecurities created by death, amputation, some coercion, etc etc.
all rational knowledgeable people should counter absurd biometric identification hype.
Yet another case of popular media predicting actual science.
Seriously, I think there was at least one James Bond ("Never Say Never"?) with this theme as well as one in which eyes were carried around in plastic baggies to break security. I think the big part of this was the "ick" factor to create audience buzz.
Mimetics Inc. Twitter
India is going to find out that iris scanning suffers from all of the same issues as any other biometric scanning device. ALL of them have to turn the scan into a digital representation, which is then used to authenticate or verify identity. The weak point int he process is between the device and the computer. Since that digital representation can be copied and replicated, it is no more secure than any other identification system. It's actually less secure, because it's considered the user name AND password. Any biometric system really needs a second factor, a password, to go with it.
First they took our jobs, then they took our thumbs, now they are gonna take our eyeballs. When will it end ??
errr....umm...*whooosh* *whoosh* Is this thing on ?
This means an eye could theoretically be plucked from someone's head and presented to an iris scanner.
Minority Report - duh.
It must have been something you assimilated. . . .
India's PDS entitles a citizen to a kg of rice and a liter of kerosene every month. How much trouble will people go through to cheat at that? Also, the iris scanning is monitored, so someone may notice if you hold up someone else's eyeballs instead of facing the scanner. For bigger transactions, the iris scan is just one factor: you also need to present an ID and/or enter a password or PIN.
You consider /. to be part of the government? Hot dang are you trying to inflate their ego?
...
you've got Genesis, but you don't have me!
This is where I'm curious, was this a tongue-in-cheek bit of humor or was this post actually deleted?
-=This sig has nothing to do with my comment. Move along now=-
You can always take an image of a dead iris scan, manipulate it, and feed that to the camera.
Iris scanning suffers from the same fatal flaw that every other type of biometric scanning suffers from. What do you do when my iris scan is compromised? How are you going to issue me a new iris identification?
"Grab them by the pussy" -- President of the United States of America
Availability is directly tied to use. We have already got databases of passwords attached to every website that has a login so most break-ins will have a chance to make a copy, if fingerprints iris scans or something else biometric got used in the same way then this would be true of them too, but now you cant change them.
Biometric identification is a shared password you can never change, and shared passwords are the most insecure of all. Of course you can mitigate against this in physical situations, if you have a security guard, but this mitigation is partial and depends on your system being designed to make bypass attempts obvious. This means that except in the most extreme cases of belt and braces security just an iris scan or equivalent is worse than just a key-card even without a pin!
well it's not ppl cheating but pilferage in the supply chain that has traditionally been very difficult to control.. ppl at present have multiple ID (pan number - a tax id) to dodge taxes etc, this new system would mean that a person can only obtain one ID as a match in finger print or iris will cause the 2nd id not to be issued and the PDS system would need to authenticate the user for each transaction before any benefits are given meaning it is a lot more difficult for intermediaries to just siphon off 50% of the product and just make fake entries in the book claiming they were disbursed as intended...
I'm curious too. I guess we'll have to wait and see if this is going to happen more often. Unless you feel like experimenting by posting messages that would qualify for the same treatment, of course. Personally, I don't.
"Money is a sign of poverty." - Iain Banks
I'm curious too. I guess we'll have to wait and see if this is going to happen more often. Unless you feel like experimenting by posting messages that would qualify for the same treatment, of course. Personally, I don't.
Posts don't get deleted, they get modded up or down.
Some anonymous cowards get much butthurt when anyone disagrees, so they make up this censorship meme.
That being said, when the cowards go on one of their weird psychosexual or ridiculously offtopic binges, we have the ability to set the topic settings so we don't see the stuff. That also causes much butthurt.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
YHBT. Also, at the time of the supposed deletion, there was no thread to delete. And who would even notice, never mind care, if an AC comment was deleted anyway. Too bad there is no option to both browse at -1 and to not display AC comments.
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
>"Iris scanning is increasingly being used for biometric identification because it's fast, accurate, and relies on a body part that's protected and doesn't change over time. "
Not really. It is a rather stupid biometric, especially when something exists that is far better in just about every way....
There is only one safer and practical biometric I know of- that is deep vein palm scan. That registration data cannot be readily abused. It can't be latently collected like DNA, fingerprints, and face recognition can (and possibly iris scans). You have to know you are registering/enrolling when it happens. You don't leave evidence of it all over the place. When you go to use it, you know you are using it every time. And on top of all that, it is accurate, fast, reliable, unchanging, live-sensing, and cheap. If you must participate in a biometric, this is the one you should insist on using.
Example: http://www.m2sys.com/palm-vein...
But we also need to realize that IT IS NOT EVERYONE'S BUSINESS WHAT WE ALL DO, where we go, what we buy, who we talk with, WHO WE ARE. The first step in securing freedom is privacy and often means anonymity. When you are identified and tracked, you are losing your freedom, whether you realize it or not.
As someone that was part of the team that pioneered iris recognition in the late 80s, I can say that this is totally the fault of the current software. We had various techniques implemented from the start that would prevent this kind of problem. Controlling multiple IR leds to provide a changing specularity pattern. This would guarantee that the eye was shaped as expected, rejecting all flat copies. Checking for the normal pulsation of the pupil would reject dead eyes. There were various other checks, like verification of facial features (there were two eyes, etc.). Checking for the proper occlusion of the eyelids was also part of the process. With only a few captures our testing has not shown this kind of issue (and we did try perfect eye replication). I've heard this kind of thing from the beginning, nothing new here. Again, we implemented all of these features in our original work, but implementors felt that these should not be included in their products.
It'll be a great reassurance to the bank to know that the bad guys can't get into the vault by holding up an eyeball they've "liberated" from the bank manager. However, it'll be little comfort to the now eyeless bank manager if the bad guys haven't kept themselves abreast of the developments in dead eye detection, or if they decide to give it a go anyway. If some bit of your anatomy holds the biometric keys to something of value, then in addition to all the other problems that get mentioned about biometrics, you're counting on every lunatic out there with a sharpened spoon or a pair of garden shears knowing that it's pointless to scoop out your eye or lop off your thumb. Not very reassuring.
And who would even notice, never mind care, if an AC comment was deleted anyway.
Elitist much?
First of all, anyone that appreciates Slashdot's history of never deleting comments (except that one about Scientology they received a court order to remove, AFAIR) would care.
Secondly, are you seriously saying that all anonymous comments ever are worthless? Really?
-=This sig has nothing to do with my comment. Move along now=-
There was story this week about the police approaching a 3d printing prothestics expert to reconstruct the fingers of a dead guy to unlock an iPhone. They tried the fingerprint image which didnt work.
First Cruise has an eye transplant to avoid discovery. Second he gives his ex-wife his original eye to break him out of prision-stasis.
Having seen the movie Demolition Man, I've always been opposed to biometrics in the first place. My body parts are more important to me than my data!
I've abandoned my search for truth; now I'm just looking for some useful delusions.
You weigh the costs of false positives vs. false negatives, and you're going to accept the false positives every time. Otherwise, some CEO get pissed off because the system won't let him in, and the whole system gets yanked out. So, short answer, no, they can't check for blinking, it adds yet another failure mode,
I've abandoned my search for truth; now I'm just looking for some useful delusions.
The answer is yes. The technology to detect the difference has been around for over a decade, but it's not in any iris scanner for security that I'm aware of.
My Mom and Dad (yes, both of them, this one was actually Mom's idea), hold a patent on a method for using a laser and optical system to measure a bunch of things about the eyeball, including intraocular pressure. It's sensitive enough to not only measure the internal eyeball pressure, but you can very easily see the pulse, and with a bit of clever math, it's even possible to use it to generate a non-contact blood pressure measurement.
So, in short, It's certainly possible to tell the difference between a live eyeball and a dead one in ways that are pretty difficult, and certainly cumbersome, to fake, if you care enough to do so. Combining this with some other methods could easily result in a very accurate system that would also be very hard to spoof...
"The future's good and the present is nothing to sneeze at." - Roblimo's last
It's not elitist to choose what you want to see and what you don't. Can't be arsed to log in or take credit for what you say, then why should I be arsed to read it? That is the exact opposite of elitist, since ANYONE can have an account, so quit trying to reframe the question to something totally bogus.
Are all AC comments worthless? Maybe not - but there's too much NOISE and not enough SIGNAL. The option to hide AC comments would be a huge improvement just in eliminating troll scripts.
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
Hmmm, the article ignores the fact that a retinal scan is changed by cataracts, glaucoma, log term diabetes, retinal detachment, macular holes, macular degeneration, or massive beta radiation exposure.
I wonder if using IR laser scan instead of red laser scan as the first generation of the tech did would sense living tissue based on temperature?
NRRPT/RCT