Readying Iris Recognition for Prime Time
Authentication Method Needs Some More WorkFederal researchers have reconfirmed the reliability of the iris as an authentication factor. But we're at least three years away from using iris scanning as an advanced method of user authentication for IT systems.
See Also: How to Take the Complexity Out of Cybersecurity
What's holding back iris recognition as an authentication tool to access information on IT systems? Several experts I spoke with this week narrowed the reasons to three: size, cost and culture.
Specialized iris-reading cameras are too big to fit into the form factor of a laptop, smart phone or tablet. To be practical, an iris camera needs to be shrunk to the size of a webcam. For now, most iris cameras are much larger.
Iris-reading cameras are too costly to be economically feasible to build into user devices - even if they could fit. Iris scanners and cameras cost hundreds if not thousands of dollars each. Imagine what that would do to the cost of a laptop of tablet.
Another barrier: The IT security culture. When addressing authentication, many organizations' IT security groups focus on something the user knows (password) or something the user has (token) and not on who the user is (biometric). That type of thinking needs to change. "Frankly speaking, the IT side of business doesn't see biometric security as a real value to them, unfortunately," says Mohammad Murad, a vice president at iris-recognition systems maker Iris ID, a spinoff of LG Electronics. "They're still focused on passwords, PINs, and the RSA tokens type of things."
Iris recognition is commonly used as an authentication tool for physical access to a secured building or room and for identifying frequent travelers traversing the U.S.-Canadian border. The government of India is employing iris-recognition technology to identify citizens for the secure distribution of government benefits. But it's rare for iris biometrics to be used as authentication to access an IT systems.
NIST Studies a Study
Patrick Grother, a computer scientist at the National Institute of Standards and Technology and NIST biometric testing project leader, says the reliability of the iris remains high as an authentication factor. Grother headed a team of NIST researchers that vetted an academic study, which suggests aging could alter the appearance of the iris, making it an unreliable authentication factor. That study of 217 subjects over three years finds that the recognition of the subjects' irises became increasingly difficult, consistent with an aging effect, which was caused by pupil dilation.
But the NIST researchers, in their report Temporal Stability of Iris Recognition Accuracy, didn't reach the same conclusions about the impact of pupil dilation.
"Dilatation is something that algorithm developers have known about since day one, when the first algorithms were produce 20 years ago," Grother says. "A small amount of dilation is akin to a small amount of head rotation in facial biometrics. The algorithm developers attended for it. It certainly changes the similarity score but not to the point where errors are introduced."
Similar to aging, eye drops can dilate pupils, but only in the most extreme cases would there be significant altering of an iris' appearance. "Most typical changes we all experience are not implicated in recognition failure," he says.
NIST researchers also reviewed nine years of iris scans involving millions of transactions from NEXUS, a joint Canadian and U.S. program used by frequent travelers to move quickly across the border. Researchers found no evidence of a widespread aging effect.
'Good to Go'
From a software standpoint, Grother says, iris scanning as a logical authentication tool is "good to go." But he says getting the iris camera's form and cost down remain the biggest challenges.
Iris ID's Murad says his company, as well as competitors, are in the early stages of research and development of incorporating iris-recognition hardware into user devices. But he doesn't see that happening for at least another three to five years. "It's a factor of cost, but the cost can be covered by volume," Murad says.
That's a theme picked up by Marios Savvides, director of Carnegie Mellon University's CyLab Biometrics Center. "People are coming up with stronger passwords, and it gets harder and harder for us to remember them," Savvides says. "We'll just say, 'You know what? I just can't remember this anymore. I need biometrics, no matter what it costs.'"
But for many, cost is still a factor. Yet as more organizations show a willingness to adopt iris-recognition as an authentication factor to access systems and data, that could help to drive down the price and size of the necessary technology. Profit is a great motivator.
"People's preference for user devices will break the barrier and drive the cost down and get it working," Savvides says.
So, readers, what would it take for your organization to adopt iris recognition to authenticate users to access your systems?