Blog archive
child and adult iris scans

Blurred future for iris recognition?

The use of iris recognition to ensure security is a familiar concept, and is already used by some federal agencies. Pressured by Congress, the National Institute of Standards and Technology has been developing the necessary standards to enable it to be deployed throughout government.

But there’s a snag. Unlike with fingerprints, which have been used in identity and forensic investigations for decades and are well understood, iris recognition isn’t. Even though the uniqueness of the iris was noted at the same time as that of the fingerprint back in the late 1800s, the technology to exploit the iris has only been developed recently. People are still grappling with some of the fundamental definitions.

One of the question is how long the various iris templates used in biometrics databases are valid, because (so some people insist) the iris changes as people age. That’s not a minor problem. If it’s true, then a significant number of those inaccurate templates could exist at any one time, potentially throwing out false red flags that could cause security chaos.

That particular debate seems to be coming to a head. University and NIST researchers have recently been playing ping pong in an academic argument over this aging effect. Researchers at the University of Notre Dame, for example, produced a study questioning the value of current iris templates. NIST, which runs the Iris Exchange (IREX) as a support for iris-based applications, countered with its own study that downplayed those results. The Notre Dame researchers then came back with their own counter, basically saying NIST had screwed up the methodology it used.

This isn’t the only potential problem with iris recognition. Security researchers have also identified ways that bad guys could essentially copy the digital code for iris scans and reproduce them at will, essentially eliminating that biometric from the identity profile of any affected individual.

It’s not clear if any of this will affect the rollout of iris scanning systems, and the claim for iris recognition as one of the basic biometric supports of future security systems, along with fingerprint, voice and face recognition. Based on the previous assumption of iris recognition as a rock-solid science, agencies have already planned for its extensive use.

The Defense Department has been using iris scans for over a decade in Iraq, Afghanistan and other places to detect terrorists, and it plans to use it for physical access to facilities in combination with Common Access Cards. The FBI wants to use iris recognition in its Next Generation Identification System, the eventual replacement for its famed Integrated Automated Fingerprint Identification System. And Congress has been pushing NIST to come up with the necessary standards for other government uses of iris recognition, chiding officials in committee hearings about not living up to earlier promises.

Other governments around the world aren’t waiting. India has already enrolled hundreds of millions in a national identity system that includes iris recognition. Mexico began using iris scans on ID cards several years ago, and Argentina is also using it in its national identity system.

There are other incentives brewing, not least the use of iris recognition in mobile systems. Apple is reportedly looking at adding iris scans in future systems to the fingerprint identification it already uses, while Samsung on the Android side of things is rumored to also be interested. Since more and more government IT seems to be driven by consumer innovations, that could also accelerate the use of iris recognition in government apps.

However, if there are problems with iris recognition, what would that mean for security? No security technology is foolproof but, based on that “rock-solid” assumption, iris recognition is perceived to be as close to it as you can come. If there really are major flaws that can be exploited, then agencies will be building security systems with unexpected holes in them.

Posted by Brian Robinson on Mar 14, 2014 at 9:43 AM

inside gcn

  • A framework for secure software

Reader Comments

Thu, Jul 31, 2014 Jim Cambier

I'm a little late to this party, but would like to point out a couple of things. First, with regard to iris aging, it is critically important to remember that this will affect only the false nonmatch rate, as Kevin has pointed out. The result is inconvenience, not chaos. And re-enrollment mitigates the problem. Second, on the topic of reverse-engineering an iris template to spoof a system, the obstacles to defeat are myriad. Not only would one have to extract a template from a (hopefully) secure and possibly encrypted database, but having generated an image from it, figure out a way to present that image to an iris camera in a manner that didn't trigger the spoof detection features of most cameras. Generating the image from the template is the easy part.

Tue, Mar 18, 2014 Kevin Bowyer University of Notre Dame

I do not normally participate in blog comments. But a colleague sent me a pointer to this and I am one of the "Notre Dame researchers" whose work is mentioned, so here goes. If anyone would like to have an informed opinion about the merits of iris and fingerprint as general biometric techniques, they should read the Center for Global Development Policy Paper 020 from May 2013. It is based on experience from Aadhaar, where people are being enrolled with both fingerprint and iris. It has some interesting conclusions - "… first conclusion is that iris authentication is more inclusive than authentication via fingerprints. Its FTC rates were much lower" ... "iris authentication was superior. At a common FAR of 0.01 percent, the FRR for fingerprints was 0.71 percent and for iris only 0.22 percent.” Much less is known about fingerprint template aging than is known about iris template aging. You can read the literature and verify this for yourself. The problem that we point out with iris template aging is that it causes an increase in the false-non-match rate. This is not a security issue so much as a user experience issue. If you don't know the difference between a FNM and a FM, you shouldn't be in this discussion. We did say that the NIST IREX VI report contains serious errors in methodology. To the point that it is a throw-it-away-and-start-over situation. If anyone is in any doubt of this, they should take a course in applied regression analysis. Many countries are far ahead of the US in use of biometrics. The US will have to catch up someday, if, say, we want to know who it is holding that passport and boarding that plane.

Mon, Mar 17, 2014 Chris Boehnen

Rick is dead on. While the discussion (not argument) between ND and NIST is important from a research perspective, the interpreatation in this article would seem to imply that ND and other evidence suggests Iris Recognition is not reliable or a good biometric which is absolutely not the case.

Mon, Mar 17, 2014 Rick Lazarick

This article, like many others, trys to cast a negative image on biometrics, in this case iris recognition, but the facts surrounding the topics get left out of the press. Regardint the debate on iris aging, one major omission from this article is the acknowledgement that periodic re-enrollment of iris images (say every 10 years) will resolve any aging effect (if there is one). And the claim of "chaos" is a gross overstatement if the implication is the aging will generate false alarms (or false matches) - the aging effects do not alter the imposter distribution - all research agrees on this point. And, by the way, the research that showed that an iris code could be reverse-engineered to spoof the system came with several caveats about having inside access to the system and it is FAR from easy as this article implies. I wish reporters would consult with scientists before publishing these derogatory articles.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above


HTML - No Current Item Deck
  • Transforming Constituent Services with Business Process Management
  • Improving Performance in Hybrid Clouds
  • Data Center Consolidation & Energy Efficiency in Federal Facilities

More from 1105 Public Sector Media Group