If the iris changes as people age, then ID systems based on iris recognition could cause security chaos.
The use of iris recognition to ensure security is a familiar concept, and is already used by some federal agencies. Pressured by Congress, the National Institute of Standards and Technology has been developing the necessary standards to enable it to be deployed throughout government.
But there’s a snag. Unlike with fingerprints, which have been used in identity and forensic investigations for decades and are well understood, iris recognition isn’t. Even though the uniqueness of the iris was noted at the same time as that of the fingerprint back in the late 1800s, the technology to exploit the iris has only been developed recently. People are still grappling with some of the fundamental definitions.
One of the question is how long the various iris templates used in biometrics databases are valid, because (so some people insist) the iris changes as people age. That’s not a minor problem. If it’s true, then a significant number of those inaccurate templates could exist at any one time, potentially throwing out false red flags that could cause security chaos.
That particular debate seems to be coming to a head. University and NIST researchers have recently been playing ping pong in an academic argument over this aging effect. Researchers at the University of Notre Dame, for example, produced a study questioning the value of current iris templates. NIST, which runs the Iris Exchange (IREX) as a support for iris-based applications, countered with its own study that downplayed those results. The Notre Dame researchers then came back with their own counter, basically saying NIST had screwed up the methodology it used.
This isn’t the only potential problem with iris recognition. Security researchers have also identified ways that bad guys could essentially copy the digital code for iris scans and reproduce them at will, essentially eliminating that biometric from the identity profile of any affected individual.
It’s not clear if any of this will affect the rollout of iris scanning systems, and the claim for iris recognition as one of the basic biometric supports of future security systems, along with fingerprint, voice and face recognition. Based on the previous assumption of iris recognition as a rock-solid science, agencies have already planned for its extensive use.
The Defense Department has been using iris scans for over a decade in Iraq, Afghanistan and other places to detect terrorists, and it plans to use it for physical access to facilities in combination with Common Access Cards. The FBI wants to use iris recognition in its Next Generation Identification System, the eventual replacement for its famed Integrated Automated Fingerprint Identification System. And Congress has been pushing NIST to come up with the necessary standards for other government uses of iris recognition, chiding officials in committee hearings about not living up to earlier promises.
Other governments around the world aren’t waiting. India has already enrolled hundreds of millions in a national identity system that includes iris recognition. Mexico began using iris scans on ID cards several years ago, and Argentina is also using it in its national identity system.
There are other incentives brewing, not least the use of iris recognition in mobile systems. Apple is reportedly looking at adding iris scans in future systems to the fingerprint identification it already uses, while Samsung on the Android side of things is rumored to also be interested. Since more and more government IT seems to be driven by consumer innovations, that could also accelerate the use of iris recognition in government apps.
However, if there are problems with iris recognition, what would that mean for security? No security technology is foolproof but, based on that “rock-solid” assumption, iris recognition is perceived to be as close to it as you can come. If there really are major flaws that can be exploited, then agencies will be building security systems with unexpected holes in them.
NEXT STORY: Wi-Fi virus: Much ado about (almost) nothing