Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security Biotech

Can Iris-Scanning ID Systems Tell the Difference Between a Live and Dead Eye? (ieee.org) 93

the_newsbeagle writes: Iris scanning is increasingly being used for biometric identification because it's fast, accurate, and relies on a body part that's protected and doesn't change over time. You may have seen such systems at a border crossing recently or at a high-security facility, and the Indian government is currently collecting iris scans from all its 1.2 billion citizens to enroll them in a national ID system. But such scanners can sometimes be spoofed by a high-quality paper printout or an image stuck on a contact lens.

Now, new research has shown that post-mortem eyes can be used for biometric identification for hours or days after death, despite the decay that occurs. This means an eye could theoretically be plucked from someone's head and presented to an iris scanner. The same researcher who conducted that post-mortem study is also looking for solutions, and is working on iris scanners that can detect the "liveness" of an eye. His best method so far relies on the unique way each person's pupil responds to a flash of light, although he notes some problems with this approach.

This discussion has been archived. No new comments can be posted.

Can Iris-Scanning ID Systems Tell the Difference Between a Live and Dead Eye?

Comments Filter:
  • by guruevi ( 827432 ) on Saturday July 23, 2016 @10:56PM (#52568949)

    A pupil's response can be imitated with a video in response to the flash. I work with several types of eye trackers fairly frequently, the eye is relatively slow in responding to stimuli, it's definitely within the realm of a cell phone to play back the image of an eye and it's iris in response, in time to one of these flashes.

    The problem with biometric is that it is considered the end-all of security system whereas it should be considered only part of something (who you are, what you know, ...)

    • by Anonymous Coward

      biometric is that it is considered the end-all of security system

      I have never understood why people think this is the case. It doesn't take a genius to realize that there are a number of ways to get this data, most of which are highly unpleasant, assuming you survive it.

      Plus, if it's compromised once from an appropriately insecure and high-resolution source (e.g. someone takes a picture of your eye in high detail), you're pretty much compromised for life. Some people would say this will never happen, but considering some of the dumbass mistakes that have made security

    • by Anonymous Coward on Sunday July 24, 2016 @01:08AM (#52569323)

      The problem with biometric is that it is considered the end-all of security system whereas it should be considered only part of something (who you are, what you know, ...)

      No. The problem with biometrics is that it builds upon faulty assumptions and fails to address real concerns.

      Somebody fakes my eyescan successfuly once, it loses all future use to me and now I have to scoop out an eye, perhaps replace it with a glass one with some famous person's fake eyescan patterns, to have some use out of it again. But wait, I'd rather keep the eye to see with.

      The logical conclusion is that I don't want my eyes, not even one, be used as a security in this sort of gamble. That means you do not get to scan my eyes, ever, making the idea strictly useless for security, aaa, or whatever else you want to do with it, but instead outright dangerous for my valuable body parts.

      Biometrics is only "hollywood security", where usernames, including the crappy and noisy biometric ones, are taken to be as good as passwords, and "security override" is all you need to get past any hurdle anyway. In the real world, security doesn't magically improve just because we bend over backwards for some camera looking into our eyes. Any biometric is more easily faked than replaced, and that makes them useless for the end-user, in fact outright dangerous to limb, possibly life, because it makes the end-user expendable.

      That means there is only one correct answer to any biometric-anything idea: FUCK OFF with your biometrics, whatever idea you have this week. FUCK OFF ALREADY.

      • Somebody fakes my eyescan successfuly once, it loses all future use to me

        That's the real kicker. Imagine a password written on a yellow sticky, kept in your wallet. A password that is thus easily stolen, lost or duplicated. Now imagine that you cannot change that password, ever.

      • Er, no. Iris or retina scan and most other biometrics are and will continue to be useful: for identifying people in the flesh. Unless you are willing to remove your eyeball and replace it with a replica of someone else's you won't be fooling the security guard at the door.
    • by Anonymous Coward

      Biometric should only be used to identify people accompanied by security persons who can determine of the biometric object being scanned it real or fake. This will require checks to see if the person is wearing contacts or an extra layer of skin, etc. This also requires the security person to immobilise the person who is being scanned to make sure slide-of-hand is not in play.

      Biometric scanners without security are useless, since the biometric object can easily be harvested in public areas.

  • by Anonymous Coward

    Demolition Man did it

  • But one of them is kinda lazy. Will that make a difference?

  • "Now, new research has shown that post-mortem eyes can be used for biometric identification for hours or days after death"

    Sheesh, I saw this on an episode of La Femme Nikita probably a decade or so ago. I could've lent them the DVD, if they'd asked.

  • biometric identification and verification is insecure by its very nature.
    whole concept derives from faulty assumption that identity of a person is securely linked his/her body parts. obviously body parts can be separated from true identity by variety of means ranging from death, amputation, kidnapping and coercion, replication , etc etc.
    other forms of identification and verification based on links to individual's mind and memory, while far from perfect, is more secure.
    even simple forms of that, like passwords, can defeat insecurities created by death, amputation, some coercion, etc etc.

    all rational knowledgeable people should counter absurd biometric identification hype.

    • by ET3D ( 1169851 )

      It's far from perfect, but still much more secure than insecure passwords, which are what we commonly have. It's a lot easier to get passwords (as proved by the many millions of them available online) than to get the biometric identifiers.

      • by Anonymous Coward

        Availability is directly tied to use. We have already got databases of passwords attached to every website that has a login so most break-ins will have a chance to make a copy, if fingerprints iris scans or something else biometric got used in the same way then this would be true of them too, but now you cant change them.

        Biometric identification is a shared password you can never change, and shared passwords are the most insecure of all. Of course you can mitigate against this in physical situations, if

    • by Misagon ( 1135 )

      The biggest fallacy of using biometrics for security is that biometric codes can not be changed.
      Once a biometric code has been cracked then that code is useless forever and you are stuck with it. If a protected resource requires e.g. an iris or finger print but that print is revoked, then you can never use that authentication mechanism every again.
      If someone successfully guesses your password (or encryption key) then you can rescind it and use another.

      Another fallacy is that it is actually not difficult to

  • Yet another case of popular media predicting actual science.

    Seriously, I think there was at least one James Bond ("Never Say Never"?) with this theme as well as one in which eyes were carried around in plastic baggies to break security. I think the big part of this was the "ick" factor to create audience buzz.

  • India is going to find out that iris scanning suffers from all of the same issues as any other biometric scanning device. ALL of them have to turn the scan into a digital representation, which is then used to authenticate or verify identity. The weak point int he process is between the device and the computer. Since that digital representation can be copied and replicated, it is no more secure than any other identification system. It's actually less secure, because it's considered the user name AND pass

    • by vasanth ( 908280 )
      well the AADHAAR system you are talking about has multiple levels of authentication which include iris, fingerprint, OTP to your mobile and password.. and the system does not give out any of these information, any one can use the system to authenticate by the means they deem fit by submitting the authentication details to the AADHAAR service and it will get back with only a TRUE/FALSE response and nothing else.. so as a service provider you can decide the level of authentication required, a bank might deci
  • First they took our jobs, then they took our thumbs, now they are gonna take our eyeballs. When will it end ??

    • Well, if you weren't just sitting around with your thumbs up you butts in the first place, they wouldn't have taken your thumbs! Personally, I'd rather not use biometrics, precisely because of the damage to my body that someone seeking to steal my identity would do.
  • This means an eye could theoretically be plucked from someone's head and presented to an iris scanner.

    Minority Report [wikipedia.org] - duh.

  • you've got Genesis, but you don't have me!
  • You can always take an image of a dead iris scan, manipulate it, and feed that to the camera.

  • Iris scanning suffers from the same fatal flaw that every other type of biometric scanning suffers from. What do you do when my iris scan is compromised? How are you going to issue me a new iris identification?

  • >"Iris scanning is increasingly being used for biometric identification because it's fast, accurate, and relies on a body part that's protected and doesn't change over time. "

    Not really. It is a rather stupid biometric, especially when something exists that is far better in just about every way....

    There is only one safer and practical biometric I know of- that is deep vein palm scan. That registration data cannot be readily abused. It can't be latently collected like DNA, fingerprints, and face recognit

    • Actually, eyes do change over time. My contacts weren't letting in enough oxygen, so blood vessels grew into my eyes. Not sure how much that would affect an iris scan, though.
  • So soon they forget (Score:3, Interesting)

    by ggendel ( 1061214 ) on Sunday July 24, 2016 @06:59AM (#52569929)

    As someone that was part of the team that pioneered iris recognition in the late 80s, I can say that this is totally the fault of the current software. We had various techniques implemented from the start that would prevent this kind of problem. Controlling multiple IR leds to provide a changing specularity pattern. This would guarantee that the eye was shaped as expected, rejecting all flat copies. Checking for the normal pulsation of the pupil would reject dead eyes. There were various other checks, like verification of facial features (there were two eyes, etc.). Checking for the proper occlusion of the eyelids was also part of the process. With only a few captures our testing has not shown this kind of issue (and we did try perfect eye replication). I've heard this kind of thing from the beginning, nothing new here. Again, we implemented all of these features in our original work, but implementors felt that these should not be included in their products.

  • It'll be a great reassurance to the bank to know that the bad guys can't get into the vault by holding up an eyeball they've "liberated" from the bank manager. However, it'll be little comfort to the now eyeless bank manager if the bad guys haven't kept themselves abreast of the developments in dead eye detection, or if they decide to give it a go anyway. If some bit of your anatomy holds the biometric keys to something of value, then in addition to all the other problems that get mentioned about biometri

  • There was story this week about the police approaching a 3d printing prothestics expert to reconstruct the fingers of a dead guy to unlock an iPhone. They tried the fingerprint image which didnt work.
  • Having seen the movie Demolition Man, I've always been opposed to biometrics in the first place. My body parts are more important to me than my data!
  • The answer is yes. The technology to detect the difference has been around for over a decade, but it's not in any iris scanner for security that I'm aware of.

    My Mom and Dad (yes, both of them, this one was actually Mom's idea), hold a patent on a method for using a laser and optical system to measure a bunch of things about the eyeball, including intraocular pressure. It's sensitive enough to not only measure the internal eyeball pressure, but you can very easily see the pulse, and with a bit of clever ma

  • Hmmm, the article ignores the fact that a retinal scan is changed by cataracts, glaucoma, log term diabetes, retinal detachment, macular holes, macular degeneration, or massive beta radiation exposure.

        I wonder if using IR laser scan instead of red laser scan as the first generation of the tech did would sense living tissue based on temperature?

Algebraic symbols are used when you do not know what you are talking about. -- Philippe Schnoebelen

Working...