Seeing is believing

Iris-recognition systems provide highly secure authentication.

We hope that the last time you gazed into someone's eyes you weren't thinking of network security. Luckily for network administrators and security chiefs, some people do think of eyes more as biometric identifiers than as windows to the soul.

The eye's retina and iris can be used for biometric security, and they are considered to be among the most accurate and foolproof biometrics available today. Retinal scanning reads the pattern of blood vessels at the back of the eye and is used almost exclusively in high-end security applications such as military installations and power plants.

Each iris — the colored portion of the eye — is unique and contains more than 200 identifiable points such as rings, furrows and freckles. In fact, one person's two irises are different from each other, as are the irises of identical twins.

Further, iris recognition has virtually no false acceptance rate and an extremely low false rejection rate.

The iris' pattern remains constant throughout one's life, and upon death, its tissue deteriorates faster than most other body tissues. Therefore, the idea of killing someone and stealing an eye to use for identification remains firmly rooted in science fiction.

What's more, the iris is extremely difficult to fake. After a successful attempt a few years ago in which a high-quality printed iris image was combined with a live pupil, the technology was modified to look for a telltale signature created during the printing process.

Some systems also contain safeguards against being fooled by prosthetic eyes or patterned contact lenses. One way to do this is by varying the amount of light shined into the eye and checking for pupil dilation.

So far, only one algorithm exists for converting the iris image into a 512-byte digital code or template. A company called Iridian Technologies Inc. holds the sole rights and licenses the technology to other companies. But the original patents on using the iris as a biometric identifier will expire in a few years, allowing companies to write their own algorithms, and the field could experience major growth.

For iris recognition, a camera records a black-and-white video image of the eye, then grabs frames to capture a still image from the live video. Very low levels of infrared light — the same strength as that in a TV remote control — are used to illuminate the iris.

The algorithm that converts the image to a template is simple enough to allow extremely fast matching in the range of 100,000 templates per second on a 300 MHz computer. Therefore, iris recognition is well suited for identification, or one-to-many matching, as well as verification, or one-to-one matching. Most other biometric systems can only perform verification because the templates are larger and it would take too much time to search through all of them.
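To make the verification-versus-identification distinction concrete, here is an added example (not code from the article or from any of the vendors reviewed) that matches fixed 512-byte templates. The article does not say how templates are compared; the fractional Hamming distance, the 0.32 decision threshold and the random sample templates are all assumptions constructed for the illustration.

```python
# Added example: 1:1 verification versus 1:N identification over 512-byte
# templates. Matching metric (fractional Hamming distance), threshold and the
# sample templates are assumptions, not details given in the article.
import random

TEMPLATE_BYTES = 512                      # template size quoted in the article
TEMPLATE_BITS = TEMPLATE_BYTES * 8
MATCH_THRESHOLD = 0.32                    # assumed: fraction of differing bits tolerated

def hamming_fraction(a: bytes, b: bytes) -> float:
    """Fraction of bits that differ between two equal-length templates."""
    if len(a) != len(b):
        raise ValueError("templates must be the same length")
    differing = int.from_bytes(a, "big") ^ int.from_bytes(b, "big")
    return bin(differing).count("1") / (len(a) * 8)

def verify(db: dict, user_id: str, probe: bytes) -> bool:
    """1:1 matching: the user supplies an ID and only that template is checked."""
    stored = db.get(user_id)
    return stored is not None and hamming_fraction(stored, probe) <= MATCH_THRESHOLD

def identify(db: dict, probe: bytes):
    """1:N matching: scan every enrolled template, return the closest acceptable ID."""
    best_id, best_dist = None, 1.0
    for user_id, stored in db.items():
        d = hamming_fraction(stored, probe)
        if d < best_dist:
            best_id, best_dist = user_id, d
    return best_id if best_dist <= MATCH_THRESHOLD else None

def make_template(rng: random.Random) -> bytes:
    """Constructed sample: a random 512-byte code standing in for a real template."""
    return rng.getrandbits(TEMPLATE_BITS).to_bytes(TEMPLATE_BYTES, "big")

def noisy_copy(template: bytes, flip_fraction: float, rng: random.Random) -> bytes:
    """Simulate a fresh capture of the same iris by flipping a fraction of its bits."""
    value = int.from_bytes(template, "big")
    for bit in rng.sample(range(TEMPLATE_BITS), int(TEMPLATE_BITS * flip_fraction)):
        value ^= 1 << bit
    return value.to_bytes(TEMPLATE_BYTES, "big")

def demo():
    """Enroll 1000 constructed users, then verify and identify one noisy probe."""
    rng = random.Random(7)
    db = {f"user{i}": make_template(rng) for i in range(1000)}
    probe = noisy_copy(db["user42"], 0.15, rng)      # same iris, 15% bit noise
    return verify(db, "user42", probe), verify(db, "user7", probe), identify(db, probe)
```

Because every comparison is one XOR plus a bit count over 512 bytes, scanning the whole database for identification stays cheap, which is the property the article credits for making one-to-many matching practical.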

Iris recognition is most commonly used for physical access but it can also be used for computer security on networks and stand-alone machines. The technology is especially useful for places where fingerprint technology is not practical, such as sterile labs. It is also being used for airport security, border control, criminal booking, and time and attendance checking at workplaces. Physical access systems can be used in combination with a smart card for more security.

For all its advantages, iris recognition has some drawbacks that are roadblocks to wider adoption. Perhaps the most significant is user perception. Many people are uncomfortable with the idea of a device shining a light into their eyes.

Another drawback is the high cost of the proprietary cameras, mostly due to the fact that not enough of them are being built. The cameras need to incorporate a specialized light source to illuminate the eye, which does not lend itself well to economies of scale.

Finally, iris-recognition cameras require a fair amount of coordination for users to position their eyes properly for scanning. In our experience, even the easiest devices take a bit of practice before someone becomes reasonably proficient.

We tested three iris-recognition systems and were surprised to see how much the hardware can differ. Nevertheless, all of them captured high-quality images and authenticated them almost instantly when the iris was in the proper position.

In all cases, users must remove their glasses when enrolling but can wear them for authentication. We found that wearing glasses made no difference in the speed or ease of authentication. Nor did varying lighting conditions, as long as there was no bright backlight and the room was not too dark. The main difference among the products we tested was their ease of use.

We looked at computer-access systems from Oki America Inc. and Matsushita Electric Corp. of America, both of which also offer physical access-control systems. The third vendor, LG Electronics, does not make a computer-access system so we reviewed the physical access system.

The software packages that came with the first two systems were similar. LG's software differed the most because it incorporates functions unique to physical access control.

LG IrisAccess 3000

The full LG system consists of multiple components, including an enrollment camera unit, one or more wall-mounted cameras and one or more PCs to perform enrollment and management functions. Multiple remote units can connect to one server through a local-area network (LAN). Users supply the server and any other PCs.

IrisAccess 3000 also comes with other hardware components such as the LG Identification Control Unit (ICU3000), a box that stores biometric templates and is mounted in a secure area.

For testing purposes, LG officials sent us an enrollment camera and a mini-PC preloaded with the company's proprietary IrisAccess 3000 software.

The enrollment device is called the Enrollment Optical Unit (EOU3000). "Enrollment" refers to the process of capturing multiple iris images to create high-quality templates.

The EOU3000 is about the size of a large shoebox. The camera is mounted inside a moveable sphere within the larger unit, similar to a moveable doll's eye, and is connected to a server in a supervised environment. You can easily adjust the camera's vertical angle.

To position the iris properly for capture, a user looks into a mirror with a rectangle drawn on it and moves until the eye is reflected inside the rectangle. The eye should be between 3 inches and 10 inches from the camera. We liked this procedure because it was easy to tell when the eye was in the right place.

What's more, the unit gives voice instructions to help you attain proper positioning. For example, if you are too close, it says, "Please move back a little." It also tells you when authentication is complete or if the system was unable to identify you.

It took a few tries before we got a good feel for how close we needed to be, but the voice prompts helped.

The unit was much more sensitive during enrollment than during authentication, which makes sense because the system needs high-quality images to create templates. After the capture, LG's software shows a box indicating the quality of the captured image. At this point, you can recapture the image if you want to try for higher quality.

Only administrators can carry out the enrollment process. You may enroll just one eye, but it is better to do both in case of injury.

Another reason to enroll both eyes is LG's "warning eye" feature. For instance, if an intruder forces a user to authenticate, the person can use his or her warning eye. The system grants access, but an emergency message is sent to the server.

Another security measure is LG's fake-eye detection feature. When the feature is activated, the system cannot be tricked by pictures, prosthetic eyes or patterned contact lenses. For security reasons, company officials declined to disclose exactly how this works, but David Johnston, LG's vice president of marketing, said it incorporates features in the hardware, optics and software to prevent the enrollment of 2-D or 3-D iris representations.

Once a good image is captured during enrollment, the administrator fills out a computerized form with the user's information, which can even include a photo. If a smart card reader is being used with the system, you can enter that information as well. Additionally, a visitor option allows the administrator to set specific dates and times during which that user is allowed access.

IrisAccess 3000 can perform both identification and verification. Identification locates user information using only the iris image while verification also requires a user ID. Then, the software compares the image to the stored template for that user.

The template is encrypted by the Advanced Encryption Standard before being stored in the server database and on the ICUs. When a user authenticates at a remote unit, the presented image is compared to stored values in the ICU at that portal. If a match is found, a signal is sent to allow access.

For security, a secret key is generated during the system's initial installation. If the system is set to high security, the remote unit must retrieve the key from the server every time the system reboots, thus ensuring that the unit is connected to the server before it can be used. With the low-security setting, the key is stored on the remote unit, which does not need to connect to the server to identify enrolled users.

IrisAccess 3000 is a robust, secure system that is easy to use. Because of its relatively high cost, it is sold primarily to customers who need extremely high security or sterility, such as clean labs for pharmaceutical companies.

Oki Irispass-h

Oki's Irispass-h system for computer access includes a small, handheld USB camera, SAFLink Corp.'s SAFsolution software and Oki's proprietary Biometric Service Provider (BSP) software module.

We used SAFsolution Workstation Edition to test the product on a stand-alone machine, but an enterprise edition is available for client/server installations.

The system supports the Biometric Application Programming Interface, the latest multibiometric interoperability standard, as well as the older Human Authentication API. Compliance with these standards allows iris systems to be integrated into applications such as SAFsolution.

Because the Oki camera is designed to be held in the hand instead of placed in a stationary position, it is particularly well suited to mobile applications. The trade-off, however, is that the Oki device was the hardest to use of the three cameras we reviewed.

To capture an iris, you must hold the camera 1.5 inches to 2 inches from the eye. You can either click the Capture button in the software interface or, more conveniently, press a button on the unit.

To position the eye correctly, you must locate a blinking green rectangle inside the camera's window and make sure the eye's entire outline shows. This is harder than it sounds because the rectangle is blinking and it's difficult to keep your hand still and in just the right position. As a guide, a beeping sound and the blinking rectangle stop when the iris is in the right position.

You can check the quality of the image by viewing it on the screen after capture. The software draws two white circles: one around the pupil and the other around the outer rim of the iris. If the two circles are placed properly, the image is good.

You can also check ratings for focus value and iris visibility. Both should be rated excellent, but if a user is having a lot of difficulty, anything rated good or above should be acceptable.

The enrollment and verification procedures described above are carried out by Oki's BSP, which integrates with the SAFsolution software. BSP also converts the iris image into a template that is stored in the database.

SAFsolution is a biometric authentication-management solution that integrates with the log-in process to replace passwords with biometric authentication. It can manage multiple biometrics at once. For example, you could use an iris scanner and a fingerprint scanner to authenticate on the same machine.

When a user logs in, the SAFLink software communicates with the Oki software and activates it so that the user is prompted to present the iris to the camera. The iris template is then processed through Oki's BSP. When the user is authenticated, SAFsolution translates this information back to Microsoft Corp. Windows' log-in feature and access is granted.

As a safety measure in case of biometric failure, all Irispass-h users are required to have a backup password.

SAFsolution contains several notable features. One, Fast Login, allows users to bypass the Windows log-in dialog box. They can simply present the biometrics and automatically be logged in.

Administrators responsible for many systems will especially appreciate the self-enroll option, which allows users to complete the enrollment process with no administrative assistance. Without this feature, administrators would have to enroll each person.

A useful self-paced tutorial facilitates self-enrollment by helping users familiarize themselves with the biometric enrollment and authentication process.

Administrators can also set the software to require authentication before users can unlock workstations.

Although Oki's camera is somewhat tricky to use, it's the only mobile one we tested. It is backed up by a robust, flexible authentication-management system well suited to large deployments.

Panasonic Authenticam

The Panasonic Authenticam computer-access system features a USB camera made by Panasonic, a division of Matsushita Electric; a BSP called Private ID made by Iridian and an authentication-management solution called SecureSuite made by I/O Software Inc. Private ID can also be used for stand-alone applications on individual computers.

In addition to the iris-capture capability, you can use the Authenticam for video e-mail messages, access to LANs and wide-area networks, and Internet-based videoconferences.

This camera was extremely easy to use, partly because of the relatively large capture distance — 19 inches to 21 inches. This meant we could sit at our computers and glance up at the camera, which Panasonic suggests placing on top of the monitor.

For proper eye placement, you must focus on a large orange dot that lights up inside the camera. The dot was easy to locate and center within the lens opening. A shutter clicking sound plays through the computer's speakers when a good image is taken.

SecureSuite is similar to SAFsolution, allowing Windows passwords to be replaced with one or more biometrics. Like SAFsolution, it is policy-based and can manage multiple biometrics.

Our Authenticam system came with SecureSuite 3.5, which provides server-based authentication. SecureSuite can also manage tokens and smart cards in addition to biometrics and passwords.

The software features a convenient single sign-on application called SecureSession for both Windows applications and Web sites accessed through Microsoft Internet Explorer. Single sign-on allows users to replace multiple passwords and user IDs with one biometric or password.

To enable this feature, you must first register applications and Web sites with the system. When SecureSession encounters a log-in dialog box for an application or site, it checks to see if it's registered. If so, it can require authentication before filling out the user information or it can automatically enter the user information if the administrator has set the policy to allow that.

Through user policies, SecureSuite offers log-on, file, folder and application security. For example, administrators can require authentication before users can copy, delete, move, open or rename secure files and folders. Policies can also be set to require authentication before securing and unsecuring files and folders.

Securing a folder is a simple matter of right-clicking and selecting "secure" from the menu. To secure files, just drag them into the secure folder. If you need to work with secure files, you need to take them out of the folder and save them to a different location. To resecure them, save them back to the secure folder.

We were impressed with Authenticam. We found the camera easy to use, and the included management software offers the convenience of single sign-on and the protection of secured files.

The bottom line

When selecting an iris-recognition system, whether for physical or computer access, one of the important features you should look for is ease of use. If a camera is too difficult to use, it will slow down productivity. For network access systems, consider whether the installation will be stationary or mobile. Finally, look at the features offered with the authentication-management software solution and be aware that some offer features others do not.