Iris-centric law enforcement
While most organizations use iris recognition as an additional authentication resource, law enforcement agencies in Missouri have made the technology central to everything they do. Missouri was the first state to use iris recognition as the core platform on which to build a statewide law enforcement records management and jail records management system for tracking people as they pass through the criminal justice system, says Mick Covington, director of the Missouri Sheriffs' Association.
The new system, purchased from MorphoTrust and used by sheriff's offices and the Missouri Department of Corrections, starts tracking people the moment they're arrested and booked.
"When someone comes into one of our jails, you get a read back in three seconds that tells you who they are and where they were last," Covington says. Deployed in 55 of the state's 115 counties to date, the system is used by county jails to, for example, identify people, check them in and out for court dates, and make sure medication is delivered to the right person at the right time.
The system will eventually upload iris data to a state repository that will in turn upload the data to the FBI's Next Generation Identification (NGI) database. The fact that the system doesn't require touching the individual is an advantage in a prison setting, Covington says, and the technology requires minimal staff training. "The quality of the images is much better now," he says. "And the machines are more user-friendly and more durable. They're cop-proof."
Iris recognition technology is continuing to evolve and outgrow its spy novel image, as is the manner in which users interact -- or don't interact -- with the systems. The technology is moving beyond what HRS's Norman calls a "coerced method of acquisition" -- exemplified by the types of systems historically used at border crossings and in prisons -- to a more social technology. "Social is if I go to a store and take a soda from a machine using a biometric," he says. "We're on the edge of moving into a personalization stage and away from this security/paranoia type of application. That's the next phase."
Hacking the iris
Is iris recognition vulnerable to hacks? While it's technically possible to create scenarios to fool iris recognition systems, Patrick Grother, director of biometric standards and testing at NIST, says pulling it off in the real world would be a challenge.
The possibility of spoofing iris recognition systems was addressed during a 2012 Black Hat conference presentation by Javier Galbally. In his talk (summarized in a story on the Electronic Frontier Foundation's website), Galbally argued that iris recognition systems could be fooled by synthetic images that match digital iris codes linked to real irises.
But the process described would require the hacker to steal a template or iris image for the person the hacker wanted to impersonate and then run an iris recognition algorithm against it repeatedly to produce a digital image that would match the eye of the person whose template was stolen, Grother says. "The paper did not address how to [steal] the biometric data or how to then present it to a system successfully," he says.
Another academic researcher, Oleg Komogortsev at Texas State University, argues that it's possible to take a picture of someone's iris from a distance, create a high-resolution printout and successfully present that to an iris recognition system.
Komogortsev advocates for an alternative approach based on tracking eye movements instead of using a still photo of an iris. But Grother says that the cameras themselves have countermeasures designed to detect paper-based photographic images. And under real-world conditions, eye tracking is difficult. For example, pictures often contain reflections from ambient light on the eye, and you get very little detail for people with brown irises, which absorb light. That's why developers of iris recognition systems use specialized cameras designed to use near-infrared illumination instead of natural light, he says.