Biometrics: Essentials of Iris Scanners, Retina Scanners etc. | Cove Security

Biometrics: Iris Scanners, Facial Recognition, Retina Scanner etc.

What is biometric security?

Biometric security is a system that gives access only to specific people, rather than to specific passcodes or devices.[1] Some examples of biometrics would be a hand and finger geometry scanner, a fingerprint lock (probably the most common to date), a facial scanner, a retinal scanner, and an iris scanner.[2] These biometric methods can either replace or bolster traditional methods of security, such as a passcode, a PIN, or a dual-factor authentication method (such as pushing a button on your phone to access a website on your computer). There are pros and cons to each of these methods, and some are certainly more secure than others, but none of them is perfectly secure and reliable with the current available technology. Before we can understand which method of biometric security is the best, we need to understand a couple of key definitions and differences:

What is the difference between a hand and finger geometry scanner and a fingerprint lock?

A hand and finger geometry scanner is not dealing with fingerprints at all. While it does scan all of the fingers, it does not analyze any of the fingerprints.[3] The hand and finger geometry scanner is simply dealing with the size of the hand, the length and width of each finger, and the shape of the hand as a result of the finger sizes.[4] A fingerprint lock, on the other hand (no pun intended), does not deal whatsoever with the size or shape of the hand or fingers, but rather picks up and analyzes the fingerprint of one particular finger. (Although most fingerprint locks can register more than one fingerprint to allow access to more than one person— or more than one finger of the same person— they still deal with only one fingerprint at a time).

What is the difference between a retinal scanner and an iris scanner?

Quite simply, both a retinal scanner and an iris scanner take rapid photos of the eye, but a retinal scanner takes photos of the retina while an iris scanner takes photos of the iris. Both the iris and the retina have unique patterns that are different even in identical twins. There are, however, some differences in the functionality of each type of scan.

The most important difference between a retinal scan and an iris scan is probably the convenience and the non-invasive process of the iris scan.[5] While a retinal scan requires a person to put their eye up to an eye piece for about thirty seconds,[6] an iris scan only requires a quick snapshot of the eye and does not require a person to put their eye up to any eyepiece whatsoever. For this reason, a retinal scan is considered invasive, while an iris scan is not, and more people are willing to submit to an iris scan than to a retinal scan.

What is the difference between a face scanner and a retinal or iris scanner?

A face scanner looks at the shape of the entire face, while a retinal or iris scanner focuses only on the eye. Face scanners are less accurate than iris or retinal scanners, because face shape is not a completely unique characteristic the way that iris and retinal patterns are. However, face scanners can work from a much greater distance, meaning that they work very well for surveillance purposes because they can pick out a particular face from a crowd using facial recognition AI.[7]

Which type of biometric security is the most reliable?

Humans change over time, particularly very young humans or very old humans, but really all of us are subject to physical changes. So if we’re constantly changing, which type of biometric security is the most stable and able to account for these changes?

Hand geometry scanners and face scanners are the least reliable biometrics because both hands and faces can change size or shape significantly in a fairly short window of time due to routine events such as weight gain or loss.[3] However, this lack of total reliability does not make hand and face scanners useless in everyday situations. For example, many workplaces use hand geometry scanners for their clock in/out systems in lieu of ID cards. In the case of significant hand changes due to weight gain, weight loss, or pregnancy, these workplaces simply re-enroll that employee, or take a new base-scan of their hand.[3] Because the stakes of clocking in or out of work are relatively low (and ultimately correctable by a supervisor), the chances of a hand shape changing are not a deterrent for workplace use of a hand geometry scanner.

Fingerprint scanners are quite a bit more common than hand geometry scanners, possibly because fingerprints tend to be more stable than hand geometry. Fingerprints can change over time, but they change much less easily than hand geometry— i.e. a fingerprint will change if a person gets a cut that scars across the pad of the finger in question, or, more dramatically, a fingerprint will no longer be an effective means of authentication if a person loses their finger.[7] More common than drastic finger alteration— but equally problematic — is the presence of dirt, grease, or oil on the fingers, which disrupts the fingerprinting process and makes it difficult— if not impossible— to authenticate or identify a person.[7]

The retina cannot be affected by dirt or grease, since it resides inside of the eyeball. However, the retina can change over time as a result of a number of health issues, including diabetes and glaucoma.[5] These diseases are less likely than finger scars. Additionally, assuming that a person’s finger did not change and a person’s retina did not change, retinal scanning would be the more reliable biometric because retinal scanners take in more detail than fingerprint scanners, meaning that they are much less likely to return false accepts. However, as a result of the retina changing in response to quite a few health issues, retinal scanning is not perfectly reliable.[5]

Iris scanning— considered “to be ten times more accurate than fingerprinting”[1] is the most reliable biometric currently available. While the iris is plainly visible on the outside of the body, it is technically an internal organ because it is protected behind the cornea.[5] Since the iris is technically internal, it is not more likely than the retina to pick up dirt or debris. However, unlike the retina, the iris does not change with diseases such as glaucoma or diabetes.[5] While the iris can change during a person’s life, it tends to be stable after the age of one or two, and even if it does change it tends to be stable for at least a decade at a time.

Which type of security is easiest to trick?

On a first consideration, biometric security seems so much safer and so much more secure than passcode-protected security: somebody could figure out my passcode, but nobody has my finger, or my retina, or my iris. Unfortunately, a determined hacker or intruder can break even biometric security.

You may have seen the movie National Treasure,[8] in which Ben Gates (Nicolas Cage) steals both a fingerprint and a passcode from Dr. Abigail Chase (Diane Kruger) in order to gain her researcher access and steal the Declaration of Independence (certainly a document which should be impossible to steal).

So is it easier for Gates to steal Dr. Chase’s fingerprint or her passcode? Seemingly Dr. Chase’s fingerprint, which he lifts off of a champagne glass at the gala. In order to guess her passcode, Gates sends Dr. Chase a valuable gift, which he has coated in a chemical that shows in neon green under black light. He then can see which keys she hit on the passcode keyboard, and runs the letters through a passcode-breaking program, which still doesn’t guess the passcode. Luckily for Gates, he and Dr. Chase share a deep enthusiasm for history, which allows him to guess that her passcode is ‘Valley Forge’. It seems that the moral of this story is that you should not accept gifts from practical strangers, even (or perhaps especially) if they are nice gifts (which is a good lesson— don’t accept gifts from strangers!). However, had Dr. Chase not accepted the gift— and had the Declaration been protected only by a fingerprint lock, Gates could still have stolen the Declaration of Independence.

It is true that a passcode-breaking algorithm will eventually, given infinite guesses, find a passcode. However, eventually doesn’t really matter if it takes an unreasonably long time to guess correctly, and if you don’t write down a passcode anywhere or re-use a passcode anywhere, and you use a strong passcode, it can take millions, billions, trillions, or even more years for a computer to guess your password. The other trick is that your password has to be random enough that another human couldn’t easily guess it. (So ‘Valley Forge’ was a bad choice for Dr. Abigail Chase because it is a known fact that she is a big history geek, making it a relatively easy password to guess, especially given that Ben Gates knew which letters she had used).

The other consequence of biometric security is that if a thief or hacker steals your biometric information, you can’t change it the way that you can change a passcode.[9] Of course, most biometric security systems claim to store only ID patterns made from biometric information, and not the information itself, but Claire Gartland explains that “the growing rate of data breaches in [the banking] industry casts doubts on those kinds of promises” in a 2016 New York Times article.[9]. However, even assuming that companies don’t store biometric information, this safeguard does not fix the danger of thieves stealing actual biometric matter.

Originally, researchers were fairly confident that the iris of a dead person would not work in an iris scan because the blood vessels would deteriorate too quickly. However, later studies found that the iris of a dead person could work on an iris scanner for at least a few days after the person had died.[10] That being said, the likelihood of a thief killing a person and using their dead eyeball to break into their security is thankfully low— unless that person has access to something particularly valuable— say a lot of money, or something of great national or scientific value. Luckily, “researchers have trained a machine-vision system to tell the difference between dead irises and live ones” according to a 2018 article in the MIT Technology Review.[11]

Even though researchers have now solved the issue of a dead person’s iris working on an iris scanner, this issue highlights an important point in debates about biometric security: it’s still relatively new technology, and there may be problems that we do not yet understand or have not yet anticipated.

When is biometric security a good idea?

That being said, a lot of us use biometric security every day. Many of us have fingerprint locks on our phones or laptops, or even face or iris scanners.[12][13] More and more people have biometric gun safes (which usually work based on fingerprint locks).[14] Most of these biometric security devices are backed up with the option to have a PIN or passcode, in case the biometric ID fails (which it somewhat often does). A lot of biometric gun safes are backed up with a physical key rather than a passcode, which is supposed to make it more difficult for the owner’s children to gain access to the guns.[15]

For these types of personal things— things to which, in most cases, hackers and thieves are not actively trying to gain access— biometric security vs a traditional PIN or passcode is a matter of personal preference. However, sometimes the stakes are higher with these items than other times.

Are biometric gun safes a good idea?

Most biometric gun safes are intended to make a personal handgun easier and quicker to access in the dark in the case of a home intruder.[15][16] Ideally, a person can use their fingerprint to unlock the gun safe, saving them the time and noise of trying to enter a PIN or use a physical key. However, the fingerprint locks on biometric gun safes can be just as unreliable as any other fingerprint lock, meaning that if the finger is at the wrong angle, the safe will likely not open; if the finger is dirty, the safe may not open; and if there are too many fingerprints stored in the program, the safe may take longer than anticipated to open.[15]

Since biometric gun safes tend to have a backup option (usually a physical key), there is probably no harm in having the option of using a fingerprint lock to open the safe, assuming that the user always keeps the backup option handy.

Is it better to use a PIN or a biometric system