Risk
8/28/2013
01:46 PM
50%
50%

Eyeball Scans Stay Accurate Over Time, Says NIST

National Institute of Standards and Technology research says aging doesn't hurt reliability of iris images to identify individuals.

Iris Scans: Security Technology In Action
Iris Scans: Security Technology In Action
(click image for larger view)
Researchers investigating the use of iris recognition for biometric identification have concluded that aging doesn't affect distinguishing characteristics of the average person's iris for almost a decade. The findings, reported by National Institute of Standards and Technology (NIST) researchers, suggest that identity program managers may not need to recapture iris images as frequently as generally thought to maintain recognition accuracy, NIST officials said.

Whether that will prompt more agencies to embrace iris recognition as a reliable method for identifying individuals remains an open question, however.

In their report, "Temporal Stability of Iris Recognition Accuracy," researchers in NIST's Information Access division found "no evidence of a widespread aging effect" and "no degradation in overall recognition accuracy" over a nine-year period. The NIST research is the most comprehensive study ever undertaken of the stability of iris characteristics over long periods of time.

The NIST researchers based their study on two vast data sets, including one of nearly 8,000 frequent travelers across the Canada-U.S. border that involved millions of captured iris images. The travelers used an iris identification system deployed as part of a joint Canadian-U.S. program called NEXUS designed to help recurrent travelers move quickly across the border. The travelers used the system for at least four years and up to nine years. Researchers also analyzed a larger, but less well controlled set of anonymous statistics collected over a six-year period.

[ Learn more: read Eye Scans Meet Federal ID Cards. ]

Ultimately, they said, the study suggests that "iris recognition of average individuals will remain viable over decades," said NIST biometric testing leader Patrick Grother, adding that he hoped that the methods NIST scientists developed for the aging study will be applicable to other biometric aging research such as face aging.

Will the conclusions reached in NIST's study cause security managers to consider iris recognition as a stronger option for identity management?

John Pescatore, director of emerging security trends at the SANS Institute, an information security research and education organization in Bethesda, Md., was circumspect about the results of the study.

"For enterprise use of biometrics, long-term changes in biometric characteristics are not a major issue since most employees do not stay at one [organization] for more than five years," he told InformationWeek Government.

Even if the unique identifying characteristics of the iris remain stable over long periods, there is still the issue of accuracy in biometric identification, he added.

A 2012 NIST study of iris recognition technology, the "Iris Exchange III" report, found a significant variation in accuracy rates, between 90% and 99%.

"Ninety percent accuracy just isn't good enough," Pescatore said. "If 10% of legitimate employee access is denied, that is a disaster operationally."

The major reason biometrics has seen limited use in enterprises or government agencies is that no form of biometrics is "yes/no," he said. "Biometrics will always have both false positives and false negatives and various thresholds that can be set between the two," he said. "For all their weaknesses, passwords or hardware tokens are yes/no. Either you got the password right or you didn't; either you had the token or you didn't."

The researchers at NIST acknowledged that their latest iris recognition study was intended to quantify natural aging effects in a healthy population, and medical conditions and injuries can "rapidly and severely" affect recognition. They also termed the results of their study "provisional pending the application of refined statistical techniques to larger and richer data sets" and other factors.

The NIST reports are part of ongoing research into iris identification. The agency established the Iris Exchange Program in 2008 to give quantitative support to iris recognition standardization, development and deployment. Sponsors of the program include the FBI's Criminal Justice Information System Division and the Office of Biometric Identity Management in the Department of Homeland Security.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-4440
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

CVE-2013-4442
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

CVE-2013-7401
Published: 2014-12-19
The parse_request function in request.c in c-icap 0.2.x allows remote attackers to cause a denial of service (crash) via a URI without a " " or "?" character in an ICAP request, as demonstrated by use of the OPTIONS method.

CVE-2014-2026
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.

CVE-2014-2716
Published: 2014-12-19
Ekahau B4 staff badge tag 5.7 with firmware 1.4.52, Real-Time Location System (RTLS) Controller 6.0.5-FINAL, and Activator 3 reuses the RC4 cipher stream, which makes it easier for remote attackers to obtain plaintext messages via an XOR operation on two ciphertexts.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.