
Robert A. Costner <pooh@efga.org> wrote:
> As wonderful as eye scanning technology may sound, it promises to offer very weak identification and only be reliable in the short run. This is based on the premise that a reproduction of an eye will work as well. Just as a reproduction of a driver's license seems to work for check forgery.
With respect, I disagree. I think it is quite likely that an iris-scan technology can effectively differentiate between a living eye and a reproduction (or, as one of my many correspondents on this topic suggested, an eye forcibly removed from the socket of a potential fraud victim.) In any case, the issue of false positives/negatives will be settled with evidence. I think the technology will probably be useful, in those terms.

My concern is rather with who owns and controls the scan data from an individual's own eye: whoever scans him or her? Scans at a distance? Surreptitiously? Whatever entity claims the right to validate or authenticate the individual's identity, for his or her own good? for the public good?

If the value of eye-scanning (or any other type of biometric authentication) is to be short-lived, it will be because the scan-data itself will be poorly held, or transferred insecurely. While it may be difficult or impossible to fake out the camera with a phony eyeball, it will _certainly_ be possible to inject a copy of the proper scan-data somewhere into the linkage between the camera lens and probably remote authentication server which will support it.

The inherent weakness of biometric identifiers is that, if (or when) there is a breach in the authentication system (or the access controls or crypto system which secures the database which supports it,) it will be impossible to correct the situation (as we might issue a new ATM card or smartcard, or a new SecurID, or change a user's password.) The real victim of a poorly-designed authentication system which uses biometrics will be the citizen/consumer who trusted his (irreplaceable, being often single and unique) biometric scan to an entity which handled it with improper care and precautions.
My sarcastic reaction to Jonathan's initial post was in reaction to his report that some commercial banking organization was planning to surreptitiously collect these iris scans and use them to replace user-memorized PINs for validating cash disbursements. (Jon tells me that he originally heard this version on AM radio in San Francisco: the Barbara Simpson show, KSFO 560AM, which he has found an often-reliable source.) I still consider this unlikely -- if for no other reason than the fact that banking regulators (i.e., insurers) would never allow it.

There is, of course, a whole set of political and sociological issues which revolve around the rough equivalence of effective biometric system, and the database which will give it value, and the traditionally feared "national ID" paper-document system. Jonathan's initial post validly raised that fear.

There is also an important public-policy discussion in the question of whether the commercial value of such a system (and its database) to consumers will again tempt the mass of (US) citizens into voluntarily giving up control over this authentication technology (for easy credit or faster and bigger ATM withdrawals) to business... for the government to later take advantage of as it will, when this aspect of our privacy is just another commodity.

[Much of American privacy has already been traded off by our citizens in a similar fashion. Europe, where privacy was redefined when governments extended citizen property rights to include information about that citizen, presents a different model. With some problems, which Libertarians are prone to stress;-) and some valuable protections.]
(Did anyone note the European Commission's denunciation of US crypto policy specifically noted that forcing European citizens to include a message-recovery mechanism for government eavesdropping in their legal e-mail or other electronic message systems would probably be a violation of privacy rights commonly held by all citizens of the European Union?)

Biometrics (something you are) is one of the three classic mechanisms by which we convince a computer that we are indeed someone whose identity was previously registered with the computer: something one knows (password, PIN,) something one has (token, smartcard, ATM card,) or something one is (the biometric.)

Biometric identifiers, because they are static -- and thus, inherently subject to replay attacks from _somewhere_ in their process or procedures -- will likely always require confirmation from other authenticators. Certainly they will require a secondary confirmation before they are used to validate an active transfer of value like an ATM's disbursement of cash. (The lawyers and auditors will demand it.)

I actually expect that the current standard for "strong authentication" in business practice -- "two factors;" typically a password and a token/card (often enhanced with a one-time password generator, which provides proof that the token is in the user's hand at the moment the authentication code is generated) -- will soon be expanded to three. It is far more likely that auditors in the future will define "strong authentication" systems as requiring (1) a user-memorized PIN, (2) a token, and (3) a biometric, than that they will do away with the requirement for either the PIN or the token.

Tokens (by classical definition, personal and mobile, usually pocketable) are becoming personal repositories for encryption and digital signature keys, eventually secure crypto-engines, so these hand-held authenticators will likely become even more valuable.
And a PIN or password will, at the very least, still be required to secure the smartcard's internal data so that the crown jewels are not readily available to every pickpocket.

The interesting question is what sort of controls will be placed (probably by legislation) on second or third party access or traffic in consumers'/citizens' biometric data. It may be that all parties (citizens, government, business) will have a common interest in holding systems which capture or store these data-files to a very high infosec or crypto standard in order to keep biometric files from falling into the realm of meaningless index data (like Bob's example of the US social security number.)

The use of biometrics as an authenticator will have commercial value -- to the citizen/consumer and to commercial entities -- only if the biometric scan-data is handled securely and respectfully.

The use of biometrics as an administrative tool is probably inevitable -- something we already see with photographs and fingerprints (which are, of course, also biometrics.) And as machines are better adapted to scan for fingerprints, or faces and irises (remotely, as in an airline terminal, bank lobby, or street corner?) -- and then to search, match, identify and log the presence of these consumers/citizens at this or that place -- our culture will inevitably get more constipated and the freedom of our anonymity will be cramped (albeit, a protected place may be "safer," as some will argue.)
Hey, no one said the future was going to be easier to live than the past;-)

This record-keeping has been an obsession of modern governments since the French Revolution, and only if we keep explaining and making the impact of the technology a political issue -- as in the way computer-monitoring can cut the cost of a $70,000 typical wiretap to a few dollars, vastly increasing the capability of government to listen to more, quite cheaply -- can citizens grasp what is at stake and strive to defend themselves and the next generation.

Random thoughts, shared for comment.

Suerte,
_Vin

"Cryptography is like literacy in the Dark Ages. Infinitely potent, for good and ill... yet basically an intellectual construct, an idea, which by its nature will resist efforts to restrict it to bureaucrats and others who deem only themselves worthy of such Privilege."
_ A thinking man's Creed for Crypto/ vbm.

* Vin McLellan + The Privacy Guild + <vin@shore.net> *
53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548
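
The message's point that static scan data is open to replay, while a one-time code from a token is not, shown as an added example that is not part of the original message. The template bytes, token secret, message layout and class names are constructed for illustration, and the HMAC counter code is an assumed stand-in for whatever a real token computes.

```python
import hashlib
import hmac

# Constructed sample values; none of them come from the original message.
ENROLLED_TEMPLATE = hashlib.sha256(b"constructed-iris-template").digest()
TOKEN_SECRET = b"constructed-token-secret"


def one_time_code(secret: bytes, counter: int) -> str:
    """Counter-based token code (HMAC-SHA256, shortened to 8 hex digits)."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256)
    return mac.hexdigest()[:8]


class BiometricOnlyServer:
    """Accepts any message that carries the enrolled scan data."""

    def verify(self, message: dict) -> bool:
        return hmac.compare_digest(message["scan"], ENROLLED_TEMPLATE)


class BiometricPlusTokenServer:
    """Requires the scan data and a fresh token code; each code works once."""

    def __init__(self) -> None:
        self.next_counter = 0

    def verify(self, message: dict) -> bool:
        scan_ok = hmac.compare_digest(message["scan"], ENROLLED_TEMPLATE)
        expected = one_time_code(TOKEN_SECRET, self.next_counter)
        code_ok = hmac.compare_digest(message.get("code", ""), expected)
        if scan_ok and code_ok:
            self.next_counter += 1  # a used code is never valid again
            return True
        return False


def demo() -> dict:
    weak, strong = BiometricOnlyServer(), BiometricPlusTokenServer()
    # One message as it would appear on the link between camera and server.
    captured = {"scan": ENROLLED_TEMPLATE, "code": one_time_code(TOKEN_SECRET, 0)}
    fresh = {"scan": ENROLLED_TEMPLATE, "code": one_time_code(TOKEN_SECRET, 1)}
    return {
        "weak_first": weak.verify(captured),
        "weak_replay": weak.verify(dict(captured)),      # same bytes, accepted again
        "strong_first": strong.verify(captured),
        "strong_replay": strong.verify(dict(captured)),  # stale code, rejected
        "strong_next": strong.verify(fresh),             # token holder's next login
    }


if __name__ == "__main__":
    print(demo())
```
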