On the surface, this looks as though it might be convenient: from grade 6 parents will be able to track their children’s every move from the time they leave the house until they return (unless they skip school, in which case they’d presumably be notified, too).
It would be useful for businesses to control admission to facilities, stores to verify credit card users (or eliminate credit cards completely), and buses, trains and airplanes to allow only verified, paid passengers on board. This could be a big win for people — it might even reduce identity theft. I’m all for that having been a victim myself.
What am I talking about? I’m talking about iris scanning, a form of biometric identification that is increasingly being used for authentication. Iris scanning has been used for some time in high-security facilities. It is now making its way into schools.
If you’ve been following this blog or if you’ve taken Learning Tree Course 468, System and Network Security from me, you probably know that I’m a proponent of biometric authentication. But there are drawbacks. Two of the greatest of these are the issues of false acceptance and false rejection.
False acceptance is the positive authentication of an individual when the individual should be authenticated. Likewise, false rejection is the refusal of a system to authenticate an individual who should be authenticated.
These issues are easy to think about when considering fingerprints: a cut in a finger might trigger a false rejection, and a fake fingerprint might trigger false acceptance. There are ways to mitigate many of those fake fingerprint attacks, of course.
Iris scanning can be defeated, too. One way, surprisingly, is a paper face with a good image of the eye. This post by Bruce Schneier discusses defeating iris scanning and the comments below it add good insight. The post also points out that one can wear “fake irises” to create false rejections.
In terms of false rejection, eyes tend to deteriorate, too, but scheduled re-enrollment may address that issue. False negatives may also occur due to poor quality images taken at the point of authentication.
Biometric authentication through iris scanning is a valuable tool. It has its downfalls, too, and those must be considered by those deploying it. If proper countermeasures are deployed to limit false acceptance and false rejection, it can be useful in high security situations. I’m just not sure I want it used to track people cradle-to-grave.