How many passwords do you have? For the average computer user, the number can range from dozens to hundreds. It seems like every time I turn around another Web site asks me to come up with a password; I need them to get access to bank accounts, utilities, discussion boards, travel reservations, and countless other services. Security experts tell us that you should never use the same password twice, that passwords should never contain words found in a dictionary, and that they should include combinations of upper- and lowercase letters, numbers, and special characters such as punctuation. Wow. I try to follow this advice for the most part, but the more secure and diverse I make my passwords, the harder they are to remember. A forgotten password is useless, and if I write it down, I take a risk that someone will find it. As long as someone can guess or steal my passwords, my money and important data are vulnerable. The same goes for PINs used to get money from ATMs or codes used to unlock doors and gates. A few months ago I needed to make a deposit into a bank account I rarely use, and although I had my card with me, I had forgotten my PIN and had to return home to look it up on the notice my bank sent me way back when. My money was safe, all right—even from me!
The basic question a password attempts to answer is: Are you who you claim to be? I can walk up to a bank teller with a name and account number, but if the teller doesn’t know me personally, he has to have some way to confirm my identity. Photo ID and signatures are often used for this purpose—on drivers’ licenses, passports, credit cards, and checks. But photos and signatures are relatively easy to forge, and they do little good when conducting business over the Web. This is why, increasingly, companies and governments are turning to biometric data—measurements of some aspect of the body—to solve problems of identification and authentication.
The best-known form of biometric data is the fingerprint. Fingerprints are unique from person to person, and therefore a good indicator of one’s identity. Fingerprints can be scanned electronically, too, so it should be fairly easy for a machine to use a fingerprint to identify someone. Unfortunately, some fingerprint scanners can be fooled in one way or another, and although newer models run additional checks to make sure the finger is—ahem—alive and attached to a body, there is always going to be a certain fear of password amputation. Furthermore, a cut or burn on your finger can throw off a fingerprint scan, and a small percentage of people have no readable fingerprint at all. For these reasons, other means of biometric identification are being developed. Fingerprints, after all, are not our only unique features. Hand geometry, facial structure, voice patterns, and other characteristics can be measured by a machine to help identify a person. But the latest word in biometrics is the iris scanner.
The Eyes Have It
The human iris has more individuating characteristics than a fingerprint, meaning the mathematical probability that two people could have exactly the same pattern is much, much smaller. Your left and right irises are also different from each other, and even identical twins have distinct iris patterns. All this means that iris recognition should be, in theory, virtually 100% accurate. Perhaps just as important as accuracy is convenience. Unlike a fingerprint scanner, an iris scanner does not require contact. In some cases you can be standing several feet away. To oversimplify somewhat, an iris scanner consists of a special digital camera that focuses on your eye and snaps a picture. The meaningful patterns of iris variation are then extracted from the picture and compared against the patterns stored in a database. All this happens in just a few seconds. So instead of inserting a card, punching in a password, or flashing your photo ID, you can identify yourself almost instantly simply by looking in the right direction. Nothing to carry, nothing to remember.
If this sounds like the answer to all your password problems, that could very well be the case…eventually. The current crop of iris scanners has not yet achieved anything near their theoretical accuracy, and they can sometimes be thrown off by very dark brown eyes—or even by tears, long eyelashes, or contact lenses. As developers iron out the bugs, iris scanners are likely to become much more common in banks, airports, and other businesses, not to mention desktop computers.
Looking for a Bargain?
However, iris scanning can also be put to more nefarious uses. As the technology improves, iris scanners will be able to identify you from greater distances—and potentially without your knowledge. In the film Minority Report, people of the not-too-distant future are bombarded by customized billboards and advertising, targeted at them based on surreptitious eye scans. This is not even slightly far-fetched. More worrying, the fictional government of the film tracks the identities and whereabouts of all its citizens by frequently scanning their eyes, leading to a creepy, Big Brotherish atmosphere that is all too easy to imagine. On the other hand, we probably don’t need to worry that someone could remove one of our eyes and use it to fool a scanner. Even today, iris scanners can check for appropriate pupil contraction as a safeguard.
The iris is not the only part of your eye that can be scanned to provide biometric identification. The technology to perform retina scans has been around even longer, and depending on whom you ask, is sometimes considered even more accurate than iris scans. But retina scans are harder to perform because the camera has to be very close to the eye. Retina scans also require more elaborate and expensive equipment, not to mention greater patience and cooperation from the person whose eye is being scanned.
Come to mention it, “person” is too narrow a word when it comes to iris scanning. The technology is now being used as an alternative (or, in some cases, a supplement) to branding or tattooing as a means of identifying horses and cattle. Apart from the challenge of getting livestock to hold still and look at a camera for a few seconds, iris scanning is just as effective on non-human eyes. And I say it’s about time: if you’ve ever seen a cow struggling to use an ATM, you know the importance of better accessibility. —Joe Kissell