Note: This is a “classic” Interesting Thing of the Day article from over 10 years ago. It has not been edited recently, so it may contain broken links, outdated information, or other infelicities. We plan to eventually update or retire most classic articles, as time permits.

How many passwords do you have? For the average computer user, the number can range from dozens to hundreds. It seems like every time I turn around another Web site asks me to come up with a password; I need them to get access to bank accounts, utilities, discussion boards, travel reservations, and countless other services. Security experts tell us that you should never use the same password twice, that passwords should never contain words found in a dictionary, and that they should include combinations of upper- and lowercase letters, numbers, and special characters such as punctuation. Wow. I try to follow this advice for the most part, but the more secure and diverse I make my passwords, the harder they are to remember. A forgotten password is useless, and if I write it down, I take a risk that someone will find it. As long as someone can guess or steal my passwords, my money and important data are vulnerable. The same goes for PINs used to get money from ATMs or codes used to unlock doors and gates. A few months ago I needed to make a deposit into a bank account I rarely use, and although I had my card with me, I had forgotten my PIN and had to return home to look it up on the notice my bank sent me way back when. My money was safe, all right—even from me!

The basic question a password attempts to answer is: Are you who you claim to be? I can walk up to a bank teller with a name and account number, but if the teller doesn’t know me personally, he has to have some way to confirm my identity. Photo ID and signatures are often used for this purpose—on drivers’ licenses, passports, credit cards, and checks. But photos and signatures are relatively easy to forge, and they do little good when conducting business over the Web. This is why, increasingly, companies and governments are turning to biometric data—measurements of some aspect of the body—to solve problems of identification and authentication.

The best-known form of biometric data is the fingerprint. Fingerprints are unique from person to person, and therefore a good indicator of one’s identity. Fingerprints can be scanned electronically, too, so it should be fairly easy for a machine to use a fingerprint to identify someone. Unfortunately, some fingerprint scanners can be fooled in one way or another, and although newer models run additional checks to make sure the finger is—ahem—alive and attached to a body, there is always going to be a certain fear of password amputation. Furthermore, a cut or burn on your finger can throw off a fingerprint scan, and a small percentage of people have no readable fingerprint at all. For these reasons, other means of biometric identification are being developed. Fingerprints, after all, are not our only unique features. Hand geometry, facial structure, voice patterns, and other characteristics can be measured by a machine to help identify a person. But the latest word in biometrics is the iris scanner.

The Eyes Have It

The human iris has more individuating characteristics than a fingerprint, meaning the mathematical probability that two people could have exactly the same pattern is much, much smaller. Your left and right irises are also different from each other, and even identical twins have distinct iris patterns. All this means that iris recognition should be, in theory, virtually 100% accurate. Perhaps just as important as accuracy is convenience. Unlike a fingerprint scanner, an iris scanner does not require contact. In some cases you can be standing several feet away. To oversimplify somewhat, an iris scanner consists of a special digital camera that focuses on your eye and snaps a picture. The meaningful patterns of iris variation are then extracted from the picture and compared against the patterns stored in a database. All this happens in just a few seconds. So instead of inserting a card, punching in a password, or flashing your photo ID, you can identify yourself almost instantly simply by looking in the right direction. Nothing to carry, nothing to remember.

If this sounds like the answer to all your password problems, that could very well be the case…eventually. The current crop of iris scanners has not yet achieved anything near its theoretical accuracy, and they can sometimes be thrown off by very dark brown eyes—or even by tears, long eyelashes, or contact lenses. As developers iron out the bugs, iris scanners are likely to become much more common in banks, airports, and other businesses, not to mention desktop computers.

Looking for a Bargain?

However, iris scanning can also be put to more nefarious uses. As the technology improves, iris scanners will be able to identify you from greater distances—and potentially without your knowledge. In the film Minority Report, people of the not-too-distant future are bombarded by customized billboards and advertising, targeted at them based on surreptitious eye scans. This is not even slightly far-fetched. More worrying, the fictional government of the film tracks the identities and whereabouts of all its citizens by frequently scanning their eyes, leading to a creepy, Big Brotherish atmosphere that is all too easy to imagine. On the other hand, we probably don’t need to worry that someone could remove one of our eyes and use it to fool a scanner. Even today, iris scanners can check for appropriate pupil contraction as a safeguard.

The iris is not the only part of your eye that can be scanned to provide biometric identification. The technology to perform retina scans has been around even longer, and depending on whom you ask, is sometimes considered even more accurate than iris scans. But retina scans are harder to perform because the camera has to be very close to the eye. Retina scans also require more elaborate and expensive equipment, not to mention greater patience and cooperation from the person whose eye is being scanned.

Come to mention it, “person” is too narrow a word when it comes to iris scanning. The technology is now being used as an alternative (or, in some cases, a supplement) to branding or tattooing as a means of identifying horses and cattle. Apart from the challenge of getting livestock to hold still and look at a camera for a few seconds, iris scanning is just as effective on non-human eyes. And I say it’s about time: if you’ve ever seen a cow struggling to use an ATM, you know the importance of better accessibility. —Joe Kissell

More Information

The National Center for State Courts has an excellent Web site on Individual Biometrics that provides technical background, history, and usage details for every major form of biometric technology, including iris scans.

Other sources for information about iris scans:

  • You can find a thorough and well-written discussion of iris and retinal scans, including the pros and cons of each, on the Iris and Retinal Identification page at Western Carolina University’s Automatic Identification and Data Capture site.
  • The International Biometric Group’s Iris Recognition Technology page (free registration required) has detailed information on iris scans.
  • Iridian Technologies is a major patent holder and developer of iris-scanning products.
  • Face-scanning, fingerprinting ATMs gain ground by Laura Bruce at Bankrate.com covers the growing use of biometrics in ATMs as a replacement for PINs or passwords.
  • Eyes may unlock future by Frank Witsil at QVoice (makers of desktop biometrics products) discusses several biometric methods, including iris and retina scans.
  • An article in The Register by Lucy Sherriff, Cry to beat iris scanners, details concerns over how a certain iris scanning system can be thrown off by watery eyes, long eyelashes, and contact lenses.
  • Iris scans take off at airports by Michael Meehan in Computerworld talks about the use of iris scans for identifying airplane passengers and crews.
  • An article by Tim Cordes, DVM on Equine Identification discusses using iris scans as one means of identifying horses.

If you have a Windows-based computer and an extra $200, you can use iris recognition technology today to eliminate typing passwords, using the Panasonic Authenticam Iris Recognition Camera.

In Minority Report, Tom Cruise plays a police officer in the future who finds and apprehends people who are about to commit homicide. This film, directed by Steven Spielberg, provides an eerily believable view of the future, and one that includes ubiquitous eye scanning as a means of identification, advertising, and control.