Eye wouldn't be too worried about this if eye were the cops...
Eye will be going now.
Fujitsu has released a smartphone that it claims is the first in the world to use iris scanning to replace passwords or fingerprint readers. The Fujitsu Arrows NX F-04G, first displayed at Mobile World Congress earlier this year, comes with the usual accoutrements you'd expect in a smartphone. It has a 5.2-inch …
There were articles floating around here on El Reg a few years ago reporting exactly that. Iris scanners of the day could be fooled by taking a photo of someone with a modest camera, printing out their iris with a hole cut for the pupil and presenting that in place of the actual person.
Though to be fair this is meant to be for unlocking a mobile, not for safeguarding a nuclear bomb...
Which is fine as long as you don't have your nuclear bomb launch app installed on a phone "protected" by iris authentication.
In this day and age it's only a matter of time. Who wants to carry around a suitcase full of launch codes? How very 1950s. Soon there'll be an app for that. You can betchyalife.
Can you just use a photo of your iris? Because that's really not secure at all.
I think it's too early to tell, but in my opinion you're looking at a clever volume test of new technology that Fujitsu is developing; smartphones are a really quick way to do a mass rollout of something that is still subject to improvement. In case you didn't know, Fujitsu also develops sensors for palm recognition, and how these work may give a clue as to why eye recognition may actually work.
For a start, these are depth readers, so they look "beyond" your skin for vein patterns, and a picture won't do. Next, they had to simplify analytics already as the original ones produced so much data that a pass/fail took seconds (if I recall correctly the first ones took well over 10 seconds) so they may have found a new balance between resolution and security and may have ported all that learning to this phone and iris scanning.
I'm now entering the realm of speculation, but I think it's plausible to assume that this eye scanner may look for vein patterns instead of iris matrix. They may swell up after a night out, but AFAIK the pattern doesn't change (anyone with a medical background? Is this correct?). Alternatively, few are focusing on iris recognition of late, so Fujitsu may have come up with something new.
As for how to use that, there are already various deployment models out there that don't require your biometrics to travel off the device - you'd just use a locally stored hash of the biometrics to open a credentials strongbox in the phone (which is where all the more traditional challenges hide :) ).
So, based on past performance, I reckon this may indeed be interesting enough to keep an eye on, so to speak :)
Does it matter? A swipe pattern or 4 digit PIN isn't secure either, and can often be figured out just by looking at the smear pattern on the screen. Many people still just use the "swipe left to unlock" thing, because all they want is something to stop them accidentally pressing things while their phone is in their pocket, not a security feature to prevent people with physical access to the hardware from being able to hack it. Sure, biometrics (at least as presented so far) are not good enough for real security, but they're still harder to fool than the most common measures currently in use. Getting a picture of someone's eyeball is more difficult than noticing the picnic table shaped smear in the middle of their screen.
Anyone who thinks biometrics like this will solve all our security problems is obviously wrong. But anyone who thinks that just because they won't solve all our problems they must be completely useless is just as wrong. Is it more secure and/or more convenient than other common measures? If so, it doesn't have to be perfect in order to be useful.
I find by far the biggest flaw is one that hardly seems to get a mention - I don't want to have my phone locked to my person. If I'm driving, for example, it's quite handy to get someone else to mess around with music, satnav, etc. I don't care how secure biometrics might be if it means I can't let someone else use my phone. Hell, facial recognition and iris scanning mean even I can't use it if I'm in a situation where I can't stick the phone in my face for some reason (again, skipping music while driving is a common situation, or even just turning the screen off until I reach the part of the journey where I actually need directions).
WHAT ABOUT PEOPLE WITH TERRIBLE MEMORIES?
There ARE people for whom even a PIN code or password is extremely difficult to remember. Maybe they have SO many credentials on a regular basis they keep getting them mixed up. I know every so often I forget a password or get passphrases mixed up ("Now was that CorrectHorseBatteryStaple or PonchoSombreroBandito? Or maybe BanditoPonchoSombrero?").
How do you secure a device when you can't remember?
Really? I call bullshit on this claim.
How do such people manage with banking and other apps that require PIN codes? How have these people survived in a world of ATMs and "Chip and PIN"? A smartphone is a choice, and one that is far more easily avoided than any number of other aspects of modern life which demand such "astonishing" feats of memory.
Besides, the suits aren't marketing such technology as a "convenience feature" or solving problems for amnesiacs around the world. It is sold as being more secure. It ain't.
Yes, but frankly all I want is a casual lock, to stop the kids doing stuff.
And they aren't nearly sophisticated enough (at 4 and 6 years old) to bypass TouchID - they would however easily copy a PIN, they would see me log in often enough...
The way I stop other people getting into my stuff is to keep it with me, I don't leave it on a train or a taxi, or on a bar for half an hour...
Physical security is something that most people have some grasp of - it's certainly easier to get right...
Oh - and a remote wipe is always an option as well.
As others have pointed out, it suffers from the same flaws as fingerprint scanners in that it is not all that secure and you can't revoke a compromised finger or iris.
But even to the convenience factor that is the main point behind Touch ID, it is nice because you can automatically unlock the phone as you pick it up so it is instantly ready. Not so if you have to focus your eyes onto the camera in order to unlock it. Granted that's not much time to wait, and is still quicker than a PIN/password but with a simple touch unlock it is a lot more fluid and doesn't require you to look at it - i.e. when my girlfriend sends a quick text under the table at dinner because she knows I'll give her crap about it if I see the phone :)
It already existed. The company went bust when they tried to sell it to banks who were passionately not interested in a device that was miles better but cost 4x what they were paying current providers. The tech was brilliant, but the people leading the company were utter morons who should not have been allowed to manage a wet paper bag.
Given the pitfalls of daily living that could cause this thing to fail to identify/authenticate... I'm tickled I'm not going to support this phone. Having an irate high up who had to have the latest toy and now it won't let him into it will be a tech's nightmare.
Disclaimer: I'm a tech. I'll support 800 company PC's and the 100 Laptops but not 10 smartphones. There's just not enough at my local site to bother getting proficient.
Ok, so the iris scan alone could be defeated. What if it's in tandem with a PIN/pass/pattern, which cannot be entered until your NFC key is within range? That's potentially three locks and the user still only has to do the work of getting past the PIN/pass/pattern lock because the other two are just automatic. Sounds pretty good to me.
This is a shocking violation of privacy and anonymity.
People just have no idea. They accept the user agreement (by 'turning on' the phone, as defined by the agreements), then are distracted by the 'benefits' of the technology without even being educated as to just what this means for their civil liberties and autonomy long term.
Our phones (first fingerprint Home buttons, now this) are becoming the ultimate trackers, stalkers, snoopers, and government loggers that the system couldn't be more happy about in their wildest dreams.
George Orwell would be ROLLING in his grave. His ideological vision was spot on but even his imagination didn't think of biometric sensors literally uniquely identifying and digitally branding our BODIES (not just humans observing our faces), feeding this to the system complete with precise geo-location 50 times a day, day in day out!
WAKE UP PEOPLE - IS THAT REALLY SOMETHING YOU WANT JUST SO YOU CAN UNLOCK YOUR PHONE OR MAKE AN APP PURCHASE 5 SECONDS QUICKER???
As batteries slowly become better and CPU technologies and chips (and the leading software) become more and more efficient, and storage/networking capacity increases also, and the fact that metadata gives a GREAT deal of data (unique UUIDs pertaining to your body's biometrics) in just a few tiny bytes of data, means surreptitious tracking (all hidden in 'proprietary IP' encrypted closed-source code) ALREADY is trivially possible by our modern devices and we've seen too many leaks and controversies to not believe it is SIMPLY HAPPENING (or, you should just assume it is) because if there's anything we've learned from Snowden, it is that what CAN be done WILL be done (conspiracy-wise) - if it is scientifically demonstrably possible and 'the people' can be kept 'blissfully' ignorant of it.
They won't kill people openly on the streets - they won't open oppression that actually causes discomfort - because that is 'seen', that is 'felt' - and history has shown that enough of that will only make 'the people' rise up and overthrow you, replacing YOU with THEM. (And so on and so forth.)
But whatever's 'what they don't know won't hurt them' (and furthermore, oppression that you EVEN LIKE - Bread and Circuses) is precisely where they WILL do what CAN happen - technologically - so it is up to US to be vigilant (if we even care) about having INDEPENDENCE from this corrupt system more and more akin to 1984/Brave New World every day.
Forget about laws. This is reality we're talking here, not disneyland.