EyePhones packing Iris-scanning authentication to go mainstream

ABI Research analyst Marina Lu has picked iris scanning as "one of the safest" means to secure user identities on smartphones. The Singapore-based researcher says the Samsung Galaxy Note 7 released last month will help spread the technology and increase adoption of mobile payments. Lu says the biometric authentication …

  1. Oengus
    Facepalm

    As the iris is an unchanging, protected,

    Unchanging and protected... I dispute this... as I have had a very close encounter with a fishhook I can attest that the Iris can be changed and isn't as protected as some would believe...

  2. Charles 9

    My question is how it will be able to tell the difference between a real iris and a duplicate designed to fool it (even fiction has done this).

  3. Christian Berger

    How do you protect your iris?

    I mean you literally have it right in your face. It's on _every_ photograph of your face. You cannot hide it easily in real life. You cannot even change it in case someone got a copy of it.

    On the other hand, it's trivial to fake it and fool even the most sophisticated iris scanners. It's an utterly stupid way to authenticate anything...

    However we are talking about payments. Payment providers are not worried about security. Fraudulent transactions will, at worst, cost them nearly nothing, and at best they can sack the transaction fee.

    1. Anonymous Coward

      Re: How do you protect your iris?

      Iris is "better" in the minds of mindless tech analysts because it is new, and fingerprints are now old. In a few years, when someone decides to use a voiceprint authentication on a phone, that will be the new hotness, and what you want instead of tired old fingerprint or iris recognition.

      The only purpose for iris recognition would be that you wouldn't have to actually touch the phone in a particular place, and it would work when you are wearing thick gloves in the winter (but not if you have sunglasses, so it has its downsides). I suppose the best of both worlds would be either, but of course that makes it easier for an attacker as they have two ways to compromise my phone, depending on whether it is easier to lift my print or my iris.

      1. Christian Berger

        Re: How do you protect your iris?

        Well speech recognition is already common for EC cards in Germany. Here's a news article about this:

        http://www.der-postillon.com/2014/06/komfortabler-bezahlen-pin-code-eingabe.html

    2. The Man Who Fell To Earth
      FAIL

      Re: How do you protect your iris?

      Like all biometrics, once stolen, security is gone forever. The push for biometrics also comes from Law Enforcement & the intelligence services because even in places like the US where the 5th Amendment protects one from having to divulge a password (even if a judge were stupid enough to sign a warrant compelling one to), one has no such protection from having to allow them to take fingerprints, iris scans, DNA, or any other physical measurement (biometric).

  4. Anonymous Coward

    How is an iris different from a fingerprint?

    Unchanging -> also the case with a fingerprint (barring injury in either case)

    Completely unique -> also the case with a fingerprint

    As for protected, I guess the idea is that it is easy to lift your fingerprint off a glass or whatever, but how is an iris protected? The camera a Note 7 is using costs only a few bucks and is able to read your iris from a couple feet away (at least, not sure of the distance but if you have to hold the phone 6" from your face it is utterly useless so I'll assume that's not the case)

    If you are willing to spend a few hundred dollars on a high resolution camera, or just put a tiny telephoto lens on the tiny one from the Note 7, you could read the iris from across the room - you just need to get someone to look at it. How to do that? Hide it next to a TV, or build it into the jacket a woman with nice cleavage is wearing as she walks around the room and you'll get the iris of everyone in that room before long. Or show them something on your phone, if you can't be bothered to plant a camera somewhere...

    1. VinceH

      Re: How is an iris different from a fingerprint?

      Quite.

      Another issue is that the data representing your iris (or fingerprint, face, arseprint, or whatever other biometric could potentially be used) has to be stored. If the fools are adamant on doing this then, like passwords, that data should be salted and hashed.

      But because of the apparent belief that this stuff is somehow secure and can't be 'stolen' I fear that there will be some systems where this isn't done - and if such a system is ever breached, that's the raw biometric data in the hands of crooks.

      1. Anonymous Coward

        Re: How is an iris different from a fingerprint?

        Yes, that is a problem. Touch ID on the iPhone stores information only in the secure enclave of your phone, it is never sent to Apple or backed up to iCloud, and doesn't even store your actual fingerprint but rather a representation of it.

        But if you used a fingerprint on some other system that didn't have those protections, and what is essentially a scan of your fingerprint gets out, then you can probably use it to bypass Touch ID. You can switch to a different finger for Touch ID, but eventually you'll run out...

        1. Anonymous Coward

          Re: How is an iris different from a fingerprint?

          "You can switch to a different finger for Touch ID, but eventually you'll run out..."

          Does Touch ID work regardless of angle? For a time, I used a Samsung fingerprint sensor but swiped my finger sideways (had to stop when support was mangled in Marshmallow).

          1. Anonymous Coward

            Re: How is an iris different from a fingerprint?

            You don't swipe your finger with Touch ID, you touch it. It works the same at any angle - I just tried it with my thumb upside down and with it sideways and it unlocked instantly as normal.

  5. SimonC

    Obtain a selfie of the person, zoom in, hold your phone to their phone, don't even need a printer.

    Even better, unlock their phone, take a photo of their lockscreen which has a selfie of them on it, then flip your phone around and show it right back.

    Even better, unlock their phone and hold a mirror above it. Facial recognition.

    1. andreas koch
      Unhappy

      @ SimonC -

      Oh, wow.

  6. Anonymous Coward

    iris

    yum-yum, yummy data...

  7. Christoph
    Mushroom

    Exploding eyeballs?

    "the Samsung Galaxy Note 7 released last month will help spread the technology"

    They expect people to hold up to their eyes a phone which has an unfortunate habit of exploding?

  8. jjk
    Facepalm

    Demolition Man

    Anybody that advocates iris or retina scanning should be forced to watch it.

    1. User McUser
      Trollface

      Re: Demolition Man

      Because they'll want to gouge out their eyes and thus be unable to use their phones?

  9. cambsukguy

    I tried and tried...

    But, haven't defeated the iris scanner on my phone.

    I used a good photo, taken with the phone of course. I tried different distances, close, far, both eyes, one eye. Obviously tried letting others look at it too.

    The thing is, the phone emits IR radiation so it doesn't use visible light anyway. It works in the dark, better than in bright sunlight in fact.

    It also uses a 3D sensor array thingy that prevents anything flat from fooling it, I think it means that a fake eye has to present in 3D and match in IR light.

    I would imagine a retina scan is superior but that is not the point.

    My phone has a PIN which has to exist, it is required if you restart the phone and obviously may be used as an option at any time.

    Anyone that takes your phone and could 'make' you look at it could also 'make' you enter the PIN, i.e. by force. Anyone willing to use physical force, will presumably march you right to a cash machine at least or even make you transfer money from your bank, the value or otherwise of your actual phone is largely immaterial.

    If you remove force from the equation you have casual thieves, your nosey/suspicious spouse/partner and law enforcement as possible entities trying to gain access.

    In the UK at least, not aiding law enforcement to access your device is punishable by a very severe jail sentence, definitely only worth withholding if you are a very serious offender, with evidence on the device *and* you think they could not crack the PIN or security anyway given time - it may be legal to *force* someone to open their eyes and look at a device although I am uncertain at best whether they can compel that here at least.

    So my phone is locked against casual thieves, *does* have good protection against biometric copying, considerably better than fingerprint devices I imagine, and has the aforementioned ability to be unlocked when wearing gloves etc.

    The downside is that the phone might need the lock removal prior to driving, unless you use the Sat Nav which keeps it from locking anyway. Using the iris scanner anywhere but at a red traffic light is dubious since you have to look at the phone for about a second. Having a BT-enabled car means it does the calls and texts etc. even while locked though so this is less of an issue. What you can't do is start the Sat Nav while already driving, using Cortana, because she politely asks you to unlock your phone first. Tapping a PIN is fine, if you are alone in the car.

    It is not great in bright sunlight so shielding one's eyes might be required, it is then just easier to use the PIN.

    It is just a little slower than fingerprint scanning, or even a PIN if you tap fast I think.

    But, like a fingerprint scanner, you can unlock your device without hiding it from people.

    I imagine my device will not get the use of it for ID, banking or purchases however, since it is a WinPhone, will just keep waving an NFC card about I think.
