What do air travelers, teachers, children and even convicts have in common? They are all voluntarily or involuntarily undergoing “iris scans.”
Travelers bypass long security lines at the airport through Fly Clear, a service whose subscribers obtain a biometric card carrying a scanned image of their iris. Teachers undergo iris scans whose data is retained in their boards of education's databases, while convicted felons are submitted to scans so they can be identified easily if they commit another crime. In addition, local police precincts offer iris scans of children through a national project that assists in identifying missing children.
If your role involves reviewing the security and access controls of your client's or employer's information technology assets, then you should be familiar with biometrics. As more organizations seek to add another layer to their arsenal of identity and access management measures, biometrics – specifically iris scan technologies – requires a review to ensure it adheres to organizational and regulatory standards for the collection, storage, use and disposal of data. The primary objective for users of this technology is to reduce or eliminate security risks; the CPA IT professional's knowledge in this area will help in assessing risk and control.
"Biometrics" is derived from the Greek words bios for life and metron for degree. Biometrics measures and analyzes human physiological and behavioral characteristics, including fingerprints, eye retinas, irises, voice patterns, signatures, keystrokes, DNA, vascular patterns, facial patterns and hand measurements. Biometrics – or more specifically Iris Recognition Technology (IRT) – is deployed to secure our borders, minimize the risk of terrorism, verify a person's identity, control access to confidential and restricted data, and support counter-surveillance measures, eliminating or reducing these risks.
The effort makes logical sense when you assess the complexities organizations face with tracking and tracing individuals in an efficient manner. However, how secure is the technology and does it invade your privacy?
Three Phases of IRT Technology
1. Enrollment
As with any other systems development life cycle, the definition, construction and implementation phases are executed during this period. In order for Iris Recognition (IR) to be an effective tool, a quality system with the proper controls must be achieved.
The first and most important component begins with data enrollment. Without a seamless, accurate enrollment, authentication at a later stage would be impossible. Enrollment is the process of creating the eye templates of the sample group for storage in a database. The images can now be linked for authentication.
An IR camera captures a black and white picture from a distance of five inches to two feet. These cameras operate at different distances depending on the manufacturer's design, while using technology similar to the infrared beam of a television remote control. The emitted beam is barely visible and safe.
Once the black and white image is captured, the “trabecular meshwork” (elastic connective tissue of the iris) is encoded through demodulation with specialized mathematical software to create an IrisCode template. The software localizes the inner and outer boundaries of the iris, making sure there are no discrepancies with eyelashes, eyelids or other barriers. According to SANS Institute, “The demodulation process uses functions called 2-D wavelets that make a complete description of the iris pattern that only consist of 512 bytes of data.” This template is then stored in a database or on a smart token for later authentication. The template is often encrypted to eliminate the possibility of identity theft.
2. Authentication
Like other biometrics, IRT is based on pattern capture and pattern recognition using video camera technology, which makes authentication quick and painless. A live image is compared against the previously enrolled templates to see whether the system finds a match in the database. The decision threshold is automatically adjusted for the size of the search database to ensure that there are no false matches.
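The matching step in code, as an added example that is not taken from the article or from any vendor it names: each 512-byte template is modelled as 2,048 code bits plus 2,048 mask bits, two templates are compared by the fraction of mutually visible bits that differ (a Hamming distance, minimized over a few bit rotations to absorb head tilt), and the accept threshold is recomputed from the gallery size so that an exhaustive 1-to-n search keeps its false-match budget. The Hamming-distance comparison, the binomial impostor model with 249 degrees of freedom and the templates themselves are assumptions and constructed data, not details from the page.

```python
import math, random

N_BITS = 2048                # 256 bytes of code + 256 bytes of mask = the 512-byte template the article cites
DOF = 249                    # assumed independent bits in an impostor comparison (modelling assumption)
ALL = (1 << N_BITS) - 1

def rotate(bits, k):         # circular shift: absorbs a slightly tilted head between captures
    k %= N_BITS
    return ((bits << k) | (bits >> (N_BITS - k))) & ALL

def fractional_hamming(probe, enrolled, max_shift=3):
    """Fraction of mutually unmasked bits that differ, minimised over small rotations."""
    code_a, mask_a = probe
    best = 1.0
    for k in range(-max_shift, max_shift + 1):
        code_b, mask_b = rotate(enrolled[0], k), rotate(enrolled[1], k)
        common = mask_a & mask_b          # skip bits hidden by eyelids or lashes in either image
        if common:
            diff = (code_a ^ code_b) & common
            best = min(best, bin(diff).count("1") / bin(common).count("1"))
    return best

def impostor_match_prob(k_bits):
    """Binomial model: chance an unrelated iris disagrees in at most k_bits of DOF fair-coin bits."""
    return sum(math.comb(DOF, k) for k in range(k_bits + 1)) / 2 ** DOF

def threshold_for_gallery(n_templates, target_fmr=1e-6):
    """Largest distance threshold whose expected false matches over a 1-to-n search stay under target."""
    k = 0
    while k < DOF and impostor_match_prob(k + 1) * n_templates <= target_fmr:
        k += 1
    return k / DOF

def identify(probe, gallery, target_fmr=1e-6):
    """Exhaustive 1-to-n search: (subject, distance) of the best match, or None if not confident."""
    best = min(((fractional_hamming(probe, t), sid) for sid, t in gallery.items()), default=(1.0, None))
    return (best[1], best[0]) if best[0] <= threshold_for_gallery(len(gallery), target_fmr) else None

def demo(seed=7):
    """Constructed data: three enrolled eyes, a genuine re-capture of one, and a never-enrolled eye."""
    rng = random.Random(seed)
    gallery = {n: (rng.getrandbits(N_BITS), ALL ^ (rng.getrandbits(N_BITS) & rng.getrandbits(N_BITS)))
               for n in ("alice", "bob", "carol")}   # mask clears ~25% of bits as lid/lash occlusion
    code, mask = gallery["alice"]
    for _ in range(N_BITS // 12):                    # ~8% of bits read differently on the live capture
        code ^= 1 << rng.randrange(N_BITS)
    genuine = identify((rotate(code, 2), rotate(mask, 2)), gallery)   # slight head tilt
    impostor = identify((rng.getrandbits(N_BITS), ALL), gallery)
    return genuine, impostor
```

Note how the threshold returned for a million-template gallery is well below the one for a single 1-to-1 verification: the larger the exhaustive search, the stricter each comparison must be to keep the overall false-match probability fixed.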
3. Management and Integration
According to LG Electronics, “IRT is ideal for applications handling large databases based on its design to work in the 1-n or exhaustive search mode. Devices such as LG’s IrisAccess platforms integrate well with large database backends like Microsoft SQL and Oracle 8 and 9. This flexibility makes it ideal to manage large user groups, such as large government agencies or a national documentation corporation. While IR was initially designed to work in one-to-many search mode, the technology is now suited for applications that require one-to-one matching, or verification mode.”
Iridian Technologies, a market leader in IRT, developed products for easy integration with existing infrastructure: the KnoWho server, KnoWho Authentication Developer’s Suite and PrivateID applications. During recognition, the KnoWho server accepts an iris image (IrisCode) template and performs a high-speed, real-time, exhaustive search to match an existing IrisCode template. Once the match is found, it is given a unique identification number, the only label needed to match a request for authentication with a stored IrisCode template. Basic information, such as names, addresses or even privileged information, can be stored and secured elsewhere for remote retrieval.
The development suite is available with tools to enable application-building based on PrivateID and the KnoWho authentication server. This suite consists of KnoWho Authentication Server Software Developer’s Kit (SDK), PrivateID Recognition Demo Application, Computer Associates eTrust Iris Authentication Agent and Netegrity’s Siteminder Iris Authentication Agent.
Industries Using IRT
IR is used for productivity enhancements, such as time and attendance records, just-in-time inventory control, sophisticated supply chain management, and even "coopetition," where companies compete in some areas and cooperate in others. The technology is spreading into wider use to combat credit card fraud, identity theft and other security issues.
Because of its unique identification capability, demand for this technology is growing in various industries, including healthcare, transportation, government agencies, public institutions and the private sector – all of which strive for security compliance.
Benefits of IRT
· Accuracy and Uniqueness. IR is the most accurate and reliable of the biometric technologies. Compared to finger and voice recognition, IR can streamline the other procedures that are in place to expedite identity verification. Historically, IR has never recorded a false acceptance. An iris scan records 240 unique details – far more than the seven to 24 details obtained from a fingerprint. The odds of being misidentified by an iris scan are about one in 1.2 million, and just one in 1.44 trillion if both eyes are scanned.
· Human Intervention Factor. Human intervention is not required to establish limits or thresholds to accept or reject an eye scan. Using the technology requires fewer human decisions and less interaction.
· Authentication. The iris is very detailed and exhibits a distinct pattern. The chance of two irises (irides) being identical is remote. Research has confirmed a high level of statistical reliability in the system.
· Unparalleled Stability. The patterns and structure in the human iris are fully formed by 12 to 18 months of age. The pattern remains constant, barring certain degenerative diseases, until a few minutes after one dies.
· Other Benefits. IRT is non-invasive and versatile. The technology does not expose the person being scanned to any harmful energy source or retinal damage, and it can be used in any environment where identity authentication is required. The versatility of the technology will enhance security, ensure service, and eliminate fraud and identity theft. It increases school safety by monitoring access to school campuses, provides signature verification and credit card authorization, and replaces PINs during ATM banking, not only to verify identity but to maximize convenience.
Disadvantages
· The technology can use a large amount of memory for the data to be stored. With future advances in technology, this setback can be overcome.
· The countermeasures built into system designs are complex; work on new generations of devices and on anti-tamper deterrents is part of product development by the larger players.
· The information obtained can be linked with other private pieces of data. What limitations should be imposed on the use of our private data by this technology? What access would other companies have to your information (e.g., would it be sold to telemarketers)?
· Another factor to consider is that if your iris scan data is accessed and manipulated by an unauthorized user, that data is forever compromised. It's easier to change a bank account number or PIN, and start fresh, than it is to alter the imprint of your eye! A far more damaging scenario is an unauthorized user obtaining the data of several thousand subscribers. How would a company compensate subscribers for this type of irresponsibility and unreliability?
· In addition, people may voluntarily submit to an iris scan for personal reasons. Because of the proliferation of its use through various agencies, the potential exists for the information to be repurposed and used for something other than its original intent. The recent requests by the U.S. government for phone logs from the telecommunications industry are one example of customers losing their anonymity.
Risks
There are a number of risks and privacy concerns related to IR that must be addressed prior to implementation:
· Vulnerability – Can data be stolen or exploited?
· Authenticity – Can the data be manipulated or tampered with?
· Storage – Is the data maintained in a central location or dispersed throughout multiple sites?
· Confidence – How reliable is the technology’s authentication process?
· Linking – Will the data be linked to other sources that could possibly invade your personal privacy such as spending habits?
· Ubiquity – How would you feel if you were being watched and your every move traced?
Setting the Standard
In today's business and social environments, the need for secure authentication and verification is increasingly important. Passwords, PINs and token cards are security risks because of human nature; they can all be forgotten or compromised.
The uniqueness of the iris has put IRT at the forefront of security, including access control and data protection. Its low probability of false acceptance will encourage the adoption of IRT. The technology provides a secure, non-intrusive way to authenticate users onto corporate networks, with the speed required to minimize user frustration.
Consumer and user buy-in is a must if biometrics is to supplement or replace some of the traditional authentication methods. The marketplace will want assurance that biometric systems offer increased security and convenience without complicating transactions or risking unauthorized disclosure of personal information, and that the data will not be used for purposes other than its original intent.
In light of recent regulations set by 39 states and the U.S. federal government, safeguarding information is a top priority for all businesses, especially in the areas of data management and security and the actions required of businesses that compromise their customers' personal information. For CPA IT professionals who assess systems controls, these are challenging times.
Here’s looking at you, IRT!
Contact Joann David-Parrilla at jdavidparrilla@aicpa.org. Note that the opinions expressed here do not reflect an endorsement or recommendation from AICPA.