The following text is copyright 1998 by Network World; permission is hereby given for reproduction, as long as attribution is given and this notice is included.

It's so hard to know you

By Scott Bradner

The biggest problem yet to be solved in the area of computer and network security is figuring out a sure way to determine who a particular user is. Most users of computer technology are not individually identified beyond having physical access to a PC. This is far from sufficient in business environments or on the Internet. In these cases most users prove their identity by knowing a few facts. Knowledge of a logname and password, often buried deep in some auto-login script, is all that differentiates one user from another. If you use a system like this and I were to find out your logname-password combination, I would be able to pretend to be you, a pretense complete enough that your systems could not keep me from doing anything that you are permitted to do.

Many approaches are being tried to augment this loose level of identification. Most common is the use of physical tokens along with some piece of knowledge. ATM cards are a simple example of this. Someone stealing your card would not be able to use it without knowing the associated PIN. One problem with this type of system is that people can lose their cards. It would seem to be ideal to be able to use something that the individual would have a very hard time losing, a body part for example.

There has been a lot of work on biometrics, the technology of using physical characteristics to identify individuals. All sorts of systems are currently available using fingerprints, voice recognition, hand profiles, and retinal scans. (You've seen the retinal scan units: you look into a little hole and if you are not the right person it pokes you in the eye.) A consistent problem with biometric systems is a high reject ratio; they tend to misidentify people too often.

In the early 1990s John Daugman, then an Assistant Professor at Harvard, showed me the results of some experiments he was working on involving trying to use scans of irises to identify people. He showed that this could produce very reliable identification. Since then John has moved to Cambridge University, in the Cambridge across the pond, and perfected his ideas. His technology compresses the information about an iris to only 256 bytes, permitting easy storage and scanning of databases of large numbers of individuals. His technology is now starting to show up in the marketplace.
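To make the two points above concrete, the "reject ratio" of a biometric and the fixed 256-byte template that lets a database be scanned quickly, here is an added simulation that is not part of the column and not Daugman's code. It assumes the template is a 2048-bit code (256 bytes, as the column states) and that two codes are compared by the fraction of bits in which they differ, with a match declared below a threshold; the column does not describe the comparison, that is this example's assumption. The irises are synthetic random bit strings, a "re-scan" is simulated by flipping a fraction of the bits, and the function names are the example's own.

```python
import random

CODE_BITS = 2048  # 256 bytes, the template size the column cites


def random_code(rng):
    """A synthetic iris template: 2048 random bits (constructed, not a real scan)."""
    return rng.getrandbits(CODE_BITS)


def rescan(code, flip_fraction, rng):
    """Simulate a fresh capture of the same iris: each bit flips with
    probability flip_fraction (lighting, focus, eyelid occlusion...)."""
    noisy = code
    for i in range(CODE_BITS):
        if rng.random() < flip_fraction:
            noisy ^= 1 << i
    return noisy


def hamming_fraction(a, b):
    """Fraction of the 2048 bits in which two templates disagree (0.0 .. 1.0)."""
    return bin(a ^ b).count("1") / CODE_BITS


def matches(enrolled, probe, threshold):
    """Verification: does the probe match one specific enrolled template?"""
    return hamming_fraction(enrolled, probe) <= threshold


def identify(database, probe, threshold):
    """Identification: scan the whole database, return (user_id, distance)
    of the closest template under the threshold, or None if nobody matches.
    Fixed-size templates make this a single pass of cheap XOR/popcount work."""
    best = None
    for uid, code in database.items():
        d = hamming_fraction(code, probe)
        if d <= threshold and (best is None or d < best[1]):
            best = (uid, d)
    return best


def build_database(n_users, seed):
    """Enrol n_users synthetic irises under constructed ids user-0, user-1, ..."""
    rng = random.Random(seed)
    return {f"user-{i}": random_code(rng) for i in range(n_users)}


def error_rates(database, threshold, trials, flip_fraction, seed):
    """Estimate the two failure modes at a given threshold:
    false reject rate  - a genuine re-scan of an enrolled user is turned away
    false accept rate  - a random stranger is identified as someone enrolled
    Raising the threshold lowers rejects but raises accepts, and vice versa."""
    rng = random.Random(seed)
    ids = list(database)
    false_rejects = 0
    false_accepts = 0
    for _ in range(trials):
        uid = rng.choice(ids)
        probe = rescan(database[uid], flip_fraction, rng)
        if not matches(database[uid], probe, threshold):
            false_rejects += 1
        stranger = random_code(rng)  # never enrolled
        if identify(database, stranger, threshold) is not None:
            false_accepts += 1
    return false_rejects / trials, false_accepts / trials


if __name__ == "__main__":
    db = build_database(50, seed=7)
    for threshold in (0.05, 0.20, 0.32, 0.45):
        frr, far = error_rates(db, threshold, trials=40, flip_fraction=0.10, seed=3)
        print(f"threshold {threshold:.2f}: false reject {frr:.2f}, false accept {far:.2f}")
```

Running the script shows why the reject ratio the column complains about is a tuning problem rather than a bug: unrelated 2048-bit codes disagree in close to half their bits, while two captures of the same iris (here, 10% noise) disagree in about a tenth, so a threshold set between those two clusters rejects almost no genuine users and accepts almost no strangers, whereas a threshold set too tight (0.05) turns away everyone.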

Iris scans seem like a good candidate for this function since they are much more definable than fingerprints and do not change as people age. (It is also a bit harder to alter one's iris if one wants to hide his or her identity.) One additional advantage is that iris checkers can include a light that varies in intensity to normalize the pupil diameter, which can make the categorization even more accurate, and at the same time will ensure that Joe is still attached to his eyeball. Attempting to log in with dissociated body parts could be a problem with fingerprint or hand profile systems.

disclaimer: Other than in the med school, Harvard does not look longingly at eyes, i.e., the above are my own observations.