Naked Security

Fujitsu ships first phone with eyeball-scanning authentication

Fujitsu claims its new phone, the Fujitsu Arrows NX F-04G, is the first ever to use iris scanning to replace passwords or fingerprint readers. Time to ditch passwords?

You don’t have to read Japanese to glean Fujitsu’s point in the video ad for its new mobile phone: frowning, furrowed-brow people locked out after forgetting their passwords get smiley after their phones scan their irises to authenticate them and unlock.

Fujitsu is claiming that its new phone, the Fujitsu Arrows NX F-04G, is the first in the world to use iris scanning to replace passwords or fingerprint readers.

Iris scans are thought to be a worthwhile means of biometric authentication given that our irises are, as far as we know, unique.

Fujitsu might be the first to put an iris-scanning phone on the market, but it will probably be a close race, given that just about everybody in the mobile phone world is thought to be looking into iris scanning for authentication.

That includes Samsung, which isn’t using iris recognition for login, but instead seems to be looking to offer the feature on specially customised devices to help security staff and similar identify other people.

The Register reports that Fujitsu’s phone, first displayed at Mobile World Congress earlier this year, has a front-facing camera that doubles as a biometric iris scanner to replace passwords for operating the phone and its apps.

As the demo video shows, the software zooms in on the irises, matches them to the version stored internally, and then grants (or denies) access.

The Register’s Iain Thomson noticed that the camera specs seem a bit switched around: the back-facing camera is a 21-megapixel unit, while the iris-scanning front camera runs on a measly 2 megapixels, meaning “either the iris-scanning software is very good or someone at Fujitsu economized a little too much.”

At any rate, it is now time to sit back and wait for somebody to figure out how to trick this futuristic eyeball-scanning technology.

It will be interesting to see how long that takes, given that this and other forms of biometrics have already been bypassed with remarkably simple techniques.

One method comes from security researcher Jan “Starbug” Krissler of Germany’s well-known Chaos Computer Club (CCC).

You might remember Krissler from back in December, when he showed off a clone of the thumbprint of German defense minister Ursula von der Leyen, as created from photos of her hands, commercial fingerprint software, and glue or latex.

The CCC documented this technique for creating a “fake finger” back in 2004, and the CCC biometrics team claimed to have used it to also crack Apple’s Touch ID system in September 2013.

Krissler told Forbes that a related attack that uses high-resolution images – suitable photos of political leaders such as Vladimir Putin or Barack Obama are easily found in Google searches – can fool some iris scanners.

That opens up the door to the possibility of someone impersonating a cleared individual at, for example, a security checkpoint, by wearing a fake iris that portrays the pattern of the original trusted individual.

There are actually several ways to spoof an iris scan.

One way is a printed contact lens with a fake pattern placed directly on somebody’s eye.

Another method is a lens with a painted iris on it, and yet another is to surgically implant a colored iris in front of a person’s real iris: something done when people want to change their eye color, but also when they’re trying to hide their identity.

Then too, there’s chemically induced pupil dilation, taken to the extent that the iris pattern is rendered unrecognizable by a scanner.

Whatever the tricks available, I’m willing to bet that the CCC and others are already messing with Fujitsu’s new phone.

As always, we’ll let you know if we hear anything.

Image/video courtesy of nttdocomo.co.jp

0 Comments

I feel like any of these biometric options will always need a backup like iOS and the fingerprint scanner. Until these technologies improve to the point there is NEVER a false positive or negative, a need will exist for alternative ways to identify yourself. However, this could serve immediately as an excellent two factor authentication, making your phone even more secure. It simply isn’t ready to replace passwords yet, in my opinion.

Reply

Both fingerprint and iris scans seem to be very bad ideas. Wouldn’t it be better to just check voice print? You can be asked to recite a line so the only basic loophole will be technology that replicates one’s voice.

Reply

Doesn’t that pose the same vulnerability as discussed in this article? Take recordings that politicians have given and use software to mash up the speeches to say whatever the phone prompts for when “authenticating” the voice. Also, what if it’s a fixed statement that you say to your phone and someone records you saying it? Now they can simply play it back and your security is by the wayside.

Reply

I think the real problem is that in terms of error rates, voice recognition has error rates worse than iris recognition.

Of course, if you want to prevent replay attacks, and you do so by presenting a unique phrase every time, then it seems you are asking for voice recognition (did the right voice say what was recorded) *and* voice transcription (did the voice say the unique phrase, or one it prepared earlier), which is doubly (quadruply?) hard.

Reply

What about if you have a cold or too much ale the night before or lose your voice?
Too many ways for this to fail to be reliable.

Reply

I think this is a good idea, both because the equal error rate for iris scans is much better than any other biometric, and because it is much harder to make a recording to fool the scanner.

Consider an evil maid attack. For fingerprint scans she can dust the phone, or your room for prints, and use them to make a silicone finger that will fool most scanners. Likewise with voice unlock she could leave a bug to record the unlock password, and use it later. (using a different unlock phrase every time helps a bit, so long as the evil maid is not employed by GCHQ, who can use voice morphing tech).

But for an iris scan, someone would need to get in your face with a high quality camera to get a good enough picture. Most people would notice that unless they are a politician or celebrity.

In other words, I think that this is a good biometric to unlock phones because it is effective against casual attackers, and uses an existing feature (the front facing camera) of the phone, rather than need a new sensor that will add to the cost.

Any security measure can be defeated by a sufficiently resourced attacker; the point is to invent something that will stop thieves, noisy flatmates and the like, while at least slowing down or making things expensive for state sponsored attackers.

Reply

Good point.

As an annotation, the “equal error rate” is a sort of synthetic measurement for comparing two “pass/fail” technologies such as biometric scanners.

You adjust the settings until the false positive rate (the “offender” rate – I let through a baddie) and the false negative rate (the “offended” rate – I blocked a genuine user) are equal. Then you see how well the thing performs.

This helps to avoid claims such as “this product is capable of a zero false positive rate”, which is trivially but uselessly true if you block everyone, or “offend your legitimate customers only once in every 1,000,000 uses with our product” which may require you to be dangerously ineffective against fraud.

As an observation, I am not so sure that with modern digital cameras it is *that* hard to get a decent iris image from a potential victim. If Fujitsu can do it with a mobile phone selfie camera – let’s assume it’s 2,000,000 pixel front-facing fixed-focus camera with a minuscule lens – then you might reasonably assume that a recent prosumer camera could do it from a few metres away. (I recently saw an ad for a Nikon camera with an 80x mechanical zoom and quite respectable light-gathering stats.)

Reply
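
The equal error rate described in the comment above, worked through as an added example (not code from the article or from any commenter). The matcher scores are constructed sample data and the function names are hypothetical; it assumes a scanner that accepts any comparison scoring at or above a threshold.

```python
# Constructed similarity scores from a hypothetical matcher (higher = closer match).
GENUINE = [0.91, 0.88, 0.85, 0.80, 0.78, 0.74, 0.70, 0.66, 0.58, 0.45]
IMPOSTOR = [0.12, 0.18, 0.22, 0.27, 0.31, 0.36, 0.40, 0.48, 0.55, 0.62]


def error_rates(genuine, impostor, threshold):
    """Return (false_positive_rate, false_negative_rate) when scores >= threshold are accepted."""
    false_pos = sum(1 for s in impostor if s >= threshold) / len(impostor)
    false_neg = sum(1 for s in genuine if s < threshold) / len(genuine)
    return false_pos, false_neg


def equal_error_rate(genuine, impostor):
    """Try every observed score as the threshold; return (threshold, rate) where the two rates are closest."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        fpr, fnr = error_rates(genuine, impostor, t)
        gap = abs(fpr - fnr)
        if best is None or gap < best[0]:
            best = (gap, t, (fpr + fnr) / 2)
    return best[1], best[2]


def lowest_zero_false_positive(genuine, impostor):
    """Lowest observed threshold that admits no impostor, and the false negative rate it costs."""
    for t in sorted(set(genuine) | set(impostor)):
        fpr, fnr = error_rates(genuine, impostor, t)
        if fpr == 0:
            return t, fnr
    return None


if __name__ == "__main__":
    t, eer = equal_error_rate(GENUINE, IMPOSTOR)
    print(f"equal error rate {eer:.0%} at threshold {t}")
    # A "zero false positive" setting is always reachable by rejecting everyone.
    print("block everyone:", error_rates(GENUINE, IMPOSTOR, 1.01))
    # Never rejecting a genuine user lets impostors through instead.
    print("never offend a user:", error_rates(GENUINE, IMPOSTOR, 0.45))
    print("lowest zero-FP threshold:", lowest_zero_false_positive(GENUINE, IMPOSTOR))
```
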

If the phone camera is fixed focus, then I would agree with you, but if it is auto-focus, with a decent macro facility, then the user would be able to get it very close to their eye to get a much better iris scan than would be possible with any normal camera from a sensible distance.

For example, I dare say that with a bit of practice, you could hold the phone sideways about three inches from your face, to take a scan of your non-dominant eye, while looking at the screen with your dominant eye to frame the picture.

Reply
