Second, while the iris can be used for biometric identification, so can the retina. Retina recognition identifies people by the blood vessels in their eyes. But there are complications, according to the Biometrics Institute:
“Retina recognition is one of the most accurate biometric applications but a number of common eye conditions and diseases (for example, cataracts, diabetes, glaucoma) can affect the arrangement of the blood vessels and consequently alter the pattern used for biometric recognition.”
While much of the world continues to play football, American “football” wrapped up this month at the professional level with the “Commercials, Concerts, And a Sports Show”(tm).
During the game, New England Patriots quarterback Drake Maye threw two interceptions, or throws that were received by players on the opposing team (the Seattle Seahawks).
But what if Maye were throwing iris templates? And what if the defending Seahawks used the intercepted data in injection attacks?
Bet you didn’t think I was going there.
Iris template replay attacks
Facial data (from companies such as FaceTec and iProov) isn’t the only type of data that can be protected by injection attack detection. You can inject data from any type of biometric to bypass the capture device.
One type of injection attack is a template replay attack. It works something like this:
For this example assume that I am a legitimate subject and an authorized user, and the biometric workstation captures my iris.
Rather than sending the entire iris image to the server, it converts the image into a template, or a much smaller mathematical representation.
The biometric workstation transmits this template to the server. BUT…
The evil fraudsters use some type of malware to intercept my iris template and save it for future mischief. Unfortunately, unlike a football interception seen by over 100 million people, no one realizes that this iris “interception” happened.
Later, when a fraudster wants to gain access to the biometric system, they perform an injection attack. Rather than capturing the fraudster’s iris at a workstation and sending that template to the server, the fraudster performs a “replay” and “injects” my intercepted iris template into the workflow.
The server receives my iris template, thinks I am accessing the system, and authorizes access.
The fraudster does bad things.
Iris template replay attack detection
How do you prevent an iris template replay attack?
First you have to detect it. Perhaps the system can detect that the template is not from a current iris capture, or that the template originated somewhere other than an iris workstation.
Once you detect it, you can reject it. Fraudster denied.
Of course this applies to any biometric template: fingerprint, face, whatever.
Injection attack detection, when implemented, is just another tool embedded in the biometric product.
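One way to implement the two checks described above (is the template from a current capture, and did it originate at a known iris workstation), as an added example that is not from the original post or from any vendor's product. It assumes the server issues a single-use nonce per capture and each workstation holds its own HMAC key; `TemplateGate`, `sign_capture`, the workstation ID and the key are hypothetical names and constructed values.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo key (assumption: one secret provisioned per workstation).
WORKSTATION_KEYS = {"ws-01": b"constructed-demo-key-for-ws-01"}
NONCE_TTL_SECONDS = 30


def sign_capture(key, nonce, template):
    """Workstation side: bind the template bytes to this session's nonce."""
    msg = nonce.encode() + b"|" + template
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class TemplateGate:
    """Server side: runs before any iris matching is attempted."""

    def __init__(self, keys, ttl=NONCE_TTL_SECONDS):
        self.keys = keys
        self.ttl = ttl
        self.pending = {}  # nonce -> (workstation_id, issued_at)

    def issue_challenge(self, workstation_id, now=None):
        now = time.time() if now is None else now
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (workstation_id, now)
        return nonce

    def verify(self, workstation_id, nonce, template, tag, now=None):
        now = time.time() if now is None else now
        key = self.keys.get(workstation_id)
        if key is None:
            return "reject: unknown workstation"
        # Origin check: only a holder of the workstation key can produce the tag.
        if not hmac.compare_digest(sign_capture(key, nonce, template), tag):
            return "reject: bad origin tag"
        # Freshness check: pop() makes every nonce single-use.
        issued = self.pending.pop(nonce, None)
        if issued is None or issued[0] != workstation_id:
            return "reject: replayed or unknown nonce"
        if now - issued[1] > self.ttl:
            return "reject: stale capture"
        return "accept"
```

An intercepted template and tag fail on resubmission because the nonce is already spent, and they fail against a fresh nonce because the tag was computed over the old one. The scheme assumes the key sits where malware on the workstation cannot read it; if it can, the origin check no longer distinguishes the workstation from the fraudster.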
I missed this January story. Apparently World installed an iris-reading Orb inside a San Francisco Gap store…for better visibility.
“At Gap, we believe in originality, authenticity — what makes us human,” the plaque reads. “That’s why we’re partnering with World, to bridge the gap between humans and technology.”
However, it seems to be a visibility stunt. Gap doesn’t care whether its clothing is purchased by humans, and it would be delighted to sell individuals multiple pairs of jeans, even if they had previously purchased a pair.
An interesting item popped up in SAM.gov. According to a Request for Information (RFI) due February 20, the FBI may have interest in a system for secret biometric searches.
“The FBI intends to identify available software solutions to store and search subjects at the classified level. This solution is not intended to replace the Next Generation Identification System Functionality, which was developed and implemented in collaboration with the FBI’s federal, state, local, tribal, and territorial partners. The solution shall reside at the Secret and/or Top-Secret/SCI level with the ability to support data feeds from external systems. The solution must allow the ability to enroll and search face, fingerprint, palmprint, iris, and latent fingerprints, and associated biographic information with a given set of biometrics.”
Now remember that the Next Generation Identification (NGI) system is protected from public access by requiring all users to adhere to the CJIS Security Requirements. But the CJIS Security Requirements aren’t Secret or Top Secret. These biometric searches, whatever they are, must REALLY be kept from prying eyes.
The RFI itself is 8 pages long, and is mysteriously numbered as RFI 01302025. I would have expected an RFI number 01152026. I believe this was an editing error, since FBI RFI 01302025 was issued in 2025 for a completely different purpose.
Whatever the real number is, the RFI is labeled “Classified Identity-Based Biometric System.” No acronym was specified, so I’m self-acronyming it as CIBS. Perhaps the system has a real acronym…but it’s secret.
If your company can support such a system from a business, technical, and security perspective, the due date is February 20 and questions are due by February 2. See SAM.gov for details.
Bredemarket works with a number of technologies, but it’s no secret that my primary focus is biometrics. After all, I call myself the “biometric product marketing expert,” having worked with friction ridge (fingerprint, palm print), face, iris, voice, and rapid DNA.
If I can help your biometric firm with your content, proposal, or analysis needs, schedule a free meeting with me to discuss how I can help.
“In Jordan, the apparel sector relies heavily on a large migrant workforce, many of whom lack access to bank accounts and remain unbanked. Wage payments have traditionally been cash-based…”
To facilitate cash payments to unbanked apparel workers in Jordan, IrisGuard stepped in with its EyePay product.
“Cairo Amman Bank (CAB) Jordan…has launched a national-scale biometric cash salary payment network for unbanked workers.
“With just a simple iris scan, employees can securely access their wages instantly, without the need for a bank account, PIN, or physical ID.”
I don’t think this is tied to an iris-based time and attendance system, but that is the obvious next step.