Mobile Device Biometrics: The Eyes Have It

With so much of our banking and interactions taking place on our mobile phones, we still live with a false sense of security because it doesn't take much for someone to hack our phones. By using more unique identifiers — biometrics such as eyes, rather than passwords — corporations and banks may have a more secure way to authenticate our identity.

EyeVerify makes biometric technology which uses eye vein patterns. CEO Toby Rush says "no one can pretend to be you with an eye print. Most eye verification technologies lack 'liveness' detection. With EyeVerify, you can't fake it with photos or videos. You have to stand in front of your camera on any smartphone."

EyeVerify implements a vein biometrics system that only requires software and the device's camera. It allows mobile users to authorize transactions and access secure information. Using the camera on the phone, the software can determine 4 ROIs (regions of interest) in your eye, sending a pass/fail and a confidence interval. If it passes, you are granted access to the application. If it fails, access is denied.

EyeVerify segments images to find regions of interest (ROI). There are 4 ROIs to segment (left and right side of each eye).

The technology came out of academic labs in 2005, after Dr. Reza Derakhshani, University of Missouri-Kansas City (UMKC), and Dr. Arun Ross, West Virginia University (WVU) had developed the technology to identify people by their eyes. Rush saw an opportunity to commercialize it and decided to license the researchers' patent that uses the blood vessels in the back of the eye. As Rush sees it, it's a way for companies to build services that allow their phones to be secure without adding any hardware requirements.

Even in a BYOD scenario people can use personal phones and have biometric access to access corporate documents, Rush said. He also sees applications in healthcare, where doctors and nurses or patients can access their records. Or in online education, it can let teachers know who is taking the test. Even in logging into social networks such as Facebook, it can authenticate who is online. With EyeVerify, banking applications and others can use the 'liveness' factor for authentication. By using the camera, the software can detect if there's a person there depending on the focus and exposure and white balance.

Banking in particular could benefit from a more secure system. Most people don't like to use mobile banking because they have security concerns, Rush said, and EyeVerify can give them the confidence they need.

As we live our lives more online, protecting our digital identify becomes that much more important. Rush said that in emerging markets such as Nigeria and Indonesia, identity is the biggest issue in combating fraud. Biometrics are not expensive, but have had false starts in the past. For instance, biometric technology that used the retina as verification never really took off. Airports are using the iris and the color of the eye, but that requires an expensive hardware component.

"We are looking at the whites of the eye. For corporate applications for authentication, the user would hold the camera away from the face, look left or right and EyeVerify would process it in a few seconds. The software would respond to calling application and either confirm or deny who you say you are. The entire process takes about 4 seconds.

Security researcher Dan Kaminsky said, "Biometrics have long been seen as a possible solution to the authentication crisis, as we're all enrolled merely by virtue of having bodies. The field has struggled, however, due to problems of deployment (you have to have readers everywhere), accuracy (it's surprising how little uniqueness there is in voices and faces), and security (you leak your biometrics everywhere you go). EyeVerify is interesting in that they're leveraging the ubiquity of cell phones with high resolution cameras to solve the problem of deploying readers, and that they're using one of the few biometrics that is in fact highly unique, and thus effectively discriminates between many users. That being said, like all biometrics, you expose your eyes frequently and in public."

Another eye verification company called Iris Guard allows customers to conduct banking or buy and pay with their eye, claiming to eliminate identity theft and fraud. Iris Guard uses an iris biometric camera, rather than the whites of the eyes. Even 24 Hour Fitness is using fingerprints to identify people to cut down fraud and to save money on printing plastic cards. While there's no such thing as absolute security, using more unique ways of identifying that you are who you say you are will get us that much closer to fail-safe security. And with the popularity of mobile phones and good cameras in them, EyeVerify may be a step in the right direction. In general, people don't like having to go through inconvenience to lock down their phones, so they will have to make sure the process of verifying your eye is quick and easy to use. EyeVerify says that their iPhone version is done, and is in beta. The Android application will be completed this month.

Kaminsky casts some doubt on Rush's claim that eye prints can't be faked: "Their pattern can be captured surreptitiously, and replayed forever with no possibility of revocation. But if the only people who have to worry about hacking you are those who can get within a very short distance away -- realistically, that's something of a win. Liveness checking never really works. But it doesn't matter -- if their accuracy is reasonable, they're useful. (It can't work because the pattern is static and effectively 2D. But seriously, they just need to try.) Interestingly, they're slightly worse off than fingerprints, as high resolution photos of your fingers are rarely published while eyes may very well be."