The following text is copyright 1998 by Network World, permission is hearby given for reproduction, as long as attribution is given and this notice is included.

It's so hard to know you

By Scott Bradner

The biggest computer and network security problem yet to be solved
is coming up with a sure way to determine who a particular user is.

Most computer technology users are not individually identified
beyond having physical access to a PC. This is far from sufficient in
business environments or on the Internet.

In these cases most users prove their identity by knowing a few facts.
Knowledge of a log name and password, often buried deep in some
auto-login script, is all that differentiates one user from another. If
you use a security system like this and if I were to find out your
logname-password combination, I could pretend to be you. Your
system would not be able to keep me from doing anything that you
are permitted to do.

Many approaches are being tried to augment this loose level of
identification. Most common is the use of physical tokens along with
some piece of knowledge.

Automated teller machine cards are a simple example of this.
Someone stealing your card would not be able to use it without
knowing the associated personal identification number. One problem
with this type of system is that people can lose their cards. It would
seem to be ideal to be able to use something that the individual would
have a very hard time losing, such as a body part.

There has been a lot of work on biometrics, the technology of using
physical characteristics to identify individuals. All sorts of systems
are available using fingerprints, voice recognition, hand profiles and
retinal scans. (You've probably seen the retinal scan units - you look
into a little hole and if you are not the right person it pokes you in the
eye.) Unfortunately, a consistent problem with biometrics systems is
that they have a high reject ratio - they tend to misidentify people too

In the early 90s John Daugman, then an assistant professor at
Harvard University, showed me results from some of his experiments
involving the use of iris scans to identify people. He showed that
these scans could produce very reliable identification.

Since then, John has moved to Cambridge University across the
pond, and perfected his ideas. His technology compresses
information about an iris to just 256 bytes, permitting easy storage of
the data and scanning of databases holding information on large
numbers of individuals. His technology is now starting to show up in
the marketplace.

Iris scans seem like a good candidate for computer and network
security since they are much more definable than fingerprints and do
not change as people age. (It is also a bit harder to al- ter one's iris if
one wants to hide his or her identity.)

One additional advantage is that iris checkers can include a light that
varies in intensity to normalize the pupil diameter. This can make the
categorization of people even more accurate as well as ensure that Joe
is still attached to his eyeball. Attempting to log on with dissociated
body parts could be a problem with fingerprint or hand profile

Disclaimer: Other than in the medical school, Harvard does not look
longingly at eyes, i.e. the above are my own observations.