A Boston hotel called Nine Zero is using biometric iris scanning to replace room keys, allowing guests to gain access to their rooms with just a quick flash of the eyeball. Using a system from LG, first-time guests have a picture of their iris scanned; the picture is quickly encrypted to a hashed numeric code and the source image is deleted (meaning they don’t keep a copy of your iris on file, just the results a scan of your iris would provide). Because the data can be held on to indefinitely, returning guests can make reservations and gain access to their rooms without ever talking to a clerk, booking a room by email and getting their room number in response.
Your Iris is the Key [HotelChatter]
Dan Kaminsky, who would know about such things, has this to offer:
It is repeated that hashes generated by biometric systems cannot be reversed back into the biological component to be recognized in the future. This claim is false. Several researchers have noted that biometric algorithms, implementing fuzzy matches against fundamentally noisy data, must inherently make their decisions with some level of confidence. While the level of confidence is usually exported to administrators to determine how precise the system has to be to allow or reject a given candidate, it can also be used by an attacker to discover whether a given small change in a sample biometric element (say, making a person’s lips wider) makes that person look more or less like the hashed target. This approach is generally devastating, and has been used to great effect to attack fingerprint readers (http://chris.fornax.net/biometrics.html) and face recognizers (http://www.site.uottawa.ca/~adler/publications/2003/adler-2003-fr-templates.pdf).
Irises are not likely to be an exception.
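To make the point about confidence values concrete, here is a toy model added for illustration (it is not code from LG, the hotel, or the cited papers). It assumes the stored template is a 256-bit string and the matcher's confidence is the fraction of matching bits. It compares what a matcher gives away when it returns that confidence with what it gives away when it returns only accept or reject.

```python
import random

N_BITS = 256       # constructed toy template size, not a real iris-code length
THRESHOLD = 0.90   # assumed acceptance threshold


class ToyMatcher:
    """Holds a secret enrolled template; stands in for the stored 'hash'."""

    def __init__(self, rng):
        self._template = [rng.randint(0, 1) for _ in range(N_BITS)]

    def score(self, sample):
        """Confidence in [0, 1]: fraction of bits that match the template."""
        same = sum(a == b for a, b in zip(self._template, sample))
        return same / N_BITS

    def decide(self, sample):
        """Accept/reject only; says nothing about how close a miss was."""
        return 1.0 if self.score(sample) >= THRESHOLD else 0.0


def climb(oracle, rng):
    """Change one bit at a time, keeping changes the oracle rates as better."""
    sample = [rng.randint(0, 1) for _ in range(N_BITS)]
    best = oracle(sample)
    for i in range(N_BITS):
        sample[i] ^= 1
        new = oracle(sample)
        if new > best:
            best = new
        else:
            sample[i] ^= 1  # revert: the change did not help
    return sample


def run(seed=1):
    """Return (accepted_with_confidence_output, accepted_with_decision_only)."""
    rng = random.Random(seed)
    m = ToyMatcher(rng)
    with_score = climb(m.score, rng)
    decision_only = climb(m.decide, rng)
    return m.decide(with_score) == 1.0, m.decide(decision_only) == 1.0
```

In this model the stored template is fully reconstructed from the confidence output in 256 queries, while the same number of accept/reject answers moves the guess nowhere.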