Iris-recognition-imaging outperforms fingerprinting

No two human-eye irises are identical, not even in the eyes of one person. This fact underscores the biometrics concept for a vision system that is gaining acceptance in security and surveillance systems as an access-control identification tool where tight security is critical.

Th Vsd51487 34

Iris-recognition-imaging outperforms fingerprinting

By Lawrence J. Curran, Contributing Editor

No two human-eye irises are identical, not even in the eyes of one person. This fact underscores the biometrics concept for a vision system that is gaining acceptance in security and surveillance systems as an access-control identification tool where tight security is critical.

Developed by IriScan Inc. (Mt. Laurel, NJ), System 2100EAC (entry access control) is catching on in security situations that require positive personal identification. This system has been licensed by several OEMs for use in

applications ranging from automatic-teller-machine (ATM) recognition to prison-inmate and visitor-security systems.

The system`s iris-recognition technology uses the unique and randomly formed features in the iris of a human eye as the key factors that allow access to a restricted facility. To "enroll" a person in the system, images of an iris are captured by a CCD camera from 10 to 12 inches away as the person stares into a camera lens. The data-capture process is similar to that of a standard camcorder. After image capture, the data are digitized, processed into an IrisCode--the clear identifier of the enrollee--and stored as the reference image for use when that person later seeks access to the restricted area.

Cletus "Boots" Kuhla, IriScan vice president and technical director, says absolute identification is accomplished in less than the two seconds required for a 4000-file exhaustive database search. Enrolling a person in the identification system takes about 30 seconds, and the accuracy is specified as one error in 1.2 million attempts.

System 2100 implements a distributed-processing network that includes a primary enroller/server unit. The host/server allows one-stop enrollment of the persons to be identified and subsequent downloading of IrisCode files to a computer located at the restricted portal node.

The system can work independently or as an integrated element of a host access-control system that also includes magnetic stripe card, smart card, keypad, or other host system. It can function in either stand-alone or networked mode and can accommodate as many as 24 stations on an Ethernet local-area network (LAN).

A typical system configuration consists of one primary server/host computer and one alternate server/host computer (see Fig. 1). The primary host is the repository of the master enrollment database. Each host interfaces with an optical unit during the enrollment process.

Hardware lineup

The System 2100 primary server/host includes a minimum 166-MHz Pentium-based computer running Windows NT, 32 Mbytes of RAM, a VGA frame grabber/VGA board, an Ethernet LAN adapter, and CD-ROM and floppy drives. The frame-grabber board connects to the optical unit over a video cable.

An optical unit is connected to each remote computational unit (RCU) for the recognition process. It contains a 1/3-in. monochrome CCD camera, an illuminator, and a liquid-crystal-display (LCD) monitor for image feedback to the user.

The illuminator uses a quartz halogen lamp and a 680-nm cutoff filter to aid in the optical unit`s image processing. An optimized illumination source allows the camera to generate the required video image of the iris.

The RCU can be mounted on a wall in a secure area near the portal node it controls. It contains a power supply, a relay board, and a PC motherboard. The motherboard contains an identical Pentium-based processor to the one in the primary server/host computer. The RCU`s motherboard also contains 3 Mbytes of flash memory, an Ethernet adapter circuit, and a video VGA/frame-grabber circuit.

The host/server performs user enrollment and distributes enrollment information to the remote units. The RCU performs the recognition function using the subset of the enrollment database and the TimeCode information downloaded to that specific RCU. The TimeCode file provides the RCU with information relating to the time and day a recognized person is permitted to enter a specific portal. If the recognition decision is made by the RCU and the TimeCode for a specific person is accepted, the RCU will command the opening of the door of a secured building or room.

Enrollment process

In enrollment mode, a preset number of eye images are captured and processed into IrisCode values. The IrisCode value from the "best" image (determined by criteria values contained in the software) is then chosen for entry into the database.

Once the identification information about the eye`s iris and the TimeCode data about the person to be identified are completed, an enrollment record is sent automatically to the applicable remote units. This process keeps the RCUs up to date, allowing immediate access to restricted portals by new enrollees.

In recognition mode, an image is captured and an IrisCode is generated. Next, the local database is searched for a match. If a match is found, a recognition dialog box is displayed that includes the recognized person`s identification information.

The RCU software runs under DOS and provides control over a portal using a local database. The local database is a subset of the master database and contains the enrollment records of those persons regularly requiring entry to that portal.

To gain restricted entry, a person initiates the recognition sequence by pressing the start pushbutton on the optical unit. An image of the presented eye is captured, an IrisCode is generated, and the local database is searched for a match. If a match is found and the TimeCode permits entry, a relay is activated that allows access to the portal. Moreover, an access event message is created, time-stamped, and sent to the host computer.

Core contributions

Three elements in the System 2100 embody IriScan`s core competencies: the iris-recognition software, the illumination source and camera lens, and the frame-grabber processor in the primary server/host and the RCUs. Kuhla says the recognition software is the enabling technology in the system.

The software comprises two segments--technical and administrative. The iris-recognition and image-processing software form the technical elements and are based on an algorithm patented by John Daugman in 1994. Daugman is currently a senior research fellow in biology at King`s College of Cambridge University in England, where he directs research in computation science (see "The roots of IriScan," p. 39).

The administrative elements--all developed by IriScan--comprise the Ethernet LAN software and the interfaces with other software platforms, such as the Windows NT and MS-DOS operating systems. IriScan uses Windows NT as the system software because of its inherent LAN support, but DOS is sufficient for the RCU function.

IriScan chose an Intel PC-based computer "because it`s the most economical for our platform," Kuhla says. Both the frame grabber and the frame-grabber motherboard processor are designed and manufactured for IriScan by IVA Corp. (Sudbury, MA). The Ethernet LAN circuits also reside on the motherboard.

The optical-unit-based illumination source/lens tandem, along with the frame-grabber processor, "all have to be optimized for the recognition algorithm to operate at the highest level," Kuhla says. A quartz halogen lamp is used for the illumination source "because it allows us to illuminate the structure of dark eyes," Kuhla explains. "We need sufficient energy to capture [that structure] with a standard monochrome video camera."

The CCD camera and lens are supplied by Computar Inc. (Commack, NY), the US representative for manufacturer Chugai Boyeki (America) Corp. (Seoul, Korea). Jim McHugh, IriScan senior engineer, says the camera and lens "met all our requirements--good signal-to-noise ratio, good resolution, and easy-to-deal-with people."

For the frame-grabber processor, IVA convinced IriScan it could do the best job of designing the frame grabber and processor. IVA also contributed expertise in the analog-to-digital (A/D) converters on the frame-grabber processor board.

However, IriScan did need help in porting the system software from Unix to C, and "IVA was able to do the whole (frame-grabber) job and the porting for us," McHugh adds. In fact, IVA designed and built the integrated Pentium-based primary server/host processor board, including the frame grabber, and the identical Pentium-based CPU in the RCU. One of the latter resides at each remote System 2100 portal.

IriScan built the first 100 of the System 2100, but has since outsourced assembly to Zober Industries (Croyden, PA). The total number built to date exceeds 200, Kuhla says. IriScan sells the System 2100 directly, as well as through distributors and OEMs who have licensed the technology. An RCU sells for $4400, and a host system with its software is priced at $6000. Kuhla says a typical system to date comprises a host with 10 remote units.

One OEM, Sensar Corp., has applied the iris-recognition technology in ATMs. Other OEMs include British Telecom, Daimler-Benz, Oki Electric Co., Lucky Goldstar, and Nippon Telephone and Telegraph.

Th Vsd51487 34
Click here to enlarge image

FIGURE 1. Typical System 2100EAC used in an Ethernet local-area network generally includes several remote computational units (RCUs) and optical units (OUs). Each RCU contains an illuminator, a CCD camera, and a lens, plus a frame grabber to record a person`s iris images for comparison to a master database of enrollees before access to a secure area is granted. An OU is connected to each RCU to execute the recognition process. It contains a 1/3-in.- format monochrome CCD camera, an illuminator, and a liquid crystal display monitor for image feedback to the user.

Th Vsd51487 35
Click here to enlarge image

Th Vsd51487 36
Click here to enlarge image

FIGURE 2. At the time of enrollment, eye images are captured and processed into IrisCode values (top). The IrisCode value from the "best" image (determined by criteria values contained in the software) is then chosen for entry into the database (bottom).

The roots of IriScan

IriScan grew out of Cletus "Boots" Kuhla`s experience with security technology, including biometrics, while he worked in the US Office of the Secretary of Defense in the mid-1970s and at an engineering consulting firm in the mid-1980s. This firm was approached by two ophthalmologists--Drs. Leonard Flom and Aran Safir--who held the conviction that a human-eye iris could be used for positive identification because, they claimed, no two eyes have identical irises. "We did a study that led to our suggesting that the doctors patent the concept," Kuhla recalls. Drs. Flom and Safir discussed their concept with John Daugman, a faculty member at Harvard University (Cambridge, MA), who volunteered to write the software that implements iris recognition.

Two patents cover the identification system. Flom and Safir got one for the concept of iris recognition as a means of identification, and Daugman received one for the algorithm and process that implements it. Daugman, Flom, and Safir then asked Kuhla and his associates to manage a company to bring iris recognition to the market, and IriScan Inc. was born. A German supplier of security systems to banks purchased the first system in 1995 to control access to a safety-deposit-box area.

A view from prison

One user convinced of System 2100`s effectiveness is Major Vince Sciotti, security supervisor at the Lancaster County Prison (Lancaster, PA). The prison purchased a system with one remote unit after a successful 90-day demonstration period that began in mid-1996.

Sciotti describes the system as "very reliable; we`ve had no misidentification problems." The facility uses the system to enroll prison inmates during inprocessing, linking their IrisCode with their inmate number. Then, whenever an inmate needs to leave the facility, for example, to go to court, a scan is done to verify that the inmate number and iris match before a security gate will open.

"We adopted the System 2100 because the iris is formed in the first year of life and never changes," Sciotti says. "We wanted something more reliable than fingerprints, which can be altered by an injury."

L. C.

Company Information

Chiugai Boyeki (America) Corp.

Commack, NY 11725

(516) 864-9700

Fax: (516) 864-9710

IriScan Inc.

Mt. Laurel, NJ 08054

(609) 234-7977

Fax: (609) 234-4768



IVA Corp.

Sudbury, MA 01776

(978) 443-5800

Fax: (978) 443-2298

Sesar Corp.

Moorestown, NJ 08057

(609) 222-9090

Fax: (609)222-9020

Zober Industries Inc.

Croyden, PA 19021

(215) 788-5523

Fax: (215) 788-2618


More in Boards & Software