X

A solid first step toward better password protection

Eyelock's iris scanning technology makes biometrics security more affordable to consumers, even if it needs a little time to mature.

Kent German Former senior managing editor / features
Kent was a senior managing editor at CNET News. A veteran of CNET since 2003, he reviewed the first iPhone and worked in both the London and San Francisco offices. When not working, he's planning his next vacation, walking his dog or watching planes land at the airport (yes, really).
Kent German
8 min read

In a world where almost every service we use requires one, keeping track of passwords is a pain. And as incidents like Heartbleed and the Bash bug have reminded us, neither are they completely secure. Solutions like password managers and fingerprint sensors aim to alleviate the problem, but it's difficult to strike a fair balance between security and broad affordability.

That's exactly what Eyelock is hoping to do with Myris, a new computer accessory that uses iris scanning to authenticate your identity. On sale today for $280 (Eyelock has yet to announce availability outside the United States), Myris can help control access to pretty much anything on your computer that requires a password, from Web sites to your machine itself. As your eyes go, it's cheaper and less invasive than a retinal scanner, but it's only as secure as you allow it to be. As long as you have a password in hand, you can skip the Myris completely. That loophole gives me pause about its almost-three Benjamins price tag, but I give Myris credit for making the technology more readily available. Give it time to mature, and it's a start to a more secure you.

The Myris lets you manage your passwords with your eyes (pictures)

See all photos

Inside your eyes

Though it's easy to confuse the two (I certainly did when I first heard of Myris), retinal and iris scanning have only your eye in common. With the former, a laser scans the blood vessel pattern of your retina, which is the nerve layer at the back of your eye. Expensive and complicated, it's a technology that we usually see in spy movies. As such, it pretty uncommon outside a corporate research lab, FBI headquarters or a super-villain's lair.

Iris scanning, however, focuses on your iris, which is the area at the front of your eye that gives it its color and controls the amount of light hitting the retina. Every person's iris is unique (even from each other) with 240 individual markers that give it a pattern. The Myris uses an infrared video camera to capture that pattern, save it (it doesn't save a photo of your eye) and associate it with your identity. According to Eyelock, a thief wouldn't be able to fool it with a photograph of your eye, and the chance of getting a false match with iris scanning is just 1 in 1.5 million. In contrast, the company says, other biometric technology like fingerprint, voice, and facial scanners have fewer markers to work with. And while DNA may even be more secure, who wants to prick their finger each time they check their bank account?

eyelock-9536-008.jpg
The Myris has a simple, elegant design. Josh Miller/CNET

Design

Eyelock says that it spent a lot of time thinking about the Myris's design and it shows. Indeed, I very much approve. About the size of a hockey puck, it measures 3 inches in diameter (76.2mm) and is 1.18 inches thick (30mm). It's top surface is covered in an attractive, light blue soft-touch material with a small Eyelock logo. It fits comfortably in my hand thanks to the rounded top rim, and it weighs just 3.2 ounces (90.1 grams). I asked an Eyelock rep if the company had considered making the Myris smaller to keep it even more portable, but he replied that research showed that most people preferred a device the size of an average adult's hand.

On the bottom, the Myris has a black translucent plate with a circular mirror near the center. Above that is the lens for the scanning camera. The sturdy USB cable is a generous 4.5 feet (1.4 meters) long and has a handy Velcro tie that will keep it from getting tangled.

eyelock-9527-005.jpg
Look into the small mirror to start the scan. Josh Miller/CNET

Getting started

Setting up the Myris is easy. You need only to take it out of the box and plug the USB cable into your desktop or laptop. Currently, Myris is compatible with Windows 7, 8, and 8.1, and Mac OS X 8.5 and 9.1. Linux support is slated for a future release. True compatibility with mobile devices is also to come as Myris has yet to support either iOS or Android.

After you plug in the cable, you'll be prompted to install the software, which takes just a few minutes. You'll then have to register your name and email, both within the software and on Eyelock's Web site. I'm uncertain why I had to register in both places, but it wasn't taxing. You can store up to five user identities on one Myris and move it between computers.

The software then asks you to create your unique Eyelock ID by capturing your initial iris scan. There's a video to show you the ropes, which is helpful since it took a few minutes to get the hang of the process (more on that in a minute). To start, you should hold the Myris about 8 to 10 inches away from your face while looking directly at the mirror. The color of the lighted ring surrounding the mirror will indicate the Myris's status. White tells you that it's ready to scan, blue shows that the scan is in progress, and green means that the scan is complete. If you see red, you'll need to try again. If you wear glasses you'll have to remove them for the initial scan only. On the other hand, you can leave contact lenses in, unless they're distinctly colored.

eyelock-9530-006.jpg
It may take a few minutes to complete the first scan. Josh Miller/CNET

Scanning your iris

The scanning process is remarkably dull, being most akin to taking an ID photograph. Besides the colored ring, two blinking red lights behind the bottom plate are the only indication that it's working. Though I like that the process feels so distinctly low-tech -- I doubt that anyone wants a laser shining in his eyes -- I also had some trouble knowing that it was working. For example, the colored ring would often alternate back and forth between white, blue, and green in just a few seconds. Though green does mean that the scan completed successfully, it was still confusing to see the Myris cycle through several status colors so quickly. Perhaps I was being too cautious, but a short tone to confirm the a proper scan would be helpful. And while software also tells you that you're all set, I didn't want to interrupt the scan by looking away from the Myris to check my laptop.

That's not to say that the scanning process didn't work. Almost every time it did, but some scans took longer than others. The instructions advise you to move the Myris toward and away from your as you take a scan, which did make a difference since the camera lacks an auto-focus. That said, I found it more critical to look directly at the mirror while holding it at the same level as your eyes. If I tried to look at it while looking down, up or to the side, I had more trouble. It was impressive, though, that it could complete a scan in a dark room. And in case you're wondering, Eyelock says it is possible to use Myris even if you have only one healthy eye. Of course, that's something I couldn't test.

Authorizing your accounts

Once you've installed the software and have registered your initial scan, you can begin linking your accounts to Myris. At present, you can use the device to control online access to an unlimited number of Web sites, but also to your computer's OS, applications like Windows Messenger and Skype, and startup programs. You can't use it with VPNs, system accounts or servers.

When choosing the Web sites option, popular services like Google, Facebook and Twitter are conveniently listed as options, but you aren't limited to just those three. Eyelock promises that you can add any site that require a password, like your bank or Amazon. Just note that while Myris supports Chrome, Explorer and Safari on both Mac and Windows, Firefox support is limited to Windows machines for now. Eyelock says Mac Firefox support will come later.

I was able to connect both my Google and Twitter accounts easily. Keep in mind that I used my home computer (a Lenovo Windows 7 laptop) since I'd have to involve CNET's IT department to use Myris on my work machine. When I selected the Twitter and Google options, the software opened the corresponding Web page before prompting me to enter my account information. After I did that, it then took another scan to establish the link.

When I tried to go back into either account after logging out, a popup window instructed me to use Myris to log in. Then, another scan was all it took to automatically populate the username and password fields automatically and log me in, Here again, the green light indicates a positive match. All in all, it was pretty quick and painless. And when I tried to fool Myris by scanning my husband's eyes, it wouldn't allow access (a red ring will indicate a false match). If you're using two-factor identification on a site, Myris cannot populate the auto-generated second field (naturally).

Eyelock says that all linked passwords are stored locally on the Myris device and not uploaded to the company's services. That will offer a stricter level of security, and the company says you can access them only through the software and another iris scan. That said, nothing is 100 percent safe so it's better not to lose your device. And if you do, you should reset any password associated with it (a smart move anyway when you lose a gadget).

One big loophole

As I mentioned, I was able to bypass the the iris scan simply by entering my normal username and password. If I did so, I'd see small message that said, "Please look at Myris to update your account info". Only another scan would make it disappear, but that message did not prevent me from reading and sending both emails and tweets. In other words, I could get full use out of both sites. Eyelock says that this is designed behavior, which makes makes me wonder what the point of Myris is if someone happens to obtain your password and your machine. Sure, I recognize the chance of that happening is small, but it's not something to disregard. Hopefully, we'll be able to see Eyelock's technology built into hardware at some point to make the iris scanning not so easy to bypass.

There were a couple of other quirks that were only mildly distracting. On a couple of occasions, I found that my computer didn't always register that the Myris was plugged in. Granted, that can happen with peripherals of all types. Restarting the software, unplugging the Myris and plugging it back in, or restarting my computer would set things right. Another minor quirk is that whenever I used Myris to log into my Gmail, it would automatically open another browser window with the Gmail log-in screen.

Outlook

After using Myris for a few days, I see its potential. It's a unique and promising technology, and I welcome an effort to deliver cheaper and and stricter security to consumers. Even with the time it took to learn the scanning process, it performed well without being overly complicated. Eyelock's technology is already used at the enterprise level, so the company has the depth of experience that builds confidence.

As long as you're ware of the easy way a scan can be bypassed, I could see the Myris finding a place with the security-conscious (which should everyone, really). Yes, you will need more than a few bucks to buy it, but I'm hoping that Eyelock can lower the entry cost in the near future.