You hold your smartphone in front of your face, the angle and distance guided by on-screen feedback. It flashes near-infrared (NIR) light into your eyes — a brief dull-red glow. Your smartphone recognizes one or both of your irises, and unlocks itself.
At least, that’s the new smartphone login scenario. Previously seen mostly in military devices and fixed installations, iris scanning is joining other biometric authentication methods (such as fingerprint scanning, facial recognition and voice recognition) intended to move mobile devices beyond the limitations of password-based security.
How it works
The iris is the colored ring in the eyeball between the central pupil and the sclera (the outer white area). It contains muscles that control the aperture of the pupil along with interlaced ligaments of connective tissue.
While the color of the iris is determined by genetics, the patterns in the ligaments are created by random tissue folding during gestation and are unique to each eyeball. The odds of any two irises being identical has been calculated to be one in 10 raised to the power of 78. Barring injury, the patterns remain stable through life, unlike faces, voices and even fingerprints.
“There are 225 different points of comparison that are unique to each iris, compared to 40 on a fingerprint,” says Patrick Moorhead, analyst at Moor Insights & Strategy. “So iris scanning can be more accurate. And fingerprints get worn, calloused, and dirty — and in winter you have to wear gloves.”
So it’s no wonder that smartphone vendors are adding iris scanning capabilities to their new devices. As of this writing, smartphones with iris scanning included the Microsoft Lumia 950 and 950 XL, the Samsung Galaxy Note7, the Fujitsu Arrows NX-F-04G, the ZTE Nubia Prague S, and the new HP Elite x3.
As for how they work, published specifications and responses from corporate spokespeople are sketchy — for a reason. “No one is very boastful about how secure they are, since it would make them a target for black hats,” says Moorhead. “They want to keep it a mystery. The more people you tell the details to, the less secure it will be.”
Less reticent is Daehoon Kim, founder and CEO of IriTech, a Virginia-based maker of stand-alone iris scanners and component modules for smartphones.
“Due to advances in [image] capturing technology, iris scanners no longer require dedicated and bulky camera sensors and lens,” he says. “Instead, high quality iris images can now be captured using CMOS sensors, with negligible extra cost for an NIR LED.”
NIR light is needed for iris scanning because it consistently captures the textures of both light and dark irises, and shining an NIR light into the user’s eyes does not cause the discomfort that shining visible light into the eye causes, Kim adds.
Vendors add a third camera to the unit (i.e., a second one on the user-facing side) for iris scanning, explains analyst Ville-Petteri Ukonaho of Strategy Analytics, because standard digital cameras include infrared-blocking filters that would defeat NIR iris scanning. (Digital cameras are more sensitive to infrared than the human eye; without the filters, colors would be distorted, the sky would look dark, and foliage would have an ice-like sheen due to its high infrared reflectivity.)
A camera with VGA resolution (640 x 480 pixels) is sufficient to scan an iris, but to register both eyes simultaneously a higher resolution (usually 5 megapixels) is common, Kim says.
As for the possible dangers of flashing NIR into the users’ eyes, “There are none that I know of,” says Ukonaho. “The amount of infrared light is no more than would be received by walking outside on a sunny day.”
The power of the IriTech NIR LED is about 2% of the power allowed by government safety standards, Kim adds.
A Samsung spokesperson states that the company’s NIR LED turns off if the unit senses that the user’s eye is too close to the scanner, or if the NIR LED is on for more than nine seconds.
Security is initialized using both eyes but (except for the Fujitsu unit) subsequently only one eye is needed to unlock the device, Ukonaho says. Users with normal glasses can wear them during later logins but should take them off when initializing, while clear contact lenses are not an issue during either initialization or later log-ins.
However, some sunglasses, especially mirrored ones, and colored contact lenses can defeat scanning, Ukonaho continues. Other sources have admitted that glasses with scratched, high-diopter or progressive lenses can also defeat infrared scanning.
Additionally, scanning in direct sunlight can be a problem since the iris may be obscured by bright reflections on the overlying cornea, Ukonaho adds. Kim says his units have been able to control the problem with a proprietary combination of software and lens filters.
As for accuracy, Ukonaho gives the false acceptance rate (FAR, when someone other than the owner is able to log in) for iris scanning technology at one in 1.2 million, and the false rejection rate (FRR, when the owner is unable to log in) as “very close to zero.” For fingerprint scanning, FAR is usually about one in 100,000 while the FRR is about 3%, he adds.
Another example of the accuracy of iris scanning can be found in India. The Unique Identification Authority of India (UIDAI) has been conducting an on-going effort to give each of India’s 1.2 billion citizens a unique identifying number, backed by both iris and fingerprint biometrics. In 2015, the UIDAI tested ten different mobile iris scanners from different vendors, scanning 3,300 citizens who had already been enrolled to see if they could be matched in the government database. Accuracy (meaning they could be matched) averaged 99% and was as high as 99.76%. Failure to scan averaged 0.1% and was as low as 0.03%.
By the way, don’t be afraid that someone will get into your smartphone by showing it a photo of your eye. In theory, iris scanners cannot be spoofed using a picture or model of an eye (or by the movie cliché of an enucleated eyeball) since the scanners actually use short videos rather than still images, and so can spot the normal fluctuations of a live eye, explains Ukonaho.
Unlocking a device involves comparing the iris of the would-be user to the description of the iris created during initialization, in a manner similar to that used by other biometrics. Frank Dickson, an analyst at Frost & Sullivan, notes that when a password is stolen, you can change that password. But if biometric data is stolen, you’re defenseless, since there is no way you can change your biometrics.
Consequently, the approach used by the vendors is the one advocated by the FIDO Alliance (FIDO stands for “Fast IDentity Online”): Keep the biometric data within the device and never post it online. Brett McDowell, executive director of the FIDO Alliance, explains that FIDO requires that biometric data and authentication remain restricted to a co-processor on the device called the Trusted Execution Environment (TEE). Electronic wallet software also typically resides in the TEE, he adds. Since the encrypted representation of the scanned iris (and fingerprint or other biometrics) remains in the TEE, he says, there is no online repository of credentials that hackers can raid, as happens with passwords.
All the major vendors of smartphones with biometrics are either FIDO compliant or have equivalent technology and intend to become fully compliant, he says.
Steve Brasen, analyst at Enterprise Management Associates, notes that one in 11 enterprise-owned mobile devices is lost or stolen every year, and a thief could break in by figuring out the device’s password, or (if it uses a fingerprint scanner) by potentially lifting the user’s fingerprint from its exterior. But with iris scanning the hacker would have to both steal the phone and then make a surreptitious iris scan of the owner.
“It would take a covert operation to even attempt a surreptitious iris scan — you’d be getting into the James Bond world,” Brasen adds. But he also predicts the appearance of “eye-scan phishing” devices in public places that will attempt to get iris scans through false pretenses.
Meanwhile, there have been no reported cases of biometric descriptions being stolen, Dickson says.
Moorhead is more cautious about iris-based security. “Every biometric security implementation needs to be examined by third-party researchers, and that has not happened yet with iris scanning. But iris scanning should be the wave of the future if it’s as good as they say,” says Moorhead.