By Lamont Wood
Sept. 9, 2016
Another example of the accuracy of iris scanning can be found in India. The Unique Identification Authority of India (UIDAI) has been conducting an ongoing effort to give each of India's 1.2 billion citizens a unique identifying number, backed by both iris and fingerprint biometrics. In 2015, the UIDAI tested ten different mobile iris scanners from different vendors, scanning 3,300 citizens who had already been enrolled to see if they could be matched in the government database. Accuracy (meaning they could be matched) averaged 99% and was as high as 99.76%. Failure to scan averaged 0.1% and was as low as 0.03%.
By the way, don't be afraid that someone will get into your smartphone by showing it a photo of your eye. In theory, iris scanners cannot be spoofed using a picture or model of an eye (or by the movie cliché of an enucleated eyeball) since the scanners actually use short videos rather than still images, and so can spot the normal fluctuations of a live eye, explains Ukonaho.
Unlocking a device involves comparing the iris of the would-be user to the description of the iris created during initialization, in a manner similar to that used by other biometrics. Frank Dickson, an analyst at Frost & Sullivan, notes that when a password is stolen, you can change that password. But if biometric data is stolen, you're defenseless, since there is no way you can change your biometrics.
Consequently, the approach used by the vendors is the one advocated by the FIDO Alliance (FIDO stands for "Fast IDentity Online"): Keep the biometric data within the device and never post it online. Brett McDowell, executive director of the FIDO Alliance, explains that FIDO requires that biometric data and authentication remain restricted to a co-processor on the device called the Trusted Execution Environment (TEE). Electronic wallet software also typically resides in the TEE, he adds. Since the encrypted representation of the scanned iris (and fingerprint or other biometrics) remains in the TEE, he says, there is no online repository of credentials that hackers can raid, as happens with passwords.
All the major vendors of smartphones with biometrics are either FIDO compliant or have equivalent technology and intend to become fully compliant, he says.
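The on-device model described above, as an added example (not code from the article, the FIDO Alliance, or any vendor): in Go, the device keeps the iris template and a signing key in a struct standing in for the TEE, matches a live scan locally, and signs a server challenge; the server stores only the public key, so nothing it holds can be replayed as a credential. The Hamming-distance matcher, the byte templates and the match threshold are assumptions chosen for illustration, not a real iris-recognition algorithm.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"math/bits"
)

// Device stands in for the phone's TEE: template and signing key never leave it.
type Device struct {
	template []byte
	priv     ed25519.PrivateKey
}
// Server stands in for the online service: it stores only public keys, never templates.
type Server struct{ pubKeys map[string]ed25519.PublicKey }
// hammingFraction is a simplified stand-in (an assumption, not a real iris
// matcher) for template comparison: the share of differing bits.
func hammingFraction(a, b []byte) float64 {
	if len(a) != len(b) || len(a) == 0 {
		return 1.0
	}
	diff := 0
	for i := range a {
		diff += bits.OnesCount8(a[i] ^ b[i])
	}
	return float64(diff) / float64(8*len(a))
}
// Enroll keeps the template on the device and registers only the public key.
func Enroll(user string, template []byte, s *Server) *Device {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // entropy failure at enrolment is not recoverable here
	}
	s.pubKeys[user] = pub
	return &Device{template: template, priv: priv}
}
// Unlock matches the live scan locally; only a passing match signs the challenge.
func (d *Device) Unlock(scan, challenge []byte, threshold float64) ([]byte, bool) {
	if hammingFraction(scan, d.template) > threshold {
		return nil, false // mismatch: nothing is signed, nothing is sent
	}
	return ed25519.Sign(d.priv, challenge), true
}

// Verify checks the signed challenge against the stored public key.
func (s *Server) Verify(user string, challenge, sig []byte) bool {
	pub, ok := s.pubKeys[user]
	return ok && ed25519.Verify(pub, challenge, sig)
}
```

A stolen copy of `Server.pubKeys` lets an attacker verify signatures but not produce them, which is the property the FIDO approach relies on.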
Steve Brasen, analyst at Enterprise Management Associates, notes that one in 11 enterprise-owned mobile devices is lost or stolen every year, and a thief could break in by figuring out the device's password, or (if it uses a fingerprint scanner) by potentially lifting the user's fingerprint from its exterior. But with iris scanning the hacker would have to both steal the phone and then make a surreptitious iris scan of the owner.