Last year, a video posted by the German hacker group Chaos Computer Club (CCC) made headlines around the world by revealing the dangers of iris scanning. The group successfully defeated the iris-recognition security feature of Samsung’s Galaxy S8 smartphone less than a month after it went to market.
A security measure with an inherent risk
Using a dummy artificial eye, CCC easily unlocked the phone. The hack raised many concerns around the added security threat of such technology stemming from the fact that irises tend to be, by their very nature, very exposed.
“The security risk to the user from iris recognition is even bigger than with fingerprints as we expose our irises a lot. Under some circumstances, a high-resolution picture from the internet is sufficient to capture an iris,” said CCC spokesman Dirk Engling in a blog regarding the hack.
Now, Mateusz Trokielewicz at Warsaw University of Technology in Poland and his colleagues have come up with a system that may prove a solution to the technology’s inherent risk. The team undertook a rather creepy experiment that saw them train a machine-learning algorithm on a database of iris scans from living and deceased people to tell the two apart with 99% accuracy.
The system employed the Warsaw BioBase PostMortem Iris dataset, which includes 574 near-infrared iris images collected from 17 individuals between five hours and 34 days after their death. The team contrasted that data with 256 images of live irises they collected.
To ensure the system was not influenced by differences between cameras, the researchers captured the live images with the same iris camera used on the cadavers. They further evaluated the dataset for any obvious bias in the images that may affect the algorithm.
One issue they found was that the eyelids of deceased people are held open by retractors, which changes the way the irises photograph. To eliminate this possible bias, the researchers cropped the images very tightly so that only the irises showed.
Their work proved successful in the accurate detection of deceased versus live irises. “No post-mortem sample gets mistakenly classified as a live one, with a probability of misclassifying a live sample as a dead one being around 1 percent,” further stated the paper.
Could it apply to fake irises?
The research, although promising, does not tackle the issue of artificial irises. It could be speculated that if a system can tell a deceased iris from a live one, it may be able to tell a real one from a fake one as well.
Iris scanning is an in-demand technology, with many companies such as Samsung touting its benefits. "Iris authentication is one of the safest ways to keep your phone locked and the contents private," says Samsung's Galaxy S8 page.
In fact, Samsung just last month announced they would be replacing their fingerprint security technology with iris scans for their Galaxy Tab S4.
If Trokielewicz and his team can prove their algorithm can be as efficient in detecting fake irises, they would see their product become very commercially viable.
The paper was published on the preprint server arXiv.org.