
“Look at me” – forget fingerprints, here comes a Samsung tablet with iris recognition

US research institute SRI has inked a deal with Samsung to build a tablet with built-in iris recognition. Samsung's S5 fingerprint reader was cracked PDQ...wonder how long your eye-prints will hold up?

A press release just issued by SRI International suggests that future Samsung mobile devices may be moving towards iris recognition for biometric authentication.

Details are scant, but the gist of the release is that SRI has just concluded an exclusive licensing deal for its Iris on the Move (IOM) technology with Korean electronics giant Samsung.

SRI was originally called Stanford Research Institute, and is a spin-off from the prestigious Stanford University.

SRI is perhaps best known in recent times for a spin-off of its own that was named after it, at least phonetically: Siri.

Siri – amusingly, an anagram of Iris – was bought by Apple in 2010, and is now the core of Apple’s dictation system on OS X and iOS.

Unsurprisingly, Apple’s acquisition of Siri brought development of the Android and Blackberry versions of the product to a halt.

Now, it seems, SRI has a foot back in the Android camp following the announcement of this agreement with Samsung.

IOM’s debut

The IOM system will debut to the mobile market, says SRI, in a customised Samsung Galaxy Tab Pro 8.4 tablet.

Interestingly, the marketing photo in SRI’s press release suggests that the first outing of iris recognition will not replace fingerprint reading as a means of letting you log in to your own device.

The photo shows the user of a mocked-up tablet pointing the rear-facing camera at someone else’s face from about 30cm away, rather than looking into the device’s front-facing camera herself.

The tablet’s screen shows an image of the target, with zoomed-in details of his eyes underneath.

In other words, it looks as though the primary application will be to help security staff identify other people, much like an Automatic Number Plate Reader (ANPR) camera identifies passing vehicles.

How it works

Iris recognition uses an image of the surface of the eye, analysing and classifying the image based on the appearance of the iris itself.

The iris is the pigmented part of the eye, responsible for controlling the diameter of the pupil and thus the amount of light entering the eye.

Like a fingerprint, each iris is supposed to be unique in respect of the patterns in it, so with enough detail, an iris “eye-print” ought to be a strong identifying factor.

Indeed, SRI claims, though without linking to any evidence, that its “purely iris-based solution [is] more than 1,000 times more accurate than published fingerprint data.”

That may be so, but the question nevertheless remains, “Can it be fooled?”

After all, the fingerprint reader in Samsung’s S5 smartphone fell to crackers pretty quickly after it was launched.

In that attack, the researchers didn’t even have to start from scratch.

Apparently, they simply re-used a wood-glue fingerprint replica they’d made six months earlier when they were trying to crack the fingerprint reader on Apple’s iPhone 5s.

Latex eye, anyone?

Image of iris from Wikimedia, courtesy of Smhossei. (Licence: CC BY 3.0.)


From what I’ve read, it’s still pretty secure. Unless of course, a hacker were to obtain the generated code created by the iris, reverse engineer it, and then cosmetically engineer a match, they may succeed. NIST has shown in 2012 that iris scanners are 90-99% accurate. Other research has shown that the iris actually changes over time. “2.5 iris scans in 2 million will be incorrectly matched after three years.”

If the match is at least 90% accurate and the code is <3 years old, sounds like they might have a hack. Otherwise, you might be better off reenacting the Minority Report.


(Your numbers are incommensurate. On one hand you’re suggesting that iris scanners might have error rates as high as 1 in 10. On the other hand you are talking about error rates of 1 in a million. I don’t think those numbers really belong together.)

It’s not so much about how well an iris recogniser can match the image of an iris. It’s how accurately it *rejects* an image of an iris that wasn’t captured right now from a living, walking, talking person.

After all, an iris scanner works by analysing an image of your eye. So, what if you show it an image to start with (e.g. a hi-res photo), rather than a real, live eye?

What if you buy one of SRI’s existing IOM products (such as the handheld ones that are sold to the police for ID checks at traffic stops), open it up and check out the optics to figure out exactly what quality of image it needs?

Perhaps that’s why the marketing material doesn’t show the tablet identifying you to let you log in, but instead shows you using the tablet to help identify someone else. Perhaps it needs the additional human input to confirm that it was a real person being scanned?


Most biometric systems can be tuned to adjust the false accept rate and false reject rate depending on your needs. (In banking this is sometimes known as the fraud and insult rates).

In summary, if you can tolerate a high false reject rate, you can have a correspondingly low false accept rate, or vice versa. In some applications you want a very low false accept rate, but if you tune your system to be so strict that there are lots of false rejects then people will start ignoring & working around it.

For example, suppose you are using Iris scans as a security measure on the employee entrance of your jewellery factory. You might be tempted to tune the system to have the lowest false accept rate possible, but if that means that one in ten of the incoming shift each day get rejected then it will be easy for a villain to convince the security guard on the door to let them in anyway.

In the case of Iris scans there is a third factor, which is if the subject is cooperative, and if you can control your environment. So if you want to identify everyone in a passing crowd (a bit like in the film Minority Report), then a lot of scans will fail due to sunglasses, hats and the like, but if you have a cooperative employee who wants to gain access to a secure area, then you can ask them to remove their glasses, push aside their hair, and look into the scanner.

Overall, with Iris scans, the equal error rate, for cooperative subjects is about 1 in a million, which makes it the best biometric available by a large margin.
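The trade-off described in the comment above, worked through as an added example that is not part of the original comments. The dissimilarity scores, the accept rule and the function names are constructed for illustration and do not describe SRI's or any vendor's matcher.

```python
# Constructed sample data: dissimilarity scores from a hypothetical matcher
# (0.0 = identical templates; a comparison is accepted when score <= threshold).
GENUINE = [0.10, 0.12, 0.15, 0.18, 0.20, 0.22, 0.25, 0.28, 0.31, 0.36]   # same eye
IMPOSTOR = [0.30, 0.38, 0.40, 0.42, 0.44, 0.45, 0.46, 0.47, 0.48, 0.50]  # different eyes


def rates(genuine, impostor, threshold):
    """Return (false accept rate, false reject rate) at one threshold."""
    far = sum(s <= threshold for s in impostor) / len(impostor)
    frr = sum(s > threshold for s in genuine) / len(genuine)
    return far, frr


def sweep(genuine, impostor):
    """Evaluate every observed score as a candidate threshold, strictest first."""
    return [(t, *rates(genuine, impostor, t)) for t in sorted(set(genuine) | set(impostor))]


def equal_error_point(genuine, impostor):
    """Threshold where FAR and FRR are closest: the equal error rate (EER)."""
    return min(sweep(genuine, impostor), key=lambda row: abs(row[1] - row[2]))


def loosest_threshold_with_far(genuine, impostor, max_far):
    """Most permissive threshold whose FAR stays within max_far, or None."""
    ok = [row for row in sweep(genuine, impostor) if row[1] <= max_far]
    return ok[-1] if ok else None


if __name__ == "__main__":
    for t, far, frr in sweep(GENUINE, IMPOSTOR):
        print(f"threshold={t:.2f}  FAR={far:.0%}  FRR={frr:.0%}")
    print("EER point:", equal_error_point(GENUINE, IMPOSTOR))
    print("Zero false accepts costs:", loosest_threshold_with_far(GENUINE, IMPOSTOR, 0.0))
```

On this constructed data, insisting on zero false accepts turns away two of ten legitimate users, which is the situation the comment says leads staff to work around the scanner.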


But is iris scanning 1000x better than fingerprint scanning *assuming an unsupervised scan*, as happens when you use an iPhone’s TouchID scanner to log you in?

What stops me just presenting an image of the owner’s iris?

Granted, you don’t leave iris images on every glass surface you touch, like you do with fingerprints. But SRI’s IOM product range already includes portable iris scanners that can work at a distance – their IOM advertising blurb shows a ruggedised, handheld law enforcement version that seems to show a police officer scanning a driver’s iris through the (open) passenger’s side window.

So you might imagine that a handheld camera could, with a bit of good fortune, acquire an iris image from a potential victim (e.g. in a hotel lobby, at a conference dinner, on a station platform), without their knowledge or co-operation, at sufficient resolution to present to the iris scanner…and once I had that good-enough-quality image, what stops me using it to trick another iris scanner, assuming no human to spot that I wasn’t looking into the lens myself?

As mentioned in the article, it doesn’t look as though the proposed use of the iris scanner is to replace fingerprint scanning for logging in to the device itself…


Honestly, I don’t care for the fingerprint recognition on my phone. It’s fine on my mini tablet which rarely leaves my home but the phone doesn’t handle it well.

As for iris recognition, I see problems down the road. Yes, each individual has a unique iris. However, I foresee numerous issues with that. You get hit in the eye and have to wear an eye patch for a few days. Meanwhile, some hacker is lurking nearby and sees this happen. Before you know it, your phone is hijacked and if you’re not smart enough to keep your banking info off of your phone, you have a big problem!

I agree that hackers will find a way to break any barrier but I’ll keep with putting in my code when I’m outside my home rather than use a fingerprint or iris identifier.

