To Fool This Iris Scanner, You're Gonna Need a Really Fresh Eyeball

When security systems rely on our unique human characteristics—like our fingerprints and eyeballs—techniques for circumventing those systems can be far more macabre than just guessing a password. If someone wanted to fool your iris scanner, for instance, all they really need is your eye. In light of that, a research paper published this month asks an important question: Is there a way to confirm a scanned eyeball is actually alive?


Once a sci-fi trope, iris recognition systems—which authenticate someone’s identity by measuring the colored circle of their eye—are becoming an increasingly common form of biometric security. So researchers in Poland recently examined whether a machine learning system could distinguish a living eyeball from a dead one. Their method was able to consistently differentiate the two—but not if the eyeball belonged to the very recently dead.

The researchers collected images from the Warsaw BioBase PostMortem Iris dataset, gathering 574 near-infrared iris images from 17 people, taken between five hours and 34 days after death. They also used 256 images of irises from living people. The team trained a deep neural network on this dataset to classify an image of an iris as taken either while the subject was alive or post-mortem. According to the paper, their method was ultimately able to correctly identify irises as dead or alive “nearly 99” percent of the time, but struggled with freshly dead eyeballs.

The researchers concluded that the changes to eyes photographed less than five hours after death were not “pronounced enough” for their neural network to correctly classify them as alive or dead. These post-mortem indicators included blurring of the edges of the iris and changes to the pupil. Their system, however, had no problem with iris images taken at least 16 hours after death. If such a system—one that could flag an eyeball as living or dead—were integrated into an iris scanner, someone would have a pretty narrow timeframe to extract an eye and dupe the scanner.

Disturbingly, such a scenario is no longer limited to fictitious Hollywood portrayals: The researchers note that, according to news reports, police are already trying to use the fingerprints of the dead to unlock iPhones.

With more and more people using biometric authentication, our fingertips and irises have the potential to unlock highly secure locations or grant access to troves of personal information. From a security perspective, developing measures that verify a user is actually alive only makes sense. But research like this also raises an important (if deeply morbid) question: If your body is your password, who has access when you die?


[MIT Technology Review]


So Simon still would have escaped then.