Iris scans

by Chris Woodford. Last updated: April 4, 2022.

If you hate having to carry a jangling bunch of jailer's keys wherever you go, imagine how cool it would be if you could unlock your door just by staring at it for a couple of seconds! Iris scanning technology could soon make this kind of thing completely routine. It's already being used in airports and military bases where fast, reliable identification is vitally important. Iris scans are the most accurate form of biometrics (identity checking based on sophisticated body measurements)—far superior as a form of identification to fingerprints (which can wear out in time) or DNA profiling (which isn't instant). What exactly are iris scans and how do they work? Let's take a closer look!

Photo: The eyes have it: computerized security systems can recognize you by decoding the unique patterns in your irises (the colored parts of your eyes). This handheld scanner is made by SecuriMetrics Inc. for the US military. Photo by Michael J. MacLeod courtesy of US Army, published on Flickr under a Creative Commons Licence.

Why use biometrics?

There are more people on Earth than ever before, owning more things, and swapping more information every single day. Security has never been more important but—ironically, thanks to the computing power at everyone's disposal—never easier to crack. Traditionally, security relies on things that are difficult to do quickly: locks are physically difficult to bust open without the correct metal keys, while information secured by encryption (computerized scrambling) is hard to access without the right mathematical keys. But this kind of security has a basic flaw: with the right key, even the wrong person can quickly gain access.

Photo: Scanners can be made handheld and easily portable, like this one being used by the US Army, or wall-mounted for convenience in places like airports. Photo by Adaecus G. Brooks courtesy of US Army.

Most security experts think biometrics (body measurement) is the answer. Instead of restricting access to things through arbitrary locks and keys, we grant access to people if we can positively identify them by measuring some unique pattern on their body. If you think about it, an ordinary passport photo is a crude example of biometrics. When the border guards look at your face and compare it with your passport photo, what they're doing is intuitively comparing two images. Is one nose bigger than another? Are the eyes further apart? That's simple biometrics. The trouble is that our faces change all the time and lots of people look very similar. Fingerprints are a more reliable form of biometrics, but even they're not infallible: illnesses and injuries, as well as basic wear-and-tear, can alter the pattern of ridges on our fingers in time. Iris scans are a much more reliable way of identifying people—simplying by taking quick photographs of their eyes!

What makes an iris scan unique?

The iris is the colored ring of muscle that opens and shuts the pupil of the eye like a camera shutter. The colored pattern of our irises is determined genetically when we're in the womb but not fully formed until we're aged about two. It comes from a pigment called melanin—more melanin gives you browner eyes and less produces bluer eyes. Although we talk about people having "blue eyes," "green eyes," "brown eyes," or whatever, in reality the color and pattern of people's eyes is extremely complex and completely unique: the patterns of one person's two eyes are quite different from each other and even genetically identical twins have different iris patterns.

How does iris scanning work in practice?

To get past an iris-scanning system, the unique pattern of your eye has to be recognized so you can be positively identified. That means there have to be two distinct stages involved in iris-scanning: enrollment (the first time you use the system, when it learns to recognize you) and verification/recognition (where you're checked on subsequent occasions).

Photo: The iris is the colored part of your eye around the dark pupil in the center. A "blue eye" like this has less melanin (brown pigment). If an iris scan can't identify key features clearly, a variety of image enhancement algorithms (mathematical ways of processing a digital image) can be used to make them stand out more clearly.

Enrollment

First, all the people the system needs to know about have to have their eyes scanned. This one-off process is called enrollment. Each person stands in front of a camera and has their eyes digitally photographed with both ordinary light and invisible infrared (a type of light used in night vision systems that has a slightly longer wavelength than ordinary red light). In iris recognition, infrared helps to show up the unique features of darkly colored eyes that do not stand out clearly in ordinary light. These two digital photographs are then analyzed by a computer that removes unnecessary details (such as eyelashes) and identifies around 240 unique features (about five times more "points of comparison" as fingerprint systems use). These features, unique to every eye, are turned into a simple, 512-digit number called an IrisCode® that is stored, alongside your name and other details, in a computer database. The enrollment process is completely automatic and usually takes no more than a couple of minutes.

Photo: Enrollment involves having one or both of your irises scanned, usually up to three times. Photo by Chris Willis courtesy of US Air Force published on Flickr (as a US Government work).

Verification

Once you're stored in the system, it's a simple matter to check your identify. You simply stand in front of another iris scanner and have your eye photographed again. The system quickly processes the image and extracts your IrisCode®, before comparing it against the hundreds, thousands, or millions stored in its database. If your code matches one of the stored ones, you're positively identified; if not, tough luck! It either means you're not known to the system or you're not whom you claim to be.

Advantages and disadvantages of iris scans

The biggest advantage of iris scanning is its accuracy and reliability: it's estimated to be at least ten times more accurate than fingerprinting (claimed to produce around 1 in 1–2 million false matches, compared to fingerprints, which produce around 1 in 100,000, according to a 2003 study by Britain's National Physical Laboratory), though SRI (one developer of the technology) claims it can be "more than 1,000 times more accurate." [1] While fingerprints are constantly exposed and susceptible to damage, the iris is naturally protected by the cornea (the eye's transparent front coating) and its pattern seems to remain reliably unchanged for decades (though not necessarily for life). Unlike fingerprint scanners, which need direct contact and have to be kept spotlessly clean, iris scans can be performed safely and hygienically at some distance from the eye.

Photo: Another view of the US Army's handheld iris scanner, made by SecuriMetrics Inc. Photo by Jason T. Bailey courtesy of US Army.

The drawbacks of iris scanning include greater initial cost and the fact that it's still a relatively untried technology (some trials, for example, have found a much greater rate of false matches than originally claimed). Although iris scanning works with people of all ages, it's notably less accurate with very young children (ages 1–4) than with adults. Civil liberties campaigners have also voiced privacy concerns—that future iris-scanning technology could be developed that will allow people to be tracked covertly (at a distance of some meters) without either their knowledge or cooperation.

Privacy and security are also concerns. Supporters of biometric technology claim that it automatically makes things like computer and ATM access more secure than traditional, very vulnerable technologies, such as simple passwords and PIN numbers. But critics have highlighted the risks of criminals compromising iris scanning security, either by using high-resolution photographs of eyes or even (horrible though it sounds) a person's dead eyeballs. The latest iris-scanning systems attempt to get around this by detecting eye movements or seeing how a person's eyes change in different lighting conditions. There's also the matter of hacking and data breaches, which are potentially more serious if the stolen information is biometric. If your fingerprints are stolen, and can then be used to access any other systems that use fingerprint access, what can you possibly do about it? You can't change your fingers the way you can change your house keys or your computer passwords. On the other hand, it's important to remember that biometric systems don't generally store raw biometric information. Iris scans, for example, are using an encoded pattern derived from your iris, not your iris itself, and even if this gets stolen, it's possible to generate a different iris code for the same person, which would be equivalent to changing the locks on your home after a burglary.

In summary, iris scans score highly for accuracy and security, reasonably highly for long-term effectiveness, and moderately for ease of use and how happy users feel about them.

Who invented iris scans?

Here's a quick history of how iris scanning technology has developed.

• 1936: US opthalmologist Frank Burch suggests the idea of recognizing people from their iris patterns long before technology for doing so is feasible.
• 1981: American opthalmologists Leonard Flom and Aran Safir discuss the idea of using iris recognition as a form of biometric security, though technology is still not yet advanced enough.
• 1987: Leonard Flom and Aran Safir gain US patent #4,641,349 for the basic concept of an iris recognition system.
• 1994: US-born mathematician John Daugman (currently a professor of computer science at Cambridge University, England) works with Flom and Safir to develop the algorithms (mathematical processes) that can turn photographs of irises into unique numeric codes. He is granted US patent #5,291,560 for a "biometric personal identification system based on iris analysis" the same year. Daugman is widely credited as the inventor of practical iris recognition since his algorithm is used in most iris-scanning systems.
• 1996: Lancaster County Prison, Pennsylvania begins testing iris recognition as a way of checking prisoner identities.
• 1999: Bank United Corporation of Houston, Texas converts supermarket ATMs to iris-recognition technology.
• 2000: Charlotte/Douglas International Airport in North Carolina and Flughafen Frankfurt Airport in Germany become two of the first airports to use iris scanning in routine passenger checks.
• 2006: Iris-scanning systems are installed at British airports, including Heathrow, Gatwick, Birmingham, and Stansted. Privacy concerns notwithstanding, hundreds of thousands of travelers voluntarily opt to use the machines to avoid lengthy passport-checking queues.
• 2017: Samsung offers iris scan security on its S8 Galaxy phone but, just two months after its introduction, German hackers discover how to crack it.

Find out more

On this website

• Digital cameras
• Fingerprint scanners

On other websites

• Biometrics.gov: The official, central source of information on all the US government's biometrics activities.
• Prof John Daugman: Web page belonging to the inventor of iris recognition.
• [PDF] Biometric Comparison Guide: A good introduction to iris recognition, face recognition, fingerprint, and other biometrics from leading manufacturer Iridian Technologies.

Articles

Scientific/technical

• Iris Recognition by John Daugman, American Scientist, Vol. 89, No. 4 (July-August 2001), pp. 326–333. A detailed but easy-to-understand, non-mathematical introduction.
• [PDF] How iris recognition works by John Daugman, IEEE Transactions on Circuits and Systems for Video Technology, Vol. 14, No. 1, January 2004, pp. 21–30. A more detailed (and more mathematical) introduction.
• Epigenetic Randomness, Complexity and Singularity of Human Iris Patterns by John Daugman and Cathryn Downing, Proceedings: Biological Sciences, Vol. 268, No. 1477 (Aug. 22, 2001), pp. 1737–1740. Why irises make good biometrics.
• [PDF] Iris Recognition: An Emerging Biometric Technology by Richard P. Wildes, Proceedings of the IEEE, Vol. 85, No. 9, September 1997. An excellent, if slightly dated, technical introduction.

News

• Stop Surveillance Humanitarianism by Mark Latonero, The New York Times, 11 July 2019. How biometric identification has become a controversial issue in the world of humanitarian aid.
• New Samsung Galaxy S8 Unlocks with Facial Recognition, Iris Scanning by Amy Nordrum. IEEE Spectrum, 29 Mar 2017. How iris scanning came to a smartphone near you.
• Biometrics Researcher Asks: Is That Eyeball Dead or Alive? by Eliza Strickland. IEEE Spectrum, 20 Jul 2016. Is it possible to fool iris scanning systems with dead eyes?
• Biometrics Are a Grave Threat to Privacy by Clare Gartland. The New York Times, 5 July 2016. A summary of some of the privacy issues that biometric technologies raise.
• Ageing eyes hinder biometric scans by Duncan Graham-Rowe. Nature, 25 May 2012. Research suggests iris patterns do change slowly over time, potentially undermining the security of iris scanning systems.
• New York City Police Photograph Irises of Suspects by Ray Rivera and Al Baker. The New York Times, 15 November 2010. Police are now using iris scans to check the identity of suspects when they appear in court, but critics are concerned about the privacy and civil liberties issues this raises.
• Security on the (Eye)Ball: Hands-Free Iris Biometrics to Keep Bad Guys at Bay by Larry Greenemeier, Scientific American, 28 Jul 2009. How iris scanners can now detect people at a distance of 12m.
• Questions over eye scan plan: by Mark Ward, BBC News, 7 May 2003. A critical look at some of the drawbacks of iris scanning, including assessments of its accuracy and reliability.
• Your eyes can tell no lies: A short biographical profile of John Daugman by Sally Donnelly from TIME, Sunday, Nov 18, 2001.

Books

• Advances in Biometrics: Modern Methods and Implementation Strategies by G.R. Sinha (ed). Springer, 2019. An up-to-date review covering cutting-edge issues like self-driving cars and the Internet of Things.
• Handbook of Iris Recognition by Mark J. Burge and Kevin Bowyer (eds). Springer, 2016. A cutting-edge collection of the latest iris scanning research.
• Iris Recognition: An Identification Biometric System by Abdul Basit. LAP Lambert, 2010. A good overview to different types of biometrics with a practical feel (one part of the book is devoted to "getting started with biometrics").
• Security and Access Control Using Biometric Technologies by Robert Newman. Cengage, 2010. Introduces the basic concepts of biometric security, then compares the various different technologies and their applications.
• Biometrics For Dummies by Peter Gregory and Michael Simon. Dummies, 2009. A good overview to different types of biometrics with a practical feel (one part of the book is devoted to "getting started with biometrics").
• Biometrics: Identity Assurance in the Information Age by John D. Woodward (Jr.), Nicholas M. Orlans, and Peter T. Higgins. McGraw Hill, 2003. A fairly practical introduction covering all forms of biometrics.

Patents

• US Patent #4,641,349: Iris Recognition System by Leonard Flom and Aran Safir, February 3, 1987. Explains the general principle of scanning an eye to recognize its features.
• US Patent #5,291,560: Biometric personal identification system based on iris analysis by John Daugman, March 1, 1994. Describes the general process used in modern iris recognition systems.

References

1. ↑    [PDF] Feasibility study on the use of biometrics in an entitlement scheme by Tony Mansfield, National Physical Laboratory, and Marek Rejman-Greene, BTexact Technologies, 2003, p14. This comparison is between the false match rate (the probability that your iris scan matches someone else's). The false non-match rate (the probability that you're not recognized from your own iris scan) was found to be roughly similar, 1 in 100, (though slightly better with iris scans). In this study, face recognition performed significantly worse than either fingerprints or iris scans (a false match rate of 1 in 1000 and a false non-match rate of 1 in 10). "Tests have shown this purely iris-based solution to be more than 1,000 times more accurate than published fingerprint data." quoted in SRI International to Offer Iris Biometric-Embedded Products for Mobile B2B Applications, SRI Press Release, March 25, 2015 [Archived via the Wayback Machine].