Our daily lives are finally catching up to the sci-fi visions we read and dreamed about 30 years ago: virtual reality, artificial intelligence, and biometrics to name a few. As such, our experiences of technology in the workplace are on the cusp of dramatic shifts.
Notwithstanding the recent popularity of Touch ID, biometric authentication has long been associated in the popular consciousness with iris recognition: secret agents and Bond villains pressing their eye up against a sensor to gain access to a top-secret lab or a hidden bunker.
Candidly, the James Bond depiction is not an inaccurate one, as over the last 20 years fixed iris recognition systems were prohibitively expensive for pretty much everybody but government spy agencies and organizations protecting the world’s most critical assets.
Last year, however, all of that changed forever. Samsung released the Galaxy Note 7 with iris scanning capability in 2016. While the obituary for that since-scrapped handset will likely center around exploding batteries, its legacy will be as a trendsetter for iris recognition being included in handsets. For enterprises, that will mean that iris-based biometric authentication can be deployed via mobile device, substantially reducing the hardware investment and potentially preventing 99 percent of fraudulent access that is common in today’s enterprise.
Since the Galaxy Note 7, Samsung has seen successful deployments of iris recognition, with other mobile device manufacturers beginning to follow suit. So is it that simple? Will companies all be asking employees to log into their accounts or to access the front door using iris recognition before next year is out?
An Eye for Opportunity
The opportunities are enormous. Existing platforms for biometric deployments using smartphones as an image capture device are becoming increasingly plug and play, so taking any forthcoming smartphone equipped with iris recognition and deploying it for authentication within the enterprise requires extremely light lifting. It could be used to control Active Directory access, physical access to sensitive areas, secure file access, or as a strong anti-fraud measure. The obvious early adopters are financial services companies, government institutions, and enterprises, but the ease of deployment and lower cost mean that even organizations with apparently less critical assets can still protect them with a vastly higher degree of security.
Of course, enterprise identity management has already begun embracing different forms of biometrics like fingerprint and voice. So why would companies choose iris?
Enhanced Accuracy, Improved Security
In some regards, iris-based authentication using smartphones will be a perfect medium for enterprise-level authentication of employees for access to high-value data or permission to perform high-value transactions. The controlled and moderate lighting of the typical indoor work environment allows for optimal conditions for iris scanning to work using the type of system Samsung has deployed.
Enhanced security is the chief benefit over other common biometric identifiers like fingerprint and voice. Iris recognition systems are gaining interest because the iris’ rich texture offers a strong biometric cue for recognizing individuals.
Second to retina-based recognition, iris scanning has a proven track record of being highly secure because it is hard to spoof and provides a high degree of identity accuracy.
Not All Sunshine and Light
There are some significant practical hurdles to overcome in order to bring the above-mentioned benefits to the fore. Iris recognition is usually based on near infrared (NIR) lighting and sensors, because the texture of dark-colored irises is not easily discernible in the visible spectrum. NIR lighting can penetrate the iris’ surface and thus reveal the intricate texture details that are present even in dark-colored irises. Including NIR in a smartphone is not a routine add-on, so it’s not likely that every new smartphone coming out next year will follow Samsung’s lead.
That creates a significant deployment restriction: right now, very few smartphones actually include the necessary technology. The next device to incorporate iris recognition is right around the corner, but total market saturation will happen over a number of years. So to use iris recognition, an enterprise would need to end or alter its BYOD policy (which is highly unlikely to happen) and issue very specific devices to all employees. In addition, the promised land of open deployment has not quite been reached. Only embedded software on the Samsung device was given access to the biometric data, and this restricts development of corporate custom applications unless working with the device manufacturer or its licensed third-party integrators.
While iris recognition might be harder to game than fingerprints and voice, there are still mechanisms for doing so (albeit more cumbersome for the hacker). For example, a custom printed contact lens could be one way in which a hacker could forge access if they could get hold of the biometric data and the linked smartphone. Difficult, but not impossible – especially as 3D printing becomes more prevalent.
Finally, the mobility that smartphone-deployed biometric authentication should provide is somewhat undermined by iris recognition’s reliance on moderate, indoor levels of light. For example, if your CEO needs to access an important but sensitive document while on vacation at the beach, you might run into difficulties. The same is true of low levels of light, so outdoors at night or in a bar are also out.
The Prognosis for Iris Recognition
The jury is really out here. There are certainly security and ease-of-use benefits, but the current limitations are also apparent. If we start to see more smartphones including iris scanning as standard and the BYOD challenge is overcome, it becomes a more viable prospect. Then, we can look to see adoption in the white-collar workplace as a big driver of consumer adoption and a virtuous circle might form.
One possible driver of adoption is the forthcoming General Data Protection Regulation (GDPR), under which banks will be required to keep track of data provenance, that is, a traceable chain of all transactions related to the origin of a raw or computed data item. Provenance will require digital signatures via biometrics on each transaction in some circumstances to provide non-repudiation: iris scans could provide a highly reliable basis for such digital signatures.
Still, due to some of the inherent restrictions relating to light, it is likely that, in most use cases, enterprises would need to deploy iris scanning alongside other authentication options, and perhaps reserve this format for the highest-value transactions or the most sensitive data.
Rather than giving up on the significant security benefits offered by biometrics, enterprises should be looking to create a flexible environment where different types of biometric authentication can be used and controlled easily. Until iris recognition becomes native to a much wider selection of smartphones, a more ubiquitous biometric, like 4 Fingers TouchlessID, will provide much more value to enterprises.
This article originally appeared on CSO in March 2017 and has been updated to reflect more recent developments in the field of biometric technology.