Could iris recognition be coming to the enterprise?

Iris recognition will be widely included in future mobile devices reducing the hardware investment and potentially preventing fraudulent access via biometric authentication

biometrics
Thinkstock

Our daily lives are finally catching up to the sci-fi visions weread and dreamed about 30 years: virtual reality, artificial intelligence, and biometrics to name a few. As such, our experiences of technology in the workplace are on the cusp of dramatic shifts. 

Notwithstanding the recent popularity of TouchID, biometric authentication has long been associated in the popular consciousness with iris recognition: secret agents and Bond villains pressing their eye up against a sensor to gain access to a top secret lab or a hidden bunker.

Candidly, the James Bond depiction is not an inaccurate one, as over the last 20 years fixed iris recognition systems were prohibitively expensive for pretty much everybody but government spy agencies and organizations protecting the world’s most critical assets. 

Last year, however, all of that changed forever. Samsung released the Galaxy Note 7 including Iris scanning capability. While the obituary for that since scrapped-handset will likely center around exploding batteries, its legacy will be to have set a trend in terms of iris recognition being included in handsets. For enterprises, that will mean that iris-based biometric authentication can be deployed via mobile device, substantially reducing the hardware investment and potentially preventing 99% of fraudulent access that is common in today’s enterprise. 

So is it that simple? Will companies all be asking employees to log into their accounts or to access the front door using iris recognition before next year is out?

An eye for opportunity

The opportunities are enormous. Existing platforms for biometric deployments using smartphones as an image capture device are becoming increasingly plug and play, so taking any forthcoming smartphone equipped with iris recognition and deploying it for authentication within the enterprise is extremely light-lifting. It could be used to control Active Directory access, physical access to sensitive areas, secure file access, and as a strong anti-fraud measure. The obvious early adopters are financial services companies, government institutions, and the healthcare industry, but the ease-of-deployment and lower cost means that even organizations with apparently less critical assets can still protect them with a vastly higher degree of security.

Of course, enterprise identity management has already begun to start embracing different forms of biometrics like fingerprint and voice. So why would companies choose iris? 

Enhanced accuracy, improved security

In some regards, iris-based authentication using smartphones will be a perfect medium for enterprise level authentication of employees for access to high value data or permission to perform high-value transactions. The controlled and moderate lighting of the typical indoor work environment allows for optimal conditions for iris scanning to work using the type of system Samsung had deployed.

Enhanced security is the chief benefit over other common biometric identifiers like fingerprint and voice. Iris recognition systems are gaining interest because the iris’ rich texture offers a strong biometric cue for recognizing individuals.

Second to retina-based recognition, iris scanning has a proven track record of being highly secure because it is hard to spoof and provides a high degree of identity accuracy.

Not all sunshine and light

There are some significant practical hurdles to overcome in order to bring the above mentioned benefits to the fore. Iris recognition is usually based on near infrared (NIR) lighting and sensors, because the texture of dark-colored irides are not easily discernible in the visible spectrum. NIR lighting can penetrate the iris’ surface and thus reveal the intricate texture details that are present even in dark-colored irides. Including NIR in a smartphone is not a routine add-on, so it’s not likely that every new smartphone coming out next year will follow Samsung’s lead.

That creates a significant deployment restriction in the fact that, right now, just one mainstream smartphone includes iris scanning and it’s being recalled and shelved. The next device to incorporate iris recognition will not be far behind, but total market saturation will happen over a number of years. So to use iris-recognition an enterprise would need to end or alter its BYOD policy (which is highly unlikely to happen) and issue very specific devices to all employees.  In addition, the promised land of open deployment has not quite been reached. Only embedded software on the Samsung device was given access to the biometric data, and this restricts development of corporate custom applications unless working with the device manufacturer or its licensed third-party integrators.    

While it might be harder to game than fingerprints and voice, there are still mechanisms (albeit more cumbersome for the hacker). For example, a custom printed contact lens could be one way in which a hacker could forge access if they could get hold of the biometric data and the linked smartphone. Difficult, but not impossible - especially as 3D printing becomes more prevalent.

Finally, the mobility that a smartphone deployed biometrics authentication should provide is somewhat undermined by iris scanning’s reliance on moderate, indoor levels of light. For example, if your CEO needs to access an important but sensitive document while on vacation at the beach you might run into difficulties. The same is true of low-levels of light, so outdoors at night or in a bar are also out.

The prognosis for iris scanning

The jury is really out here. There are certainly security and ease-of-use benefits, but the current limitations are also apparent. If we start to see more smartphones including iris scanning as standard and the BYOD challenge is overcome, it becomes a more viable prospect. Then, we can look to see adoption in the white collar workplace as a big driver of consumer adoption and a virtuous circle might form.

One possible driver of adoption is the forthcoming General Data Protection Regulations (GDPR), under which banks will be required to keep track of data provenance -- that is, a traceable chain of all transactions related to the origin of a raw or computed data item.  Provenance will require digital signatures via biometrics on each transaction in some circumstances to provide non-repudiation: iris scans could provide a highly-reliable basis for such digital signatures.

Still, due to some of the inherent restrictions relating to light, it is likely that, in most use cases, enterprises would need to deploy iris scanning alongside other authentication options, and perhaps reserve this format for the highest-value transactions or the most sensitive data.

To date, we haven’t found the perfect biometric identifier that solves all of an enterprise’s needs and that has held back deployments. Rather than giving up on the significant security benefits offered by biometrics, enterprises should be looking to create a flexible environment where different types of biometric authentication can be used and controlled easily -- including iris recognition.

This article is published as part of the IDG Contributor Network. Want to Join?

NEW! Download the Winter 2018 issue of Security Smart