How Do Iris Biometrics Work?

Mike Engle

With biometrics becoming the new secure password replacement, iris biometrics help verify and authenticate account access.

So, how do iris biometrics work? Iris biometrics work by scanning someone’s eye to identify the unique patterns in their iris. These scanners will illuminate the eye to find the distinctive pattern specific to each individual and then add that data to the database.

What Are Iris Biometrics and How Do They Work?

Biometric scanning uses a user’s physical features (a fingerprint, facial scan, voice authentication, or iris scan) as part of an identity verification process. The idea behind this approach to authentication is that these physical features should be almost 100% unique to the user, and as such, can serve as an un-spoofable way to verify them when they try to access their accounts.

Some forms of biometrics are more common than others in the consumer and enterprise space. Fingerprint and facial scanners are more and more common on mobile devices like smartphones, tablets, and laptops. These biometrics are used to grant access to devices or to support biometric password setups for applications installed on the devices.

Another form of biometrics that is closely related to facial recognition is the iris scan. The iris is the colored ring in our eyes, a muscle that expands and contracts the eye based on the amount of light entering the eye itself. On the surface, we don’t see the complexity of the iris—we see the melanin-colored ring but not much else. These scans function as verification methods because each human iris has unique patterns and color circles that can be used to identify them.

To conduct an eye scan, the technology used for the scan directs infrared light into the eye at wavelengths smaller than visible light. These wavelengths allow the scanner to see more delicate patterns in the iris consisting of approximately 240 different features that, together, comprise a unique digital representation of the user. The scanned data is encoded into a machine-readable form for future reference. This information is usually stored in an identity database, and subsequent scans used for authentication compare scanning information against the data in the database.

Like other forms of biometric authentication, there are two primary steps in using eye scans as verification. First, patterns in the iris must be scanned and enrolled in a system and associated with a digital identity. Following that, the system can scan your iris as a form of verification against the data provided during enrollment.

What Are the Four Steps for Iris Recognition Enrollment?

The enrollment and verification process is rather seamless for users: the system scans the eye and uses it to verify identity. However, to actually use information from the iris as a form of identification, a four-step enrollment process takes the information and makes it a form of biometric ID:

  1. Image Capture: The scanner takes high-quality images of the left and right eye using near-infrared light for a more accurate and fine-grained image of the iris and its unique features. Near-infrared light also doesn’t cause contractions in the iris the same way natural light would, providing a more realistic image from which to draw information.
  2. Quality Checks and Controls: Now that the system has an image to draw information from, it performs quality checks to ensure that the image is enough to serve as a biometric template. Different image qualities are tested during this step, including analysis of the sharpness, iris sclera contrast, iris pupil contrast, pupillary dilation and the presence of any artifacts like eyelashes and eyelid occlusions. During this analysis, the scan segments of the recognizable iris from the rest of the eye in the image.
  3. Compression: The remaining, high-quality image is compressed using JPEG 2000 algorithms. This helps remove image distortions and other artifacts.
  4. Template Creation: The remaining image information is then translated into a biometric template that can be used in future verification scans.

Once the template is in place, it is difficult to spoof using fake biometrics. Likewise, this information can be used across multiple authentication events so long as you use the same or similar quality NIR scanners.

What Are the Advantages of Iris Biometrics?

While not as common as other biometric verification methods, eye scans have several advantages:

  • Difficulty of Spoofing: Since iris information is unique to everyone and requires special technology to collect, it can be hard to spoof this information for unauthorized access.
  • Persistence: Iris dimensions and conditions don’t vary much as we age, meaning that scans have significant longevity as verification methods. Likewise, barring trauma to the eyes, they are not typically vulnerable to physical disfigurement.
  • Distance and Flexibility: It might seem like it would be hard to scan an iris, but advances in cameras and light technology have made it possible to scan a human iris from up to 40 feet away.

With these advantages in mind, eye scanners are often more accurate and reliable than fingerprint or facial scanners. Fingerprint scanners are touch-based, meaning that dirt, grease, or other artifacts can hinder fingerprint scans. Likewise, individuals who do hard work that damages the fingers might be unable to use the technology or find it doesn’t work for them as they get older. On the other hand, eye scanners don’t degrade in functionality unless there is trauma to the eyes, and eyes are self-cleaning by nature. Because of this, iris scanners can serve a broader population than a fingerprint verification system, particularly populations from poor or working-class backgrounds.

Modern Authentication Is Evolving with Biometrics

Biometrics are a critical part of modern authentication and in particular multi-factor authentication (MFA). Biometrics, alongside passwords or knowledge-based authentication, can form comprehensive verification methods to protect customer data.

However, biometrics are not enough, no matter how accurate they are. While iris scans are reliable, they are still subject to some of the problems that other authentication have, including the potential for data theft from a database. More importantly, all biometrics can fall prey to identity spoofing.

The reality of any authentication method is that it must contend with both the claimed identity of the user attempting access and the actual identity of that user. Layers of biometrics, passwords and authenticators cannot erase the fact that effective and robust authentication security must have identity proofing in place to ensure the person accessing a system is who they say they are.

There have been some incremental changes to how biometrics works, but it isn’t enough. It’s time that we radically rethink authentication and access management to include seamless identity proofing, decentralized identity management, and passwordless authentication. We need to look to solutions that lower barriers customers face with onboarding and system use. The present and future of identity verification must make authentication secure and simple for users.

1Kosmos BlockID and Advanced Biometrics Are the Future of Authentication

Identity management is one of the more important functions in an IT system. 1Kosmos BlockID is taking that important function and revolutionizing it. The future is passwordless, and BlockID combines identity-proofing and advanced biometrics with passwordless authentication to bring together tight, compliant security with a streamlined and intuitive user experience.

BlockID includes features like the following:

  • KYC compliance: BlockID Verify is KYC compliant to support eKYC verification that meets the demands of the financial industry.
  • Strong compliance adherence: BlockID meets NIST 800 63-3 for Identity Assurance Level 2 (IAL2) and Authentication Assurance Level 2 (AAL2).
  • Incorruptible Blockchain Technology: Store user data in protected blockchains with simple and secure API integration for your apps and IT infrastructure.
  • Zero-trust security: BlockID is a cornerstone for a zero-trust framework, so you can ensure user authentication happens at every potential access point.
  • Liveness Tests: BlockID includes liveness tests to improve verification and minimize potential fraud. With these tests, our application can prove that the user is physically present at the point of authentication.
  • Enhanced User Experience: With the BlockID app, authentication and login are simple, straightforward, and frictionless across systems, applications and devices. Logging into a system isn’t difficult, and you don’t have to sacrifice usability in the name of security.

With these measures, you won’t have to worry about the typical weaknesses of password systems like brute-force attacks or stolen passwords.

If you’re ready to learn about BlockID and how it can help you remain compliant and secure, learn more about 1Kosmos Passwordless Enterprise solutions. Make sure you sign up for the 1Kosmos email newsletter for updates on products and events.

A Customer First Approach to Identity Based Authentication
Read More

Expert Insights in Your Inbox

Subscribe to the blog
Meet the Author

Mike Engle

Co-Founder and CSO

Mike is a proven information technology executive, company builder, and entrepreneur. He is an expert in information security, business development, authentication, biometric authentication, and product design/development. His career includes the head of information security at Lehman Brothers and co-founder of Bastille Networks.