GEORGE STEINMETZ/SCIENCE PHOTO LIBRARY

Identifying people by scanning the irises of their eyes may not be as reliable as some governments and the public might think. That’s according to new research suggesting that irises, rather than being stable over a lifetime, are susceptible to ageing effects that steadily change their appearance over time.

With iris recognition now being used at border control in countries such as the United Arab Emirates and the United Kingdom, this has huge implications, says Kevin Bowyer, a professor of computer science at the University of Notre Dame in Indiana. At the very least, it could cause delays if people have to be scanned again. At worst, it implies that people might increasingly be able to evade detection when moving between countries.

Bowyer and his colleague Samuel Fenker, also at Notre Dame, used state-of-the-art, commercial iris-matching software to measure differences in the software's performance when comparing more than 20,000 different images of 644 irises, taken between 2008 and 2011. The authors compared the quality of a match between two images of the same iris that were recorded roughly a month apart, to pairs of images taken one, two or three years apart. They found that the rate at which the system failed to match two images of the same iris — known as the false non-match rate — increased by 153% over the three years1.

Eyes down

All iris-recognition systems have some margin of error, because there will always be slight differences between the original iris image — taken to create a digital template when people first enrol in iris-recognition schemes, for example — and those taken later to confirm a person's identity. If irises did not age, the false non-match rate would be expected to remain constant over time, but Bowyer says his results clearly show that this is not the case. “One iris biometric marketing claim has been that the iris allowed ‘a single enrolment for a lifetime’. This claim is now proven to be false,” he says.

The likelihood of software incorrectly matching two irises from different people is around 1 in 2 million (known as the false match rate). So in practical terms, Bowyer’s results suggest that the false match rate for a system would increase to 2.5 in 2 million after three years had elapsed. This rate sounds low, but the effect appears to be cumulative, says Bowyer: “So although you might not really notice the problem after one year or two years, after five or ten years it can become a huge problem,” he explains.

But some are not convinced that the iris ageing effect will make a noticeable difference to the false match rate — even in huge national iris-identification schemes such as India's, which so far has more than 200 million people enrolled. Biometrics expert Vijayakumar Bhagavatula of Carnegie Mellon University in Pittsburgh, Pennsylvania, says: “In my opinion, the impact of this research is to suggest that iris templates should be periodically updated.”

But the work also points to the need to develop iris-recognition algorithms that are less affected by ageing, says Bowyer, who is due to present his research next month at a biometrics workshop at the IEEE Computer Vision and Pattern Recognition Conference in Providence, Rhode Island. “The development of ageing-resistant algorithms for iris biometrics has not been studied at all. In contrast, in the face-recognition research community, there is a lot of work on developing algorithms to match faces in the presence of significant ageing.”

It is not clear why irises were assumed to be somehow immune to the ravages of time. According to Bhagavatula, it is partly because of a lack of long-term data. But Bowyer’s view is that it comes down to an incorrect and optimistic assumption made at the outset of iris biometrics. “This assumption was repeated often enough, and in a convincing enough manner until it became fact,” he says.