Last week, Samsung revealed its new smartphone, the Samsung Galaxy S8, which users can unlock with a quick glance. Since the big debut, we’ve learned that the iris scanner in the S8 comes from a little-known biometric security company in New Jersey called Princeton Identity.
CEO Mark Clifton says the company’s technology can produce an accurate scan in varying light conditions from arm’s length, even if the user isn’t standing completely still. Those features persuaded Samsung that iris scanners, which are already common in building security systems, were ready to be integrated into its popular line of smartphones.
“They became convinced that we were the real deal when we were able to show them iris recognition working outdoors in a sunny parking lot, when none of the other competitors could do that,” Clifton says.
Adding an iris scanner to a smartphone is a big decision, because it requires extra hardware and modifications to the body of the phone. Clifton estimates the total cost of adding this form of biometric security works out to be less than $5 per handset. That’s still a lot of money for an industry in which any manufacturer can build a smartphone, but few can do it profitably.
If you look closely at the S8, there are three dots and one long dash right above the screen. The middle dot is the selfie camera and the thin slit is the proximity sensor, neither of which plays a role in iris scanning.
The dot on the far left, however, is an LED that produces near-infrared light. And the dot on the far right is a camera equipped with a special filter that blocks most visible light but allows infrared waves to pass through.
To produce a scan, the LED emits infrared waves that penetrate just below the surface layer of the iris (the colored part of the eye) and reflect back to the infrared camera. This camera can then produce a high-contrast scan of the iris based on those reflections of infrared light from the eye. The proprietary piece of Princeton’s technology is the pattern of the pulse, or strobe, of the LED that produces the infrared light, and the design of the filter that blocks out visible light and yields the high-contrast scan.
A user’s first scan captures about 250 points of reference from the iris, the part of the eye that includes a pair of muscles that dilate and constrict the pupil to let more or less light in. This compares favorably with the 20 to 70 points that a fingerprint sensor gathers. An iris scan may show the contours of muscles, the patterns of blood vessels, or other artifacts, such as strands or folds of tissue, within the iris.
All of the information about those reference points is stored in a template in the phone’s “trust zone,” a specialized area of hardware where sensitive data is encrypted. When a user wants to unlock their phone, software compares the iris pattern in the latest scan to the pattern in the original template.
Many of the elements within the iris are shaped during early development as well as by genetics, so even identical twins would have unique templates. For people who wear glasses, Princeton recommends users take them off to do their original scan, but Clifton says the iris scanner should generally work even with their glasses on.
Dr. Kevin Miller, a corneal surgeon who performs artificial iris transplants at the UCLA Stein Eye Institute, points out that the muscle contours of the iris change considerably based on lighting conditions and pupil dilation. And there are other factors that could produce errors in an iris scan over the course of a person’s lifetime.
“What happens if you’re scanning somebody with diabetes and they have a little hemorrhage in the eye? Now that hemorrhage shows up on the scan and it’s not going to recognize them,” he says. “There’s issues like that with all these biometric methods.”
A user can create a new scan of their iris at any time. And the template that’s stored in the trust zone is a digital representation of the contrast points on their iris, rather than an actual image of the iris. Storing the image itself would create another security problem because, unlike passwords or credit card numbers, a person’s iris pattern can’t be revoked or updated.
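How a fresh scan can be compared with a stored template of this kind, as an added example that is not from the article or from Princeton Identity, whose matcher is proprietary: it uses the widely published iris-code approach of a masked fractional Hamming distance. The 2048-bit template size, the 0.32 threshold, the rotation range and the sample codes are all assumptions constructed for illustration.

```python
import random

CODE_BITS = 2048   # assumed template length; the article gives no format
THRESHOLD = 0.32   # assumed accept threshold on fractional Hamming distance
MAX_SHIFT = 8      # rotations tried to absorb head tilt between scans
ALL = (1 << CODE_BITS) - 1

def rotate(bits, k):
    """Circularly rotate a CODE_BITS-wide bit string left by k (k may be negative)."""
    k %= CODE_BITS
    return ((bits << k) | (bits >> (CODE_BITS - k))) & ALL

def fractional_hd(a, b):
    """Share of disagreeing bits, counted only where both masks mark valid iris."""
    (code_a, mask_a), (code_b, mask_b) = a, b
    valid = mask_a & mask_b
    n = bin(valid).count("1")
    if n == 0:
        return 1.0  # nothing comparable: treat as a non-match
    return bin((code_a ^ code_b) & valid).count("1") / n

def match(enrolled, probe):
    """Return (best distance over all rotations, accept decision)."""
    code, mask = probe
    best = min(fractional_hd(enrolled, (rotate(code, k), rotate(mask, k)))
               for k in range(-MAX_SHIFT, MAX_SHIFT + 1))
    return best, best <= THRESHOLD

def demo(seed=1):
    """Constructed sample data: one enrolled eye, a noisy rescan, a stranger."""
    rng = random.Random(seed)
    enrolled = (rng.getrandbits(CODE_BITS), ALL)
    noise = sum(1 << i for i in range(CODE_BITS) if rng.random() < 0.10)
    eyelid = ALL & ~((1 << 256) - 1)          # 256 bits occluded in the rescan
    same_eye = (rotate(enrolled[0] ^ noise, 3), rotate(eyelid, 3))
    stranger = (rng.getrandbits(CODE_BITS), ALL)
    return match(enrolled, same_eye), match(enrolled, stranger)

if __name__ == "__main__":
    for label, (dist, ok) in zip(("same eye", "stranger"), demo()):
        print(f"{label}: distance={dist:.3f} accepted={ok}")
```

Lowering the threshold in a matcher like this reduces false accepts at the cost of rejecting more genuine rescans.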
Clifton says with their technology, the chances of producing a false positive are about 1 in 1.1 million for a scan of a single eye and 1 in 1.4 trillion for a scan of both eyes. “You do approach DNA-level type of accuracies with a dual-eye recognition,” Clifton says.
The company says they’ve also incorporated “liveness detection” into the scanner so that the iris scanner can’t be fooled by a photograph—a common problem for facial recognition technology—though Clifton wouldn’t say much about how this feature works.
Samsung actually debuted Princeton’s iris scanners in the Galaxy Note7, which had a brief run of sales in 2016 before a mass recall. The only change to the technology for the S8 appears to be cosmetic—this time, Samsung implemented a full-color live preview mode with two circles on the screen to help users position their eyes. The ill-fated Note7 preview was in black and white. “Hopefully this will go much smoother,” Clifton says.