More biometrics, more problems?
Soon, verifying your identity while unlocking or making purchases on a smartphone may be as easy as looking your phone straight in the eye.
A few phones equipped with iris scanners are already on the market: the Japanese company Fujitsu’s Arrows NX F-04G was the first to debut it in 2015, followed by the Android Idol 3. The ill-fated Galaxy Note 7 also allowed owners to use this tech to unlock their devices and verify their identities with Samsung. Still, this functionality isn’t yet mainstream.
Now, the latest buzz at the Apple rumor mill is that the iPhone 8, expected to be out in September, will include an iris scanner. While these rumblings remain unverified, the company has filed for trademarked products called the “Apple Iris Engine” and “Apple Iris Image Engine,” as noted by Macrumors.
Even beyond Apple and Samsung, there appears to be quite a bit of interest in bringing iris scanners — primarily used by government agencies and law enforcement today — directly to consumers. Mobile phone chip maker Qualcomm has announced a new partnership with Eyelock, an iris-based identity authentication company. In discussing this, EyeLock’s Chief Technology Officer estimated that “in the next two years, every smartphone in the world is going to have a biometric on it.” However, there are many steps from Qualcomm merely having the means to make this technology available and having phone manufacturers actually decide to implement it on a large scale.
Iris scanners could help make a phone more secure and convenient, but they come with downsides. “It’s harder to spoof irises than it is to spoof fingerprints, and they’re thought to be stable over a person’s lifetime,” said Marios Savvides, head of the CyLab Biometrics Center at Carnegie Mellon University, which researches issues of cybersecurity. “In that sense, I think iris scanning will help remove some of that hackability.”
But nothing is fool-proof, and one problem is that once your eye prints are hacked, there’s no changing them like a password. According to cybersecurity expert Scott Schober, iris recognition on one’s phone should never be used as the only authentication method — especially on devices that do not have end-to-end encryption — because of the inherent risks involved.
“If it’s an additional layer, it’s more secure,” he said. “If that’s your only authenticator and…the database is compromised, you’re in trouble. You can’t really replace your eye.”
It was the same when fingerprints became a popular biometric for phones. Though fingerprint scanners were first introduced to cell phones by Toshiba in 2007, it wasn’t until fingerprint identification was first added to the iPhone 5S and branded “Touch ID,” that its use became mainstream. Almost immediately, security experts fears were validated.
In 2015, an unprecedented hack led to the fingerprint data of 5.6 million people being compromised, and in 2016, it was 55 million fingerprint records. Even “peace sign selfies” have some risk involved. It’s still unclear how exactly such data could be useful, but the threat level changes as technology continues to evolve.
The controversy surrounding Touch ID has only grown as it has been implemented across smartphones. Privacy experts have questioned the potential for phone unlocking by law enforcement using the finger of a corpse in a criminal investigation and police are legally allowed to demand suspects unlock their phone with it.
Iris scanners present similar potential threats. Already, constitutional rights advocates worry about the way iris scanning tools in possession of police can be used for the purpose of general surveillance. And while tech companies like Apple have refused to cooperate with law enforcement requests for access to devices in the past, a right federal courts have upheld, the government’s increased fixation with national security could threaten this in the future. The fact that border checkpoint systems already use high-tech biometric iris readers adds to this point of concern.