If the selfie craze hadn’t happened, we might not be where we are, according to Toby Rush, CEO and founder of EyeVerify, which makes eye-recognition technology called Eyeprint ID. According to Rush, selfies were just starting to take off when his team began working on their technology, and not every phone had a high-res front camera. “We were naive. We thought people would turn their phones around,” he laughed.
Thankfully, our lust for photos of ourselves sparked a wave of new hardware that Rush’s team was able to ride right alongside preteens snapping selfies. “All of a sudden, every smartphone manufacturer wanted to put a 5 or an 8-megapixel camera on the front of a phone,” Toby remembers. Apple’s introduction of TouchID on the iPhone 5S, he adds, played a big part in bringing attention to the world of biometric authentication.
Not more secure, more convenient
Why should our phones scan our eyes instead of our fingerprints? They shouldn’t.
“We don’t see EyePrint as an alternative to fingerprint scanning, we see it as an addition to it,” Rush explains. “When you think about biometrics, there is no right or wrong, but you do need to think about what the user is doing the vast majority of the time when they want to authenticate an action.”
“It’s not more security, it’s more convenience.”
“Heartrate makes a perfect biometric for smartwatches, but don’t make me talk, touch, or look at it. But with a smartphone, you’re either touching or looking at it, and some of the companies we’re working with — on flagship phones — want to provide both. It’s not more security, it’s more convenience.”
EyeVerify’s technology impressed when we saw it on the ZTE Grand S3 back at CES this year. It works by matching the blood vessels in the whites of our eyes, each one of which is like mapping 100 unique points-of-interest on a map, and then another 100 points-of-interest on each one when you zoom in. It’s not the same as iris or retina scanning, and both of these require special camera hardware to measure. EyeVerify’s method, as we’ve already found, only needs a selfie cam.
No additional hardware needed
Without additional hardware cost, even low-end phones can incorporate eye recognition without spending out on an extra component. However, is a low-res front camera up to the job of looking deeply into our eyes?
“The only difference for us is range,” said Toby, when asked if there was a difference between a 2-megapixel and a 13-megapixel front camera for use with EyePrint’s technology. “The better the resolution, the farther away you can hold the phone.” However, even the lowest megapixel front cams can produce surprising results. A single megapixel camera is still usable from 20cm away, for example. For comparison, a 5-megapixel camera is capable of operating from 30cm away, and an 8-megapixel camera is happy at between 35 and 40cm — easily covering most outstretched arms.
Like all good security measures, the authentication process is designed to be quick and seamless. “We don’t want to move a finger to the fingerprint sensor when we’re already looking at the device.” said Toby. EyeVerify is now authenticating at a speed of 500 milliseconds, and even on older processors — such as the Snapdragon 400 — the time is still only just over a second. Interestingly, the graphics processor inside a phone is actually more important than the CPU for EyeVerify, due to the heavy use of image processing. So besides selfies, Rush has the rise of 3D mobile games to thank for the hardware that enables his technology, too.
Nothing stored in the cloud means nothing to hack
There is something pleasingly sci-fi about having our eyes scanned for recognition, but what about the real-world security aspects of biometric authorization? For Eyeprint, there is only one option, and it’s not storing data in the cloud. “It’s never a matter of ‘if’, it’s only ‘when’,” said Toby, referring to data stores like this being hacked. “So we do all of our matching on the device.” To make sure there’s no chance of anything being transferred to the cloud accidentally, EyeVerify doesn’t sell any cloud server software at all.
While this may sound like the simple option, it’s not. “What we had to do is calculate a special security key from your eye, which is a two-step process. Step one is to match the biometric, and if they match at a high enough level, then you pass. We have to go beyond that for step two, and calculate a key that’s the equivalent of a 50-character complex password, which is used for authentication. It’s not just a true or false.” Imagine trying to remember a password of this length and complexity, on an everyday basis.
Should the password be compromised, all that’s needed is a quick reset and re-authentication, and a new key is created. No keys are ever sent from an EyeVerify-equipped device, even if a server-based app is asking for authentication, when a publicly-generated, one-time key is used. It was also a considerable challenge to come up with a way to generate the keys on the device, and not on a server. For data privacy’s sake, it was worth it.
New phones with eye-scanning tech out before the end of the year
Keeping our phones locked, and payment methods secure is only the start. Looking to the future, Toby sees our phones and any relevant wearable devices becoming tied to medical records and health data, for which a higher degree of security will be needed to authenticate when we visit healthcare practitioners. This, combined with increased reliance on our phones for financial and company information, makes reliable, super-secure biometrics even more important.
The more confidential data that’s stored on, or accessed using, a smartphone, the more comprehensive that security needs to become. EyeVerify is working on even more complex keys, and says a 100-character password created by using an Eyeprint ID eye scan — twice what it’s capable of producing now — is possible in the next six months or so.
The good news is, we’re not going to have to wait long for more phones to come out with EyeVerify’s eye print recognition installed either. Toby confirmed that the company is “working with 20 different smartphone manufacturers right now.” Four have already launched with EyeVerify’s technology — ZTE, Alcatel, Vivo, and Umi — and he expects another four before the end of 2015. Soon, look-to-unlock will be as normal and natural as using our finger for a scan, or to tap out a PIN code.
All because we can’t stop taking selfies.
