Why Retina Scanning is Not the Future of Biometrics in Devices

Recently I was asked about biometrics and the potential shift that some people see, not just for fingerprint readers, but also iris and retina scanners in mobile devices.  Of course, this could easily extend to other devices but mobile is so big, and smartphone adoption continues to grow so quickly, that it is the most obvious entry point to consider when looking at the launch of new technologies.

I thought that the discussion raised some interesting points that were worth talking about here.

The spark for this was the rumours over the past two weeks surrounding the launch of Samsung's Galaxy Note 4 and this tweet from @SamsungExynos which featured an eye in front of a smartphone.  Obviously this may mean nothing but it was heavily speculated at the start of this year that the Galaxy S5 was going to feature a retina scanner to up-stage Apple's iPhone 5S and its fingerprint reader.

To my mind though, I don't see a lot of advantages to a retina scanner because the trade-off is too great.  Already we have facial recognition capabilities and fingerprint readers within our smart devices.

Facial recognition is a fairly simple addition since it doesn't require any new hardware.  I use it on some Android devices and I quite like it.  It's not foolproof, and bright light can confuse it and reduce the success rate (but that is what the back-up PIN is for, so no big deal).

Fingerprint reading does require an additional sensor to be incorporated but it is something that is a simple concept to end-users, one that they are familiar with.

Retina scanning though is a different proposition.  It is more exact and therefore could be more secure - but that brings with it an inherent cost.  It is a more complex solution and the camera sensor would need to be higher level, able to pick up the necessary detail that is required to differentiate between people's eyes.  Practical issues, such as lighting, accuracy, shake/vibration, etc. could all affect the reliability.  If retina scanning is not highly accurate and reliable then it is already beginning to compare badly to the alternatives.

It is a different proposal in terms of end-user acceptance, and to justify the added cost it would need to have some applications built-in that use it.  I could see some enterprise usage, e.g. secure log-in and other forms of user authentication, possibly financial services and government, but to ensure uptake in these sectors there would need to be a broad device portfolio supporting it.  Without this, any OEM would be targeting a reduced customer base.  IT managers and app developers want ubiquity so one device, or even a sole OEM, will not have the clout to push this through on their own.  Any standalone product with this capability will be regarded as niche.

As with any security solution, it is usually best to adopt a layered approach.  Currently, most applications can utilise one or a selection of options that have already been mentioned (to which voice recognition and even SMS/email verification can also be added).  Integrated retina scanning could be another (more secure) layer but I do not see it as the answer to everything.

So do I see it as a viable and necessary introduction?  No, I don't.  It would be a differentiator and certainly a novelty but I think it will struggle to gain critical mass and ubiquity for the above reasons and also because at some stage end-users will become more aware of the personal information that they are storing either on their device or remotely.  Is it safe?  Will anyone else steal their fingerprint or retina data, even if digitised and encrypted?  Probably not, but the fear factor will play a large part in acceptance, particularly without a key driver for its adoption.

As a result of all of these discussion points, I believe that any widescale adoption would be at least four years away from realisation, even within a single OEM's portfolio (at least one that has more than one or two devices).  I expect that most will likely look at integrated hardware components for security whilst utilising existing, lower cost and more widely supported user authentication techniques.