Identifying people by scanning the irises of their eyes may not be as reliable as some might think.

That’s according to new research suggesting that irises, rather than being stable over a lifetime, are susceptible to aging effects that steadily change their appearance over time.

With iris recognition now being used at border control in countries such as the United Arab Emirates and the United Kingdom, this has huge implications, says Kevin Bowyer, a professor of computer science at the University of Notre Dame in Indiana. At the very least, it could cause delays if people have to be scanned again. At worst, it implies that people might increasingly be able to evade detection when moving between countries.

Bowyer and his colleague Samuel Fenker, also at Notre Dame, used state-of-the-art, commercial iris-matching software to measure differences in the software's performance when comparing more than 20,000 different images of 644 irises, taken between 2008 and 2011. The authors compared the quality of a match between two images of the same iris recorded roughly a month apart with that of pairs of images taken one, two or three years apart. They found that the rate at which the system failed to match two images of the same iris — known as the false non-match rate — increased by 153% over the three years.

All iris-recognition systems have some margin of error, because there will always be slight differences between the original iris image — taken to create a digital template when people first enrol in iris-recognition schemes, for example — and those taken later to confirm a person's identity. If irises did not age, the false non-match rate would be expected to remain constant over time, but Bowyer says his results clearly show that this is not the case. “One iris biometric marketing claim has been that the iris allowed ‘a single enrolment for a lifetime’. This claim is now proven to be false,” he says.

The likelihood of software incorrectly matching two irises from different people is around 1 in 2 million (known as the false match rate). Bowyer’s results suggest that the false match rate for a system would increase to 2.5 in 2 million after three years had elapsed. Says Bowyer: “So although you might not really notice the problem after one year or two years, after five or ten years it can become a huge problem.”