
    Can Contact Lenses Fool Iris Scans in Medical Devices?

    Can contact lenses fool iris scans? Learn how iris spoofing affects medical device cybersecurity, liveness detection, and FDA lifecycle expectations.


    By Christian Espinosa, MBA, CISSP

    Founder & CEO · Blue Goat Cyber

    Published: March 22, 2024 · Last reviewed: May 1, 2026

    Direct answer

    Textured or patterned contact lenses have been demonstrated to act as presentation attacks against some iris recognition systems, particularly older or poorly configured implementations. Modern iris recognition systems incorporate Presentation Attack Detection (PAD) mechanisms to detect and mitigate such spoofing attempts. For medical devices, the key is not whether spoofing is theoretically possible, but whether biometric authentication is implemented with layered controls, validated against adversarial scenarios, and governed throughout its lifecycle according to the FDA's cybersecurity expectations.

    Biometric authentication is increasingly used across healthcare environments - from facility access control to workstation login to connected medical device workflows.

    Iris recognition is often described as highly secure. But an important question remains:

    Can contact lenses fool iris scanners?

    Under certain conditions, textured or patterned contact lenses have been used as presentation attacks against some iris recognition implementations. The more important question for medical device manufacturers, however, is not whether spoofing is theoretically possible - but whether biometric authentication is implemented with sufficient controls, validation testing, and lifecycle governance.


    How Iris Recognition Systems Work

Iris recognition uses near-infrared imaging to capture the texture of a person’s iris. The iris region is segmented out of the image, its texture is encoded into a mathematical template (commonly a binary code), and that template is compared against the stored reference template during authentication; a match is declared when the distance between the two codes falls below a configured threshold.

    Core components typically include:

    • High-resolution image capture hardware
    • Feature extraction algorithms
    • Template matching engines
    • Presentation Attack Detection (PAD) mechanisms

When properly implemented, iris recognition offers low false acceptance and false rejection rates. However, like all authentication systems, its security depends on implementation details, configuration (including the match threshold, which trades false accepts against false rejects), and validation rigor.

    What Is a Presentation Attack?

    A presentation attack occurs when an attacker presents an artificial biometric artifact - such as a photograph, mask, or textured contact lens - to the sensor in an attempt to bypass authentication.

ISO/IEC 30107-3 specifies how Presentation Attack Detection systems are tested and how results are reported, including the attack presentation classification error rate (APCER) and bona fide presentation classification error rate (BPCER) in which a vendor's PAD performance claim should be expressed (ISO/IEC 30107-3).

    Research has demonstrated that patterned contact lenses can interfere with or spoof certain iris systems, particularly older or poorly configured implementations. Modern systems incorporate liveness detection controls designed to identify such artifacts.

    The takeaway is not that iris recognition is insecure. The takeaway is that biometric authentication requires layered defenses and adversarial validation testing.
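The two sections above describe the matcher and the PAD stage separately. The following illustration is added here and is not code from the article, from Blue Goat Cyber, or from any iris-recognition product: it shows a mask-aware Hamming-distance comparison of binary iris codes, a small rotation search of the kind matchers use to absorb head tilt, and a PAD gate placed ahead of the matcher so that a presentation scored as an artifact never reaches template comparison. Production systems use 2048-bit Gabor-phase codes; the 512-bit codes, the 0.32 decision threshold, the plus or minus 3-bit rotation search, the PAD score and the synthetic sample codes are all assumptions chosen so the arithmetic stays visible.

```python
"""Mask-aware iris-code matching with a PAD gate ahead of the matcher.

Illustration added for this article; it is not code from the article,
from Blue Goat Cyber, or from any iris-recognition product. Production
systems use 2048-bit Gabor-phase codes (Daugman); the 512-bit codes, the
0.32 decision threshold, the +/-3-bit rotation search and the PAD score
are assumptions chosen so the arithmetic stays visible.
"""
from __future__ import annotations

import random
from dataclasses import dataclass
from typing import Optional

CODE_BITS = 512
HD_THRESHOLD = 0.32   # assumed accept threshold on fractional Hamming distance
PAD_THRESHOLD = 0.5   # assumed minimum "bona fide" score to reach the matcher
MAX_SHIFT = 3         # assumed rotation tolerance (bits) for head tilt


@dataclass(frozen=True)
class IrisCode:
    bits: tuple   # phase bits encoding the iris texture
    mask: tuple   # 1 = usable bit, 0 = occluded by eyelid, lash or glare


def hamming_distance(a: IrisCode, b: IrisCode, shift: int = 0) -> float:
    """Fractional Hamming distance over bits valid in both codes, with b rotated by shift."""
    n = len(a.bits)
    mismatches = valid = 0
    for i in range(n):
        j = (i + shift) % n
        if a.mask[i] and b.mask[j]:
            valid += 1
            mismatches += a.bits[i] != b.bits[j]
    if valid == 0:
        raise ValueError("no comparable bits: capture too occluded to score")
    return mismatches / valid


def best_hamming_distance(probe: IrisCode, enrolled: IrisCode) -> float:
    """Minimum distance over a small rotation search, as matchers do to absorb head tilt."""
    return min(hamming_distance(probe, enrolled, s)
               for s in range(-MAX_SHIFT, MAX_SHIFT + 1))


@dataclass(frozen=True)
class Decision:
    accepted: bool
    reason: str
    hd: Optional[float]   # None when the sample never reached the matcher


def authenticate(probe: IrisCode, enrolled: IrisCode, pad_score: float) -> Decision:
    """PAD is evaluated first: a spoof that would match must never reach the
    matcher, and the audit record names the PAD rejection explicitly."""
    if pad_score < PAD_THRESHOLD:
        return Decision(False, "presentation_attack_suspected", None)
    hd = best_hamming_distance(probe, enrolled)
    if hd <= HD_THRESHOLD:
        return Decision(True, "match", hd)
    return Decision(False, "hd_above_threshold", hd)


# Constructed, synthetic codes: no real biometric data is involved.
def random_code(rng: random.Random, occluded: float = 0.10) -> IrisCode:
    bits = tuple(rng.randrange(2) for _ in range(CODE_BITS))
    mask = tuple(0 if rng.random() < occluded else 1 for _ in range(CODE_BITS))
    return IrisCode(bits, mask)


def recapture(code: IrisCode, rng: random.Random, flip: float = 0.08,
              occluded: float = 0.15) -> IrisCode:
    """Same eye, new capture: a few bits flip and a different region is occluded."""
    bits = tuple(b ^ int(rng.random() < flip) for b in code.bits)
    mask = tuple(0 if rng.random() < occluded else 1 for _ in range(CODE_BITS))
    return IrisCode(bits, mask)


def demo() -> dict:
    rng = random.Random(2024)
    enrolled = random_code(rng)
    genuine = recapture(enrolled, rng)
    impostor = random_code(rng)
    return {
        "genuine": authenticate(genuine, enrolled, pad_score=0.9),
        "impostor": authenticate(impostor, enrolled, pad_score=0.9),
        # A textured-lens presentation good enough to match on texture alone,
        # but scored as an artifact by the PAD stage: rejected before matching.
        "spoof": authenticate(genuine, enrolled, pad_score=0.2),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:9s} {decision}")
```

Two things in the example are worth carrying into a real design. Unrelated irises give codes whose bits agree about half the time, so an impostor lands near a distance of 0.5 while a fresh capture of the enrolled eye lands well below the threshold; the gap between those two populations, not the threshold alone, is what the false-accept and false-reject rates come from, and a rotation search narrows it slightly. And the "spoof" case is the one the article is about: the sample would have matched, but it never reached the matcher, and the reason recorded is the PAD verdict rather than a generic failure, which is what postmarket monitoring later needs to see.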

    Why This Matters in Medical Device Cybersecurity

    In regulated healthcare environments, biometric authentication may be used to control access to:

    • Medical device configuration interfaces
    • Drug dispensing systems
    • Clinical workstations
    • Remote monitoring portals
    • Patient identity verification systems

    If biometric authentication is bypassed, degraded, or improperly validated, the impact may include:

    • Unauthorized device reconfiguration
    • Improper dosage programming
    • Exposure of protected health information
    • Clinical workflow disruption
    • Availability degradation in critical systems

    Authentication weaknesses in medical devices are not just IT issues. They can affect safety, effectiveness, and regulatory compliance.

    Common Biometric Risk Blind Spots in MedTech

    1. Overreliance on Single-Factor Biometrics

    Biometrics should not replace layered authentication for high-impact actions. High-risk device functions should require multi-factor authentication where feasible.

    2. Inadequate Spoofing Validation

    Many verification efforts confirm that authentication works under normal conditions but do not evaluate adversarial presentation attack scenarios.

    3. Weak Template Protection

    Biometric templates must be securely stored, ideally in hardware-backed secure elements, and protected against extraction, replay, or substitution.

    4. Insufficient Monitoring

    Repeated failed authentication attempts, abnormal usage patterns, or configuration anomalies should trigger investigation.

    Biometric Authentication Under FDA Cybersecurity Expectations

    FDA cybersecurity guidance emphasizes lifecycle integration of security controls through a Secure Product Development Framework (SPDF).

    Manufacturers using biometric authentication should be prepared to demonstrate:

    • Threat modeling that includes spoofing and presentation attack scenarios
    • Verification and validation of PAD/liveness detection controls
    • Secure storage of biometric templates
    • Fallback authentication mechanisms
    • Postmarket monitoring and vulnerability response planning

    See also: Embedded Cybersecurity Challenges in Medical Devices, IVD Medical Device Cybersecurity Concerns, and MedTech Augmented Reality Cybersecurity.

    See FDA’s cybersecurity guidance here: Cybersecurity in Medical Devices (Premarket + QMS Considerations).

    Alignment with lifecycle frameworks such as NIST SP 800-218 (Secure Software Development Framework) supports structured implementation and documentation of authentication controls.

    Threat Modeling Iris Spoofing in Medical Devices

    Effective threat modeling moves beyond “can someone spoof this?” and asks:

    • What functions become accessible if authentication is bypassed?
    • Is the attacker remote or local?
    • Is authenticated misuse possible?
    • Are biometric failures logged and reviewed?
    • Is there a compensating control if biometrics fail?

    This capability-based approach strengthens both engineering decisions and regulatory documentation.

    Postmarket Considerations

    Security does not end at submission.

    Manufacturers should integrate biometric authentication monitoring into postmarket processes, including:

    • Vulnerability intake channels
    • Coordinated disclosure processes
    • Telemetry review and anomaly detection
    • Patch and remediation planning

    Biometric vulnerabilities, if discovered post-release, must be evaluated through structured risk assessment processes under ISO 14971.

    A Safer Model for Biometric Use in Regulated Systems

    When using iris recognition or other biometrics in medical devices, consider:

    • Multi-factor authentication for high-risk functions
    • Hardware-backed secure template storage
    • Rate limiting and lockout controls
    • Continuous anomaly monitoring
    • Documented adversarial testing procedures

    Biometrics can improve usability and workflow efficiency. They should not become a single point of failure.
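The monitoring blind spot under "Insufficient Monitoring" and the rate limiting, lockout, anomaly monitoring and multi-factor items in the list above all come down to logic that runs on the authentication events the device already produces. The following illustration is added here and is not code from the article, from Blue Goat Cyber, or from any device: it parses a handful of constructed authentication events, locks a user out after repeated failures inside a sliding window, raises a per-terminal alert when PAD rejections cluster (tracked per terminal rather than per user, since an attacker can cycle through identities), and applies a step-up policy that requires two distinct factor categories for high-risk functions. The log format, the factor and action names, the thresholds and the window and lockout durations are assumptions.

```python
"""Lockout, per-terminal PAD anomaly flags and step-up policy over auth events.

Illustration added for this article; not code from the article, from Blue
Goat Cyber, or from any device. The log format, thresholds, window and
lockout durations are assumptions chosen for the example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, not real device telemetry. A burst of PAD
# rejections at one terminal followed by an accept is the pattern to catch.
SAMPLE_LOG = """\
2026-05-01T08:00:01Z term=pump-07 user=u123 result=reject reason=presentation_attack_suspected
2026-05-01T08:00:09Z term=pump-07 user=u123 result=reject reason=presentation_attack_suspected
2026-05-01T08:00:20Z term=pump-07 user=u123 result=reject reason=presentation_attack_suspected
2026-05-01T08:00:31Z term=pump-07 user=u123 result=reject reason=hd_above_threshold
2026-05-01T08:00:40Z term=pump-07 user=u123 result=accept reason=match
2026-05-01T08:05:00Z term=ws-02 user=u555 result=reject reason=hd_above_threshold
2026-05-01T08:30:00Z term=ws-02 user=u555 result=accept reason=match
"""


def parse_event(line: str) -> dict:
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


class AuthMonitor:
    def __init__(self, window=timedelta(minutes=5), lockout=timedelta(minutes=15),
                 max_failures=3, pad_alert_count=2):
        self.window, self.lockout = window, lockout
        self.max_failures, self.pad_alert_count = max_failures, pad_alert_count
        self.failures = defaultdict(deque)      # user -> recent failure times
        self.pad_rejects = defaultdict(deque)   # terminal -> recent PAD rejections
        self.locked_until = {}                  # user -> lockout expiry
        self.alerts = []                        # (time, subject, kind)

    def _prune(self, dq, now):
        while dq and now - dq[0] > self.window:
            dq.popleft()

    def process(self, ev: dict) -> str:
        now, user, term = ev["ts"], ev["user"], ev["term"]
        # Lockout is checked before the matcher's verdict: an accept after a
        # burst of failures is exactly the event a lockout exists to stop.
        if now < self.locked_until.get(user, datetime.min):
            return "denied_locked_out"
        if ev["result"] == "accept":
            self.failures[user].clear()
            return "accepted"
        fails = self.failures[user]
        fails.append(now)
        self._prune(fails, now)
        if ev["reason"] == "presentation_attack_suspected":
            pads = self.pad_rejects[term]
            pads.append(now)
            self._prune(pads, now)
            # Tracked per terminal, not per user: an attacker may cycle identities.
            if len(pads) == self.pad_alert_count:
                self.alerts.append((now, term, "possible_presentation_attack"))
        if len(fails) >= self.max_failures:
            self.locked_until[user] = now + self.lockout
            self.alerts.append((now, user, "lockout"))
            return "locked_out"
        return "rejected"


def run(log: str) -> tuple:
    monitor = AuthMonitor()
    outcomes = [monitor.process(parse_event(line))
                for line in log.splitlines() if line.strip()]
    return outcomes, monitor.alerts


# Step-up policy: high-risk functions need two distinct factor categories,
# so a biometric alone never authorizes them.
FACTOR_CATEGORY = {"iris": "inherence", "badge": "possession", "pin": "knowledge"}
HIGH_RISK_ACTIONS = {"program_dose", "change_config", "firmware_update"}


def authorize(action: str, factors: set) -> bool:
    categories = {FACTOR_CATEGORY[f] for f in factors}
    return len(categories) >= (2 if action in HIGH_RISK_ACTIONS else 1)


if __name__ == "__main__":
    outcomes, alerts = run(SAMPLE_LOG)
    print(outcomes)
    for alert in alerts:
        print(alert)
    print(authorize("program_dose", {"iris"}), authorize("program_dose", {"iris", "badge"}))
```

On the constructed events, the fifth line is the instructive one: the matcher accepted the sample, but the user had already been locked out by the three PAD rejections before it, so the accept is denied and the terminal has a "possible_presentation_attack" alert waiting for review. The lockout check runs before the matcher's verdict is consulted for that reason. The step-up policy is deliberately expressed in factor categories rather than factor names so that two factors of the same kind do not satisfy a high-risk function.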

    Key Takeaways

    • Textured contact lenses have been used in presentation attacks against some iris recognition systems.
    • Modern Presentation Attack Detection (PAD) significantly reduces spoofing risk.
    • Biometric authentication in medical devices must be threat-modeled and validated.
    • FDA expectations require documented lifecycle cybersecurity controls.
    • Layered authentication and monitoring are critical in regulated environments.


    How Blue Goat approaches this

Blue Goat Cyber's medical device practice is led by engineers with CISSP, OSCP, and prior military red-team backgrounds. We treat cybersecurity documentation as design-controlled engineering output, not a submission template: every artifact (threat model, SBOM, security risk assessment, penetration test, labeling) traces back to a controlled requirement and a verified result.

    Our engagements deliver the full Feb 3, 2026 guidance documentation set scoped to the device's risk profile, integrated with the existing IEC 62304 software lifecycle and ISO 14971 risk file. See our medical device cybersecurity services for the full scope. If the FDA raises cybersecurity deficiencies after our submission, we resolve them at no additional cost.

    FAQ

    Can contact lenses really fool iris scanners?

    In certain implementations, textured lenses have interfered with iris recognition systems. Modern systems mitigate this risk using Presentation Attack Detection (PAD).

    Are iris scans secure enough for medical devices?

    Yes, when implemented with layered controls, adversarial validation testing, and lifecycle governance.

    Does FDA specifically regulate biometric authentication?

    FDA regulates cybersecurity risk management broadly. Biometric controls must be included in threat modeling, verification evidence, and postmarket processes.

    Should biometrics replace passwords in medical systems?

    Biometrics can enhance usability but should not replace layered authentication for high-impact or safety-critical actions.

    Need Help Evaluating Biometric Security Controls?

    If your device uses biometric authentication, validating spoofing resistance, authentication architecture, and lifecycle documentation can reduce regulatory and operational risk.

    Book a Discovery Session

    About the author

    Christian Espinosa, CISSP, Founder, Blue Goat Cyber. Christian leads a team focused exclusively on medical device cybersecurity for FDA premarket submissions and postmarket compliance. Read more about Christian.

    Sources & references

Primary sources cited in this article.

1. ISO/IEC 30107-3 - ISO
2. Cybersecurity in Medical Devices (Premarket + QMS Considerations) - U.S. FDA
3. NIST SP 800-218 (Secure Software Development Framework) - NIST