Iris Liveness Detection using a Cascade of Dedicated Deep Learning Networks

Iris pattern recognition has significantly improved the biometric authentication field due to its high stability and uniqueness. Such physical characteristics have played an essential role in security and other related areas. However, presentation attacks, also known as spoofing techniques, can bypass biometric authentication systems using artefacts such as printed images, artificial eyes, textured contact lenses, etc. Many liveness detection methods that improve the security of these systems have been proposed. The first International Iris Liveness Detection competition, where the effectiveness of liveness detection methods is evaluated, was first launched in 2013, and its latest iteration was held in 2020. This paper proposes a serial architecture based on a MobileNetV2 modification, trained from scratch to classify bona fide iris images versus presentation attack images. The bona fide class consists of live iris images, whereas the attack presentation instrument classes are comprised of cadaver, printed, and contact lenses images, for a total of four scenarios. All the images were pre-processed and weighted per class to present a fair evaluation. This proposal won the LivDet-Iris 2020 competition using two-class scenarios. Additionally, we present new three-class and four-class scenarios that further improve the competition results. This approach is primarily focused in detecting the bona fide class over improving the detection of presentation attack instruments. For the two, three, and four classes scenarios, an Equal Error Rate (EER) of 4.04\%, 0.33\%, and 4,53\% was obtained respectively. Overall, the best serial model proposed, using three scenarios, reached an ERR of 0.33\% with an Attack Presentation Classification Error Rate (APCER) of 0.0100 and a Bona Fide Classification Error Rate (BPCER) of 0.000. This work outperforms the LivDet-Iris 2020 competition results.


I. INTRODUCTION
I Ris recognition systems has been shown to be robust over time, affordable, non-invasive, and touchless; these strengths will allow it to grow in the market in the coming years. Iris recognition systems are usually based on nearinfrared (NIR) lighting and sensors, and have been shown to be susceptible to Presentation Attack Instruments (PAI) [1], where PAI refers to a biometric characteristic or object used in a presentation attack. Presentation Attack Detection (PAD) refers to the ability of a biometric system to recognize PAIs, that would otherwise fool the system into recognizing an illegitimate user as a genuine one, by means of presenting a synthetic forged version of the original biometric trait to the capture device. The biometric community, including researchers and vendors, have thrown themselves into the challenging task of proposing and developing efficient protection mechanisms against this threat [2]. PAD methods have been suggested as a solution to this vulnerability. Attacks are not restricted to merely theoretical or academic scenarios anymore, as they are starting to be carried out against real-life operations. One example is the hacking of Samsung Galaxy S8 devices with the iris unlock system, using a regular printer and a contact lens. This case has been reported to the public from hacking groups attempting to get recognition for real criminal cases, including from live biometric demonstrations at conferences 1 .
An ideal PAD technique should be able to detect all of these attacks, along with any new or unknown PAI that may be developed in the future [3].
In order to improve PAD methods, a few competitions and databases have been created, such as the LiveDet-Iris 2 . The goal of the Liveness Detection Competition (LivDet-Iris) is to compare biometric liveness detection methodologies, using a standardized testing protocol and large quantities of attack presentation (spoofed) and bona fide presentation samples. This competition has shown that there are still challenges for the detection of iris presentation attacks, mainly when unknown materials or capture devices are used to generate the attacks [4]. The results show that even with latest advances in presentation attacks, printed iris PAIs, as well as patterned contact lenses PAIs, are still difficult for softwarebased systems to detect according with the quality of the images. In LiveDet2017 [5], Printed iris images were easier to be differentiated from live images in comparison to patterned contact lenses, as it was also shown in the previous competitions. Some properties of the samples (images) are unknown during training, making the challenge a difficult task, as the winning algorithm did not recognize from 11% to 38% of the attack images, depending on the database. Therefore, the PAD techniques are still an open challenge in NIR, and it has been even less explored in VIS periocular images and multiple capture devices.
The results from the LiveDet2020 [4] competition indicate that iris PAD is still far from a fully solved research problem. Large differences in accuracy among baseline algorithms, , and not to contribute to system's False Alarm Rate), and capture as many attacks as possible.
One of the main challenges to improve PAD systems is the quantity and quality of the data available. Printed images are easy to reproduce with different kinds of paper. Conversely, post-morten images [6], and PAIs such as contact lenses, cosmetic lenses, plastic lenses, all sourced from different brands, are hard to get. Therefore a subject-disjoint dataset containing different iris patterns is difficult to achieve. Alternatively, these datasets can be synthetically created using Deep Learning techniques.
Some relevant techniques, such as morphing [7] and Generative Adversarial Network (GAN) [8], can create very realistic images of faces. It is believed that such algorithms can develop synthetic iris images (NIR/VIS) of several PAIs in order to create challenging databases that can help improving the robustness of PAD systems [9].
In this work, a serial, two-stage architecture for classification of bona fide, presentation attack, high-quality printed, and digitally displayed images of LiveDet-2020, plus three complementary databases were explored using deep learning techniques. See Figure 1. The main contributions of this work can be summarized a follows: • Architecture: A serial, two-stage architecture is proposed. This consists of a modified MobileNetV2 model ("Mo-bileNetv2a"), trained from scratch, which is utilized to differentiate between bona fide presentation and presentation attack. A second MobileNet named "MobileNetv2b", trained from scratch for four scenarios, which is then used to detect printed/contact-lenses/cadaver impostor attacks by identifying the physical source of the images. See Figure 1. • Network inputs: A strong set of experiments of serial and parallel structures of DNNs was evaluated with two, three, and four classes, using NIR images. Bona fide versus contact lenses, print-out, cadavers, electronics and prosthetic displays were used as input to the network. Also, separate and exhaustive experiments were realized using one of these four types of input, and the results were analyzed. • Weights: Balanced class weights were used in order to correctly represent the number of images per class. Most of the spoofing databases are unbalanced according to PA scenarios. Weighted classes help to balance the dataset and to get realistic results. • Database: This paper presents two new databases, one database to increase the number of bona fide images (10,000), and a second database to increase the number of printed PAIs with high-quality images (1,800). Both databases will be available to other researchers upon request, for research purposes only (See Section III).
• Data-Augmentation (DA): An aggressive DA technique to train the modified MobileNetV2a and MobileNetV2b networks was used. These images allow the network more challenging scenarios considering blurring, Gaussian noise, coarse occlusion, zoom, and others. • Winning method: Focused on the correct classification of bona fide images instead of the identification of several PAIs, the serial approach presented in this work reached first place in the LiveDet-2020 competition. Furthermore, the current proposal with three and fourth classes outperforms our results presented in the competition, featuring more challenging scenarios. • Not self-reported: The two-stage algorithm presented in this paper was evaluated by the organizers of the competition in an independent test on unknown data; the test data was not available for the participants.

II. RELATED WORK
Zou et al. [9] have presented a novel algorithm, 4DCycle-GAN, for expanding spoofed iris image databases, by synthesizing artificial iris images wearing textured contact lenses. The proposed 4DCycle-GAN follows the Cycle Consistent Adversarial Networks (Cycle-GAN) framework, which translates between one kind of image (bona fide iris images) to another kind (textured contact lenses iris images). Despite the improvements on Conditional Generative Adversial Networks, there are still some open problems that limit its application for image generation. Therefore, the method helps to create and increase the number of images based on conditional GANs while preserving the information in the images of each PAIs in the NIR spectrum.
Hu et al. [10] investigated the use of regional features in iris PAD (RegionalPAD). Features are extracted from local neighborhoods, based on spatial pyramid (multi-level resolution) and relational measures (convolution on features with variablesize kernels). Several feature extractors, such as Local Binary Patterns (LBP) [11], Local Phase Quantization (LPQ) [12], and intensity correlogram are examined. They used a three-scale LBP-based feature, since it achieves the best performance, as pointed out by the original authors.
Gragnaniello et al. [13] proposes that the sclera region also contains important information about iris liveness (SIDPAD). Hence, the authors extract features from both the iris and sclera regions. The two regions are first segmented, and scaleinvariant local descriptors (SID) are applied. A bag-of-feature method is then used to accumulate the features. A linear Support Vector Machine (SVM) is used to perform final prediction. Also, in [14], domain-specific knowledge of iris PAD is incorporated into the design of their model (DACNN). With the domain knowledge, a compact network architecture is obtained, and regularization terms are added to the loss function to enforce high-pass/low-pass behavior. The authors demonstrate that the method can detect both face and iris presentation attacks.
SpoofNets [15] are based on GoogleNet, and consist of four convolutional layers and one inception module. The inception module is composed by layers of convolutional filters of dimension 1×1, 3×3, and 5×5, executed in parallel. It has the advantage of reducing the complexity and improving the efficiency of the architecture, once the filters of dimension 1×1 help reduce the number of features before executing layers of convolution with filters of higher dimensions.
Boyd et al. [16] chose the ResNet50 architecture as a backbone to explore whether iris-specific feature extractors perform better than models trained for non-iris tasks. They demonstrated three types of networks: off-the-shelf networks, fine-tuned, and networks trained from scratch, with five different sets of weights for iris recognition. They concluded that fine-tuning an existing network to the specific iris domain performed better than training from scratch.
Yadav et al. [17], a combination of handcrafted and deeplearning-based features was used for iris PAD. They fused multi-level Haralick features with VGG16 features to encode the iris textural patterns. The VGG16 features were extracted from the last fully connected layer, with a size of 4,096, and then reduced to dimensional vector by Principal Component Analysis (PCA).
Nguyen et al. [18] proposed a PAD method by combining features extracted from local and global iris regions. First, they trained multiple VGG19 [19] networks from scratch for different iris regions. Then, the features were separately extracted from the last fully connected layer, before the classification layer of the trained models. The experimental results showed that the PAD performance was improved by fusing the features based on both feature-level and score-level fusion rules.
Kuehlkamp et al. [20] propose an approach for combining two techniques for iris PAD: CNNs and Ensemble Learning. Extensive experimentation was conducted using the most challenging datasets publicly available. The experiments included cross-sensor and cross-dataset evaluations. Results show a varying ability for different BSIF+CNN representations to capture different aspects of the input images. This method outperform the results presented in the LivDet-Iris 2017 competition.
Our approach, presented in the LivDet-Iris 2020 competition, reached the first place with an the Average Classification Error Rate (ACER) of 29.78%. This method achieved also the lowest Bona Fide Classification Error Rate (BPCER) of 0.46% out of all nine algorithms in the three categories. This paper show the relevance of focusing mainly in the bona fide images as a "first-filter". However, a broad space for improvement was detected in the identification of the PAIs scenarios, specially in cadaver and printed iris images. An Attack Presentation Classification Error Rate (APCER) of 9.87% was reached for the electronic display PAI, which is lower than all competing algorithms (53.08% and 83.95%) by a large margin.
Based on previous results, this current paper proposes a new framework to improve the PAIs performance per scenarios in order to get a strong PAD method.
The rest of the article is organized as follows: Section II summarizes the related works on Presentation Attack Detection. The ISO metrics are explained in Section IV. The database description is explained in Section III. The experimental framework is then presented in Section V, and the results are discussed in Section VI. We conclude the article in Section VII.
III. DATABASES For this work, the LivDet-Iris 2020 competition database was used. In addition, three sets of complementary databases of iris images were also utilized. First, a database of NIR bonafide images, captured using an Iritech TD100 iris sensor with a resolution of 640×480 pixels, called "Iris-CL1". A second database, called "iris-printed-CL1", containing highquality presentation attack images of printed PAIs was created. The goal of this database is to increase the challenge of the printed irises scenario, due to the noticeable visible patterns in the printed images from the LivDet-Iris 2020 database, which makes them trivial to distinguish from bona fide images. See Figure 2. The iris-printed-CL1 database contains 1,800 images captured with two smartphone devices (900 images each one): a Nokia 9 PureView device, with an image resolution of 1280×957 pixels, and a Motorola Moto G4 Play device, with an image resolution of 1280×960 pixels. Only the red channel was used. These new datasets will be available to others researchers upon request. Figure 2 present new images of printed scenarios.
The third database is the Warsaw-BioBase-Post-Mortem-Iris v3.0 database [6]. This database contains a total of 1,094 NIR images (collected with an IriShield M2120U), and 785 visiblelight images (obtained with Olympus TG-3), collected from 42 post-mortem subjects. This database was not fully available for the competition.
The LivDet-Iris 2020 database included five different PAIs, each with a different level of challenge: printed eyes, textured contact lens, electronic display, fake/prosthetic eyes, and printed with add-ons, and a small number of cadaver eyes. The printed image dataset is of a very low resolution. No specific training dataset was prepared for the competition. A total of 11,918 images were made available.
The competition was different from previous editions in regards to the training dataset. the participants were encouraged to use all the data available to them (both publicly available and proprietary) to make their solutions as effective and robust as possible. The entirety of previous LivDet-Iris benchmarks were also made publicly available [21], [22], [5]. Additionally, the competition organizers shared five examples of each PAI (samples which were not used later in evaluations) to help the competitors familiarize themselves with the test data format (pixel resolution, bits per pixel used to code the intensity, etc.). Table I shows a summary of the all databases available for training in LivDet-Iris 2020. The datasets of presentation attack instruments (PAIs) were specifically created for the development of PAD methods. With the evolving of PAIs, the datasets include new challenges. A detailed technical summary of the available datasets can be found in [16], [23].  Table II shows a summary of all datasets available from LivDet-Iris 2020, plus Cadaver images, iris-CL1, and irisprinted-CL2. The new total count of images available is 27,964. This is more than two times the number of images shown in Table I.

A. Unknown Scenarios
An unknown state-of-the-art dataset of spoofed images was used to measure the performance of our proposal [24]. This dataset includes 900 images of textured contact lenses produced by Cooper and J&J (i.e. not represented in the training set of LivDet-Iris 2020) and 900 images of authentic irises. It has been shown that PAD methods do not generalize well to a brand of textured contact lenses not seen in the training data, thus the unknown dataset of spoofed images is used in the context of cross-dataset testing [24].

B. Data Augmentation
An aggressive data augmentation (DA) method was applied when training the modified MobileNetV2 networks. All the images were normalized using a histogram equalization algorithm, and then weighted. A large number of images, with several operations such as affine transformations, perspective transformations, contrast changes, Gaussian noise, random dropout of image regions, hue/saturation changes, cropping/padding, and blurring were included in the train dataset. These DA operations are based on the imgaug library [25], which is optimized for high performance. This improves the quality of the training results by using very challenging images. Examples of some augmented images are shown in Figure 3.

IV. METRICS
The ISO /IEC 30107-3 standard 3 presents methodologies for the evaluation of the performance of PAD algorithms for biometric systems. The APCER metric measures the proportion of attack presentations-for each different PAIincorrectly classified as bona fide (genuine) presentations. This metric is calculated for each PAI, where ultimately the worstcase scenario is considered. Equation 1 details how to compute the APCER metric, in which the value of N P AIS corresponds to the number of attack presentation images, where RES i for the ith image is 1 if the algorithm classifies it as an attack presentation (spoofed image), or 0 if it is classified as a bona fide presentation (real image) [26].  Additionally, the BPCER metric measures the proportion of bona fide (live images) presentations mistakenly classified as attacks presentations to the biometric algorithm, or the ratio between false rejection to total genuine attempts. The BPCER metric is formulated according to equation 2, where N BF corresponds to the number of bona fide (live) presentation images, and RES i takes identical values of those of the APCER metric.
These metrics effectively measure to what degree the algorithm confuses presentations of spoofed images with real images, and vice versa. Furthermore, the Average Classification Error Rate (ACER) is also used. This is computed by averaging the APCER and BPCER metrics, as shown in equation 3. This evaluates the overall system performance.
Note that ACER has been deprecated in ISO/IEC 30.107-3. Only for the purpose of comparing with the state of the art, the ACER was computed.
A Detection Error Trade-off (DET) curve is also reported for all the experiments. In the DET curve, the Equal Error Rate (EER) value represents the trade-off when the APCER is equal to the BPCER. Values in this curve are presented as percentages.

V. METHODOLOGY
In this section, we introduce our baseline by utilizing a finetuned network, and a new network trained from scratch. Then, the detailed description of the used convolutional layers is presented.

A. Networks
MobileNet [27] is based on a streamlined architecture to build lightweight deep neural networks. This allows for usage in environments with limited resources, such as mobile applications, while achieving with state-of-the-art performance for tasks such as classification. A modified MobileNet was used to detect live and spoofed images.
For this work, ImageNet [28] weights were initially used for transfer learning. However, the results of fine-tuning the network would worsen proportionally to the amount of layers that were frozen. Therefore training the networks from scratch resulted in a better classification performance overall. This is explained in more detail in Section VI In addition, two different network architectures are used in this work: MobileNetV2a and a modified MobileNetV2b. Mo-bileNetV2a was trained from scratch, based on bona fide and fake scenarios only, whereas MobileNetV2b was introduced based on live, patterned contact lenses, printed, and cadaver scenarios.

B. Image Pre-processing
All the images in the database were pre-processed using an adaptive histogram algorithm to improve the gray-scale intensity. Later, a weighted factor per each class was applied. Also, a higher number of filters was applied, using MobileNetV2 alpha parameter, from the standard 1.0 up to 1.4. Both methods are leveraged to create a two-stage classifier that can detect bona fide and spoofing scenarios. All the images were resized to 224×224 and 448×448 according to the experiments.

C. Contrast Limited Adaptive Histogram Equalization (CLAHE)
In order to improve the quality of the images and highlight texture-related features, the CLAHE algorithm was applied. This algorithm divides an input image into an M×N grid. Afterwards, it applies equalization to each cell in the grid, enhancing global contrast and definition in the output image. All the images were divided in 8×8 sized cells.

E. Alpha Values
The number of parameters and number of multiply-adds can be modified by using the alpha parameter, which increases/decreases the number of filters in each layer of the MobileNet network. By altering the image size and alpha parameter. This alpha value is known as the width multiplier in the original MobileNet implementation: • If alpha = 1.0, the default number of filters from the original MobileNet paper are used at each layer. • If alpha < 1.0, proportionally decreases the number of filters in each layer. • If alpha > 1.0, proportionally increases the number of filters in each layer.

VI. EXPERIMENT AND RESULTS
The approach presented in this work takes into account the variability of the PA images, and the number of images per class. These images present a problem for the classifier because the PAIs are not equally represented (for instance only five images of cadaver eyes were available for LivDet-Iris 2020). Considering this imbalance, our strategy is primarily focused on classifying bona fide images with high precision first, and attack presentation images second. Therefore, our first approach was training a network with only two classes. Then, a second network was trained from scratch with three and four classes, increasing the number of filters (alpha 1.4) and weighting each class according to the numbers of images per scenario. To study these limitations and improve performance for these aforementioned scenarios, five experiments were developed in order to analyze the best hyperparameter configuration of MobileNetV2. A combination of serial and parallel DNNs was used, trained from scratch. A grid search was used to determine the learning rate, number of epochs, global pooling operation, alpha value, and input size of images. All the experiments employ the CLAHE algorithm and the class weight balancing operation. All the networks were trained with a limit of 200 epochs, using an early stopping method in case the measured performance would stop improving. The image input sizes utilized were 224×224 and 448×448 pixels. All the experiments used the same number of images.

A. Experiment 1
A traditional MobileNetv2 network was used, trained with fine-tunning techniques. Several tests were performed, sequentially freezing an additional MobileNetV2 block in each one, from the bottom of the network to the top. For this experiment the images were grouped in two classes: Live and Fake. The Fake dataset considers the images all PAIs: Contact Lenses (CL), Printout (Pr), Electronic displays (EDs), Prostetic Display (PD) and Cadaver Eyes (CE).

B. Experiment 2
A modified MobileNetv2a network was trained from scratch. For this experiment, the images were again grouped in two classes: BP (Bona fide presentations) and AP (Attack presentation with various PAI). The AP dataset is comprised of all PAI classes: Contact Lenses (CL), Printout (Pr), Electronic displays (EDs), Prostetic Display (PD) and Cadaver Eyes (CE).

C. Experiment 3
For this experiment, a modified MobileNetv2b network was trained from scratch. The images were grouped in three classes this time: Bona fide, Contact lenses (patterned) and Printouts.

D. Experiment 4
A modified MobileNetv2b network were trained from scratch. The images in this experiment were grouped into four classes: Bona fide, Contact lenses, Printouts, and Cadaver.

E. Experiment 5
This experiment evaluated the feasibility of our two-stage proposed method, trained with two classes, to detect unknown attacks presentations over traditional PAI species. In particular, we tackle the challenging scenario where the PAI species remain unknown, and is not part of the PAD algorithm training set. For this experiment, we used the unknown test dataset available from the UND database [24].

F. Results
In this section, we report the best results for each experiment. Adam optimization performed better than SGD and RMSprop. The best initial learning rate was 1 × 10 −5 . Global max pooling performs better than global average pooling. An alpha value of 1.0 performed better with two class scenarios, with an input image size of 224×224, whereas an alpha value of 1.4 with an input image size of 448 × 448 performed better for three and four class scenarios. Table III shows an overview of the results for two class scenarios trained with fine-tuning, and two, three, and four class scenarios trained from scratch. Rows 3 to 7 show the fine-tuning results. Only the results for layers 10, 19, and 28 are included, due to the degradation in performance that was proportional to the amount of bottom layers from the network that were frozen. We infer this is probably because the pretrained ImageNet [28] weights were not trained using images of spoof NIR eyes, or anything similar. Overall, for finetuning, the best results were obtained when freezing only the first MobileNetV2 block (T2212), using Adam optimization, resulting in an APCER of 4.29%, and a BPCER of 3.69%. Figure 4 shows the best result for two class scenarios, trained from scratch. This allows us to focus on identifying BP images versus AP (fake) images. In this figure, a confusion matrix considering these two classes is shown. Additionally, a Detection Error Trade-off (DET) curve is presented. Several approaches were tested, where the best result reaches an EER of only 3.43% (green curve), using an alpha value of 1.4, an initial learning rate of 1 × 10 −5 , and the Adam optimization algorithm. Figure 5 shows the best result for three class scenarios: PA, BP, and Contact Lenses. In this figure, a confusion matrix considering these three classes is shown. Furthermore, a Trade-off (DET) curve is also shown. The best result reaches an EER of only 0.30% (orange curve), using an alpha value of 1.4, an initial learning rate of 1 × 10 −5 , and the Adam optimization algorithm. Figure 6 shows the best result for four class scenarios: BP, Printed, Contact lenses, and Cadaver. Likewise, two confusion matrices, one showing four classes, and the other grouping all PAIs under the "impostor" class, are presented. A Detection Error Trade-off (DET) curve is also shown. The best result for this experiment reaches an EER of only 4.48% (green curve), using an alpha value of 1.4, an initial learning rate of 1×10 −5 , and the Adam optimization algorithm. Figure 7 shows the performance for each PAI for four class scenarios: BP, Printed, Contact lenses, and Cadaver. The best result corresponds to the printed PAI, with a EER of only 0.72% (green curve), whereas the worse PAI performance was for patterned contact lenses (ERR of 4.48%) followed by the cadaver PAI (ERR of 3.88%). Figure 8 shows the performance for unknown species form the UND Database [24]. Our proposal was evaluated with a challenging pattern contact lenses scenario. To that end, eight experiments, according to experiment 1, were evaluated. The leave-one-out protocol was applied, using all of the models of experiment 1, and evaluated with experiment 5. The Equal Error Rates reached are in the range of 2.11% to 12.33%. The best results show the robustness of our method to unknown scenarios. Table IV shows a comparison with the state-of-the-art methods. Our proposal improve the results of the LivDet-Iris 2020 Competition.       Figure 9 shows two Kernel Density Estimation (KDE) plots, in linear and logarithmic scale for the ordinate respectively (the abscissa is shown in linear scale for both), for the best two-classes model (T2057) according to Figure 4, with a EER of 0.30%.

VII. CONCLUSION
Existing studies in the iris presentation attack detection literature are based on the assumption that the system encounters a specific iris presentation attack. However, this may not be the case in real-world scenarios, where the iris recognition system may have to handle multiple kinds of presentation attacks, including unknown scenarios. To address this challenge, we propose a framework focused on detecting live images, which means optimizing the models for a lower BPCER score. For this approach, we developed the largest iris presentation attack database by combining several other databases. This database are also available to other researchers by requests.
Our suggested networks, when trained from scratch, allow us to improve the results of the LivDet-Iris 2020 competition by using more challenging PAIs. When using fine tuning, model performance worsens in proportion to the amount of layers from the network that were frozen. Nonetheless, results using fine tuning are competitive with the literature.
According to our results, an image input size of 224 × 224 is enough for the successful classification of bona fide images. However, for presentation attack instruments, the results were improved when using an image input size of 448 × 448. This shows that the extra detail from higher resolution images contain relevant features for PAIs classification.
Overall the best result reached was with three scenarios, obtaining an APCER 1.00%, a BPCER of 0.00%, and an ACER of 0.50%. These results were obtained using a threshold value of 0.5; for other use cases-for example, biometric verification systems in banking-a more strict operating point could be used, obtaining a lower APCER but higher BPCER. The best model proposed with three classes reached an EER of 0.33%. This work outperforms the LivDet-Iris 2020 competition results, serving as the latest evaluation of iris PAD on a large spectrum of presentation attack instruments.