The auditors attempted to validate claims related to how the “iris code” is handled and communicated to the backend. They report that “we believe the iris code is not written to persistent storage on the Orb and that it is included only in a single request to the Orb’s back end,” and that “[w]hile this configuration can be improved to make it more secure (TOB-ORB-10), it should not be possible for typical attackers to extract the iris code from the Orb’s network traffic; the attacker would have to be in control of one of the trusted certificates.”