Reducing Shoulder-surfing by Using Gaze-based Password Entry

July 19, 2007 by Richard Conlan

http://cups.cs.cmu.edu/soups/2007/proceedings/p13_kumar.pdf

Passwords are generally entered through a keyboard, mouse, touch screen, or keypad. All of these are subject to shoulder surfing. The paper proposes a gaze-based entry method, so the user never has to type the password on a keypad, which avoids shoulder surfing and possibly keystroke logging as well.

Most approaches to combating shoulder surfing add noise or ambiguity for the observer, but this typically also increases the number of interactions the user has to go through, the cognitive load, and the time it takes to log in. Simpler solutions use physical tokens, but tokens are costly and prone to being lost or stolen. Some solutions propose biometrics, but biometrics are usually non-secret and not revocable. The motivation for gaze-based entry is that a typical adversary can easily observe the keyboard and screen, listen to any sounds emanating from the system, and observe the user’s head motion. However, it is relatively hard for the attacker to precisely observe the user’s eye movements, especially from behind (though there is some concern that, as attackers respond to such a system, they may develop nefarious eye-tracking systems).

State-of-the-art eye tracking systems tend to run ~$25,000. But the iSight camera built into the MacBook Pro, combined with some infrared lights, has high enough resolution to enable cheap eye tracking! In either case, entry is achieved by having the user look at each character and hold their gaze on it for about half a second (another option is to use a manual trigger). Research has found that such a system works well with all but the thickest glasses and certain types of contact lenses. One limitation is that the keys of the on-screen keyboard must be relatively large; in the study they used 80 pixels per key with 12 pixels between keys.
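To make the dwell-based mechanism concrete, here is an added example (my own illustration, not code from the paper or its authors) that decodes a stream of gaze samples against an on-screen QWERTY keyboard in both the dwell mode and the manual-trigger mode the paper describes. Only the 80 px key size, the 12 px spacing and the "about half a second" dwell come from the text; the exact 500 ms threshold, the 100 ms grace period for blinks and tracker jitter, the ~30 Hz sample rate, the row stagger and the gaze track itself are assumptions constructed for the example.

```python
# Added example (not from the paper): dwell-based and trigger-based gaze password entry.
# From the text: 80 px keys, 12 px gaps, roughly half-second dwell. Assumed here: a 500 ms
# dwell threshold, 100 ms jitter grace, 30 Hz sampling and a typical QWERTY row stagger.
from dataclasses import dataclass

KEY_SIZE = 80    # pixels per key (from the study)
KEY_GAP = 12     # pixels between keys (from the study)
DWELL_MS = 500   # fixation that selects a key (assumed: "about half a second")
GRACE_MS = 100   # gaze may stray off a key this long before its dwell resets (assumed)
QWERTY_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
ROW_STAGGER = [0.0, 0.5, 1.0]  # row offsets in key pitches (assumed)

@dataclass(frozen=True)
class Key:
    char: str
    x: int  # left edge
    y: int  # top edge

def layout_qwerty(origin_x=0, origin_y=0):
    """Place 80 px keys on a 92 px pitch (key + gap), row by row."""
    pitch = KEY_SIZE + KEY_GAP
    return [Key(ch, origin_x + int((col + ROW_STAGGER[r]) * pitch), origin_y + r * pitch)
            for r, row in enumerate(QWERTY_ROWS) for col, ch in enumerate(row)]

def key_at(keys, gx, gy):
    """Hit-test a gaze point; None when it falls in a gap or off the keyboard."""
    for k in keys:
        if k.x <= gx < k.x + KEY_SIZE and k.y <= gy < k.y + KEY_SIZE:
            return k.char
    return None

def decode_dwell(samples, keys, dwell_ms=DWELL_MS, grace_ms=GRACE_MS):
    """Dwell mode: emit a character each time the gaze rests on one key for dwell_ms.
    samples: time-ordered (t_ms, x, y). Excursions into a gap shorter than grace_ms
    (blinks, tracker jitter) do not restart the dwell timer."""
    out, current, start_t, away_since, fired = [], None, 0, None, False
    for t, x, y in samples:
        ch = key_at(keys, x, y)
        if ch == current:
            away_since = None
        else:
            if away_since is None:
                away_since = t            # gaze just left `current`
            if current is None or t - away_since >= grace_ms:
                # Settled somewhere new; its dwell began when the gaze left the old key.
                current, start_t, away_since, fired = ch, away_since, None, False
        if ch == current and ch is not None and not fired and t - start_t >= dwell_ms:
            out.append(ch)
            fired = True  # a repeated letter needs the gaze to leave and come back
    return "".join(out)

def decode_triggered(samples, keys, trigger_times):
    """Trigger mode: select whichever key the gaze is on at each manual trigger press."""
    out, idx, last = [], 0, None
    for tt in sorted(trigger_times):
        while idx < len(samples) and samples[idx][0] <= tt:
            last, idx = samples[idx], idx + 1
        ch = key_at(keys, last[1], last[2]) if last else None
        if ch is not None:  # a press while the gaze sits in a gap selects nothing
            out.append(ch)
    return "".join(out)

def synth_gaze(script, keys, step_ms=33):
    """Constructed ~30 Hz gaze track from [(char or None, duration_ms), ...]; a char
    fixates that key's centre, None parks the gaze in the gap between 'q' and 'w'."""
    by_char = {k.char: k for k in keys}
    gap = (by_char["q"].x + KEY_SIZE + KEY_GAP // 2, by_char["q"].y + KEY_SIZE // 2)
    samples, t = [], 0
    for target, duration in script:
        k = by_char.get(target)
        x, y = gap if k is None else (k.x + KEY_SIZE // 2, k.y + KEY_SIZE // 2)
        for _ in range(0, duration, step_ms):
            samples.append((t, x, y))
            t += step_ms
    return samples

# Constructed session entering "pass": a 60 ms blink into a gap during the first 's',
# a look-away between the two 's' dwells, and a 200 ms glance at 'x' that must not count.
SCRIPT = [("p", 700), ("a", 700), ("s", 300), (None, 60), ("s", 340),
          (None, 300), ("s", 700), ("x", 200)]

def demo():
    keys = layout_qwerty()
    samples = synth_gaze(SCRIPT, keys)
    return {
        "dwell": decode_dwell(samples, keys),
        "dwell_no_grace": decode_dwell(samples, keys, grace_ms=0),  # blink drops an 's'
        "triggered": decode_triggered(samples, keys, [100, 800, 1600, 1800, 2700]),
    }

if __name__ == "__main__":
    print(demo())
```

Two details matter for usability. First, the 12 px gaps mean a momentary blink or a few pixels of tracker jitter lands the gaze on no key at all; without the grace period the dwell timer restarts and the constructed session loses a letter, which is the kind of failure that makes large keys and generous spacing necessary. Second, the trigger decoder shows how a press that is mistimed by a few tens of milliseconds (the trigger at 1800 ms here) selects nothing, one plausible reason the triggered variant showed more errors than the dwell variant.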

The study found that gaze-based entry took about 10 seconds vs. 2.5 seconds for keyboard-entered passwords. The researchers also found that users preferred a QWERTY on-screen keyboard to an alphabetic one, and that dwell-based and trigger-based gaze entry ran at about the same speed, though triggered entry surprisingly had a much higher error rate. In an after-study survey, >80% of subjects indicated that they would prefer gaze-based entry over keyboard entry in a public place, and that the time to enter the password was irrelevant because they didn’t enter passwords often enough for it to matter.

For more on gaze-enhanced UI design see GUIDe.