Look into my Eyes! Can you guess my Password?

July 16, 2009 by Richard Conlan

http://cups.cs.cmu.edu/soups/2009/proceedings/a7-deluca.pdf
Alexander De Luca, Martin Denzel and Heinrich Hussmann

Many password entry systems suffer from weakness against attacks where the attacker can view either the keyboard or screen.  The proposal is to use eye movements for password entry, building off the findings of EyePassword, Eye Gestures, and PassShapes.  The researchers implemented EyePassShapes, in which the user traces a shape by moving their eye between a series of points.  Their prototype used a standard eye tracking system (called ERICA).
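To make the mechanism concrete, here is an added Python sketch of a verifier for a gaze-traced shape; it is not code from the paper or the ERICA prototype. It assumes the entry background is a regular grid of dots, that raw gaze samples are snapped to the nearest dot, and that the shape is encoded as the sequence of unit moves between dots (the direction alphabet and the sample gaze trace are constructed for illustration).

```python
import hmac

DOT_SPACING = 100  # assumed pixel distance between background dots
# Assumed stroke alphabet: one label per unit move between neighbouring dots.
DIRECTIONS = {(0, -1): "U", (0, 1): "D", (-1, 0): "L", (1, 0): "R",
              (-1, -1): "UL", (1, -1): "UR", (-1, 1): "DL", (1, 1): "DR"}

def snap_to_dot(x, y, spacing=DOT_SPACING):
    """Map a raw gaze sample (pixels) to the index of the nearest dot."""
    return (round(x / spacing), round(y / spacing))

def dots_to_strokes(dots):
    """Convert the visited dot sequence into direction strokes.

    Consecutive fixations on the same dot (tracker jitter) are collapsed,
    and a straight move across n dots becomes n unit strokes."""
    path = [dots[0]]
    for d in dots[1:]:
        if d != path[-1]:
            path.append(d)
    strokes = []
    for (x0, y0), (x1, y1) in zip(path, path[1:]):
        dx, dy = x1 - x0, y1 - y0
        if not (dx == 0 or dy == 0 or abs(dx) == abs(dy)):
            raise ValueError(f"move {(dx, dy)} is not along the grid")
        step = (max(-1, min(1, dx)), max(-1, min(1, dy)))
        strokes.extend([DIRECTIONS[step]] * max(abs(dx), abs(dy)))
    return strokes

def verify(gaze_samples, enrolled):
    """Compare the traced strokes against the enrolled shape.

    The comparison does not stop at the first mismatch, so timing does
    not reveal how much of the shape was right."""
    traced = dots_to_strokes([snap_to_dot(x, y) for x, y in gaze_samples])
    return hmac.compare_digest(" ".join(traced), " ".join(enrolled))

# Constructed gaze trace: an "L" shape, two dots down then one dot right,
# with jitter around the dot centres and one repeated fixation.
SAMPLE_TRACE = [(98, 203), (101, 299), (103, 304), (99, 401), (198, 398)]
ENROLLED_SHAPE = ["D", "D", "R"]

if __name__ == "__main__":
    print(dots_to_strokes([snap_to_dot(x, y) for x, y in SAMPLE_TRACE]))
    print(verify(SAMPLE_TRACE, ENROLLED_SHAPE))
```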

In an initial evaluation with ten participants, the researchers examined whether it was easier to trace out EyePassShapes on a dotted background or on a gridded background.  The differences they found were not significant, so they went with dotted backgrounds.  They then conducted the usability study proper with twenty-four participants using PINs, PassShapes, EyePassShapes, and EyePINs.  Usability was based on user reports, which indicated that PINs were the most usable, followed by PassShapes, with EyePassShapes and EyePINs rated similarly.

They then conducted a security evaluation by allowing an attacker three attempts at breaking each entry attempt.  The attacker was a security expert who did not participate in the user study but was able to view videos of each subject filmed from the front and the side.  PINs and PassShapes were broken 100% of the time, EyePassShapes 54.5% of the time, and EyePINs 41.7% of the time.  It was found that when an EyePassShape was traced as a series of strokes instead of one continuous stroke, it was harder to crack.

Finally, they conducted a memorability evaluation.  It was found that EyePassShapes had similar memorability to normal PassShapes.  They only evaluated the memorability of a single shape, and not what would happen if users had multiple shapes to remember.