An interesting new paper Reducing Shoulder-surfing by Using Gaze-based Password Entry
Shoulder-surfing — using direct observation techniques, such as looking over someone’s shoulder, to get passwords, PINs and other sensitive personal information is a problem that has been difficult to overcome. When a user enters information using a keyboard, mouse, touch screen or any traditional input device, a malicious observer may be able to acquire the user’s password credentials. We present EyePassword, a system that mitigates the issues of shoulder surfing via a novel approach to user input. With EyePassword, a user enters sensitive input (password, PIN, etc.) by selecting from an on-screen keyboard using only the orientation of their pupils (i.e. the position of their gaze on screen), making eavesdropping by a malicious observer largely impractical. We present a number of design choices and discuss their effect on usability and security. We conducted user studies to evaluate the speed, accuracy and user acceptance of our approach. Our results demonstrate that gaze-based password entry requires marginal additional time over using a keyboard, error rates are similar to those of using a keyboard and subjects preferred the gaze-based password entry approach over traditional approaches.
Great idea, and could be done today on iMacs and MacBooks, with their built-in cameras.
Unfortunately, the paper falls short at testing.
To evaluate EyePassword, we conducted user studies with 18 subjects, 9 males and 9 females with an average age of 21…. Twelve subjects reported that they were touch-typists. On average subjects had 12 years of experience using a keyboard and mouse.
We compared the password entry speed and error rates of three approaches: a standard keyboard for entering a password (Keyboard) to provide a baseline, using EyePassword with dwell-based activation (Gaze+Dwell) and using EyePassword with trigger-based activation (Gaze+Trigger). In addition, we evaluated two different on-screen layouts for the dwell case: QWERTY layout and alphabetic layout. At the end of the study we asked subjects to fill out a survey to collect data on the user’s subjective opinion of the techniques.
(The passwords used were:) computer, security, apple314, sillycat, Garfield, password, $dollar$, GoogleMap, dinnertime, Chinatown.
That’s a very select group, and probably all college students at Stanford too (although the paper does not say one way or the other, which is an experimental failing). Unfortunately, this means the conclusion that “subjects preferred the gaze-based password entry approach over traditional approaches” must be taken with a big grain of salt. Actually I’d completely disregard it.
The test passwords are not strong enough. With the test passwords used, the subjects only use the Shift function 6 times, out of 94 characters that are input (94 = 84 password characters + 10 “enter” characters to mark the end of the password). The passwords are mostly recognizable words, occasionally with up to 3 extra characters tacked on. Real passwords shouldn’t look like that. This makes me skeptical of the published speeds and error rates, because many passwords need more capital and special characters to be accepted by a system. The paper did not give me an understanding of how the eye-tracking system could be expected to perform with a password as strong as the one I use for this blog.
But most importantly (to me) there was no testing with a randomized keyboard layout. Without a randomized keyboard, a camera only has to record people’s eye-movements to get their password. A randomized keyboard is necessary for strong security. But the paper gives no data on how this would affect usability. Not even a gross rule-of-thumb, or qualitative advice.
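To make the two criticisms above concrete, here is an added simulation (example code written for this post, not from the paper or from the EyePassword system). It expands the ten test passwords into on-screen keystrokes to reproduce the Shift and character counts, then models a camera that records only where on the screen the user looks: against a fixed layout the recorded cells map straight back to the password, while against a layout reshuffled for each session the same recording yields nothing usable. The key set, the 10-column grid, modelling Shift as a separate key pressed before the shifted character, and “$” being entered as Shift+4 are all assumptions of the example.

```python
import random
import string

# Assumed on-screen key set: letters, digits, a SHIFT key and an ENTER key.
KEYS = list(string.ascii_lowercase + string.digits) + ["SHIFT", "ENTER"]
COLUMNS = 10                    # assumed grid width of the on-screen keyboard
SHIFT_SYMBOLS = {"$": "4"}      # assumed: '$' is typed as SHIFT then '4'

# The ten test passwords quoted from the paper.
TEST_PASSWORDS = ["computer", "security", "apple314", "sillycat", "Garfield",
                  "password", "$dollar$", "GoogleMap", "dinnertime", "Chinatown"]


def keystrokes(password):
    """Keys the user must gaze at, in order: SHIFT precedes any shifted
    character, and ENTER terminates the entry."""
    seq = []
    for ch in password:
        if ch.isupper():
            seq += ["SHIFT", ch.lower()]
        elif ch in SHIFT_SYMBOLS:
            seq += ["SHIFT", SHIFT_SYMBOLS[ch]]
        else:
            seq.append(ch)
    seq.append("ENTER")
    return seq


def shift_and_total(passwords):
    """(number of SHIFT uses, password characters + one ENTER per password)."""
    shifts = sum(k == "SHIFT" for p in passwords for k in keystrokes(p))
    total = sum(len(p) for p in passwords) + len(passwords)
    return shifts, total


def fixed_layout():
    """A fixed layout: key i always sits in grid cell i."""
    return {key: (i // COLUMNS, i % COLUMNS) for i, key in enumerate(KEYS)}


def randomized_layout(rng):
    """A fresh per-session layout: the same keys shuffled into random cells."""
    cells = [(i // COLUMNS, i % COLUMNS) for i in range(len(KEYS))]
    rng.shuffle(cells)
    return dict(zip(KEYS, cells))


def gaze_trace(password, layout):
    """What an observer's camera sees: the sequence of screen cells gazed at."""
    return [layout[k] for k in keystrokes(password)]


def reconstruct(trace, layout_guess):
    """Map recorded cells back to keys using the layout the observer believes
    is on screen, then collapse SHIFT+key into the shifted character."""
    cell_to_key = {cell: key for key, cell in layout_guess.items()}
    unshift = {v: k for k, v in SHIFT_SYMBOLS.items()}
    out, shifted = [], False
    for key in (cell_to_key[cell] for cell in trace):
        if key == "SHIFT":
            shifted = True
        elif key == "ENTER":
            break
        else:
            out.append((key.upper() if key.isalpha() else unshift.get(key, key))
                       if shifted else key)
            shifted = False
    return "".join(out)


def observe_fixed(password):
    """Fixed layout: the recording alone gives the observer the password."""
    layout = fixed_layout()
    return reconstruct(gaze_trace(password, layout), layout)


def observe_randomized(password, seed=1):
    """Per-session shuffled layout (seen only by user and system): the observer,
    applying the layout it knows, gets a wrong string back."""
    session_layout = randomized_layout(random.Random(seed))
    return reconstruct(gaze_trace(password, session_layout), fixed_layout())


def trace_structure(password, seed=1):
    """What still leaks under a randomized layout: the count of keystrokes and
    of distinct cells (repeated characters land on the same cell)."""
    trace = gaze_trace(password, randomized_layout(random.Random(seed)))
    return len(trace), len(set(trace))


if __name__ == "__main__":
    print("SHIFT uses, total keystrokes:", shift_and_total(TEST_PASSWORDS))
    print("fixed layout, observer reads: ", observe_fixed("GoogleMap"))
    print("random layout, observer reads:", observe_randomized("GoogleMap"))
    print("random layout still leaks (len, distinct):", trace_structure("GoogleMap"))
```

The `trace_structure` function is the caveat a randomized layout does not remove: the observer still learns how many keys were gazed at and which positions repeat, which is why the post's concern about short, word-like test passwords matters even in the randomized case.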
Still, eye-tracking is an interesting idea, and it could do a lot to stop “standard” shoulder surfing, even if it is not effective against an attacker with some hardware.
EDITED TO ADD: another benefit of gaze-based PIN entry is that it is more hygienic. You don’t have to touch a keypad that thousands of other people have touched today. (ATMs near bathrooms are always kinda scary.) Input for transactions could also be handled only via eye-movement tracking. Obviously for transactions a lot more feedback could be provided for the user, making it a very pleasant experience.