Slashdot Mirror


Entering Passwords Through Eye Movement

Stu Dennison writes "Ars Technica has a post up on a new service called EyePassword. EyePassword is a system that attempts to mitigate the issues of shoulder-surfing via a novel approach to user input: no hands required. With EyePassword, a user enters their password using an on-screen keyboard that detects the orientation of their pupils. From the article: 'The gaze-tracking system functions by shining an invisible infrared beam on a user's face. The beam produces a tiny reflection in the eyes that stays put, no matter where a person looks (provided they do not move their head too much). By tracking the stable position of this reflection and the relative position of a person's pupils, the system is able to calculate which keys or buttons a user wishes to input, and interpret the information accordingly ... more than 80 percent of those tested preferred the EyePassword method. Additionally, when testing EyePassword input using an input method where users visually "dwell" on the characters they wish to input, error rates were comparable to keyboarding.'"

73 comments

  1. My luggage.... by Deltaspectre · · Score: 4, Funny

    Only password I'll use from now on is

    up up down down left right left right wink blink

    --
    My UID is prime... is yours?
    1. Re:My luggage.... by antdude · · Score: 0, Redundant

      Up up down down left right left right wink blink? That's amazing! I've got the same combination on my luggage! ;)

      Note: Quote modified from Spaceballs movie.

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    2. Re:My luggage.... by Anonymous Coward · · Score: 0

      Stealing a joke off a crippled woman, you should be modded -1 shameful.

    3. Re:My luggage.... by antdude · · Score: 1

      What woman? We have women here? [grin]

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    4. Re:My luggage.... by Jarik_Tentsu · · Score: 1

      I'm blind you insensitive clod!

  2. Shoulder surfing isn't the problem by Myria · · Score: 1

    "Shoulder surfing" is usually not the problem. The more common case for stealing passwords is getting a keylogger.

    First eyelogger release in 3, 2, 1...

    --
    "Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
    1. Re:Shoulder surfing isn't the problem by TheRealMindChild · · Score: 1

      The obvious solution is to create an SSH session between the keyboard and the controller.

      --

      "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
    2. Re:Shoulder surfing isn't the problem by anilg · · Score: 1

      Ahh... I await the day cryptography can make coffee and drop kids to school..

      --
      http://dilemma.gulecha.org - My philosophical short film.
    3. Re:Shoulder surfing isn't the problem by smallfries · · Score: 1

      Why is that the obvious solution? Are you mistaking what is required for privacy and what is required for authentication?

      --
      Slashdot: where don knuth is an idiot because he cant grasp the awesome power of php
    4. Re:Shoulder surfing isn't the problem by Goaway · · Score: 1

      Why would anyone make a logger for something nobody uses?

    5. Re:Shoulder surfing isn't the problem by davester666 · · Score: 1

      Wouldn't this make shoulder surfing easier? You need to display the keyboard onscreen, large enough to be able to determine which specific key/area of the screen is being viewed, with some sort of feedback indicating that a character has been accepted and which character was accepted [did it accept 'j' or 'k' just now].

      --
      Sleep your way to a whiter smile...date a dentist!
  3. as opposed to what? by clarkn0va · · Score: 5, Funny

    more than 80 percent of those tested preferred the EyePassword method
    ...over the "PeeingOnALargeKeyboard" method.

    db

    --
    I am literally 3000 tokens away from the chaotic crossbow --Stephen
  4. Hmm by Anonymous Coward · · Score: 0

    Maybe a bit clumsy for double letters, punctuation and so on. Maybe additional password policies that would usually decrease security would have to be adopted.

    1. Re:Hmm by derfy · · Score: 5, Funny

      Nah, just turn on StickyEyes. Blink 5 times in a row to turn it on.

    2. Re:Hmm by Konerak · · Score: 3, Funny

      Nice for people who don't know where their keys are.. every time they check, they type.

      And try looking at CTRL-ALT and DEL at the same time :)

  5. Konami Code by Ethanol-fueled · · Score: 0, Redundant

    I wonder if the Konami Code could be adapted to this?

  6. More eye strain typing your homework than reading by ZeroNullVoid · · Score: 2, Funny

    More eye strain typing your homework than reading the gosh darn book.
    IR, isn't that bad for your eyes?
    IR  isn't that bad for your eyes!
    IR  is         bad for your eyes.
    IR, is    that bad for your eyes?

    I have a headache....

  7. An idea by g1zmo · · Score: 4, Funny

    Maybe REM sleep could be used as a random number generator.

    --
    I have found there are just two ways to go.
    It all comes down to livin' fast or dyin' slow.
    -REK, Jr.
    1. Re:An idea by rts008 · · Score: 1

      I have a recurring nightmare, you insensitive clod!...There's nothing like always rolling snake eyes to make you believe in Demon Murphy!

      --
      Down With Slashdot BETA!!! I've been around the corner and seen the oliphant; you can only abuse me from your perspecti
    2. Re:An idea by owlstead · · Score: 1

      I think you are confused, it's Rapid Eye Movement, not Random Eye Movement.

    3. Re:An idea by asCii88 · · Score: 0

      And people can then read your dreams

    4. Re:An idea by zen-theorist · · Score: 1

      Maybe REM sleep could be used as a random number generator.
      nope, i dream about naked girls all the time.
  8. Please replace my mouse! by trawg · · Score: 2, Insightful

    I hope it can be made quite accurate; I've often thought something like this would massively increase my productivity - I'd love to be able to perform tasks without having to take my hand off the keyboard to use the mouse. If I could look at an area of the screen and just hit a key to left/right click it'd make a lot of my common mouse tasks obsolete.

    1. Re:Please replace my mouse! by Anonymous Coward · · Score: 2, Funny

      Why would you have your hands on the keyboard when you can control your web browser with your eyes?!!!

      As they say: two hands are better than one!!

    2. Re:Please replace my mouse! by bluej100 · · Score: 1

      I absolutely agree. It's not like I'd stop using my mouse entirely, but, say, "Focus follows gaze" would save me from a lot of stupid mistakes like sending :q to my boss instead of Vi. It'd also be great for HTML forms. Obviously, there are issues to be dealt with, but I would love to, whenever I'm typing, have it automatically go where I'm looking.

    3. Re:Please replace my mouse! by Anonymous Coward · · Score: 0

      without having to take my hand off the keyboard
      That makes me wonder where the other hand is. Wait, don't tell me, I don't want to know...
    4. Re:Please replace my mouse! by Bloke+down+the+pub · · Score: 1

      I'm David Blunkett, you insensitive clod!!!!

      --
      It's true I tell you, feller at work's next door neighbour read it in the paper.
    5. Re:Please replace my mouse! by Anonymous Coward · · Score: 0

      I bet it'd be quite cool in shooter games too, provided they can track your eyes well enough to see the difference between a headshot and 'a shot in that general direction'.

  9. head has to stay still? by DTemp · · Score: 2, Funny

    Great! Now I won't be able to access my email when I'm drunk!

    1. Re:head has to stay still? by Solra+Bizna · · Score: 1

      Great! Now I won't be able to access my email when I'm drunk!

      You say that like it's a bad thing.

      -:sigma.SB

      --
      WARN
      THERE IS ANOTHER SYSTEM
  10. Hey Linux Devs pay attention... by B5_geek · · Score: 3, Interesting

    I would gladly donate my left kidney to the person who makes this available for "focusing" the active window.

    I LOVE the evolution of "Focus Follows Mouse" but dammit even my Fluxbox isn't fast enough to keep up with where I am looking.

    --
    "The price good men pay for indifference to public affairs is to be ruled by evil men." ~Plato (427-347 BC)
    1. Re:Hey Linux Devs pay attention... by C+R+Johnson · · Score: 2, Interesting

      How about a KVM switch that works this way?

      I've been wanting one of those for a while.

      --
      The alternative to limited government is unlimited government.
    2. Re:Hey Linux Devs pay attention... by Thing+1 · · Score: 1

      ? -- Kidney Video Mouse?

      --
      I feel fantastic, and I'm still alive.
  11. Too bad it can easily be hacked... by Datamonstar · · Score: 2, Informative

    ... by a pair of boobies just out of peripheral view.

    --
    The eternal struggle of good vs. evil begins within one's self.
    1. Re:Too bad it can easily be hacked... by Anonymous Coward · · Score: 0
    2. Re:Too bad it can easily be hacked... by Tablizer · · Score: 1

      I think those who modded me to hell misunderstand that I intended that one *looks* at T&A, not types it on a keyboard.

  12. Truly More Secure? by excelblue · · Score: 1

    Is this eye-tracking truly more secure than simply typing on the keyboard? Although you can look over one's shoulder, you can also look at their eye movements. All you have to do is be in a different position. I suppose with a bit of training, one can figure out the eye movements too. Also, since it's slower, it might actually even be easier to read the eyes than the keyboard. People have mastered lipreading, so why won't they master this?

    Also, what would happen if your eyes happened to stray while entering a password? You can never be sure that you're hitting the right keys. The only sure option is to start over if you lose focus. Because there are no keys to guide your eyes, you have to approximate everything. This will take some training.

    1. Re:Truly More Secure? by josh+washington · · Score: 1

      Or instead of lipreading, what about video-conferencing?

      While the webcam is still going, simply record the video stream and trick the person into surfing to a site needing a password.
      Ask them to check your MySpace or send them an Email to read after you've got them on webcam. Or ask them to check your eBay auction from their account..the possibilities are endless.

      Kind of like a keylogger, but so much more simple and convenient in my opinion.

    2. Re:Truly More Secure? by slash.duncan · · Score: 2, Insightful

      The problem for the cracker, however, is that they'd have to have two vantage points at once, one watching the eyes, the other watching the virtual keyboard the eyes were focusing on, to get a position reference on it. Otherwise they'd have roughly the same problem as pupil tracking without the reflected spot, no reference fix. Was that movement a single letter, or to the other side of the keyboard, or somewhere in between? Just observing the eyes could certainly significantly cut down the brute force search space, thereby equally weakening the strength of the password, but it'd be anything but a one for one correspondence. (The reason the software doesn't have this problem is because it is aware of the relative position and size of the virtual keyboard onscreen.)

      One could even deliberately reposition the virtual keyboard after every number of characters, as well, thus further throwing off third party eye monitors.

      What TFA didn't mention, however, even tho it compared with keyloggers, is that presumably this would replace typed input as just another type of input device. As such, one may not even have to modify the keylogger to have access to the character input stream from the eye input device driver, just as it does from the keyboard device driver. A keylogger generally logs the character input stream, not the raw symbol stream, and the character input stream remains the same, no matter what device it's from or how exotic it may be. The only way around that would be a custom vertically integrated application that handles the entire stack monolithically, instead of as components tying into the conventional input stack. That'd be a huge implementation and portability headache, as it would have to be custom developed for each hardware and software combination implementation. Possible, yes, in embedded or limited hardware/software situations such as (say) ATMs, but not generally deployable without running into the conventional keylogger trojan challenges everyone else faces.

      Duncan

      --
      Duncan
      "Every nonfree program has a lord, a master,
      and if you use the program, he is your master."
      R Stallman
    3. Re:Truly More Secure? by cp.tar · · Score: 1

      What I want to know is, when you're already scanning someone's eyes with an infra-red beam, why not just scan their retinas and get it done with? No passwords to remember, and the tech should be quite similar... right?

      --
      Ignore this signature. By order.
    4. Re:Truly More Secure? by DigitAl56K · · Score: 1

      You know what's interesting? This doesn't actually solve the problem of shoulder surfing. It just means that an attacker needs to be in front of you instead of behind you. What makes it even worse is that the same technology that can follow your eye movements can be used by an attacker to automatically record them. Just set up a camera that waits for the IR beam to come on, then using a telescopic lens have some software run exactly the same algorithm as the user's local terminal.

      Anyway - I have a bigger question: Who the hell needs this stuff?! Can you not trust your coworkers? Is your box not sitting right under your desk where they could hack it at night anyway? Aren't you on the same LAN as them? Couldn't they just use a network based attack to root your box?

      Unless you work for the NSA a keyboard ought to do just fine.

    5. Re:Truly More Secure? by smallfries · · Score: 1

      So what you're saying is that it can be defeated by building some custom hardware and installing it in the physical location.... oh, much like a keylogger I suppose. So try again, why doesn't this defeat shoulder surfing - the casual swiping of passwords by people who just happen to be in the area.

      --
      Slashdot: where don knuth is an idiot because he cant grasp the awesome power of php
    6. Re:Truly More Secure? by ls671 · · Score: 1

      Well, I assume you could mix-up the digits or code to be entered on the display at login time. You would then need two view points to capture everything. One at the screen and one at the user eyes. A lot of digital door locks where you have to enter digits to get in already work that way. They have LEDs behind the keys to display the digits and every time you need to get in, you need to press different keys because the digits you need to enter have changed location on the keyboard.

      --
      Everything I write is lies, read between the lines.
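
The scrambled-layout idea from slash.duncan's and ls671's comments in this thread (one shuffled layout per login, or a reshuffle before every character), as an added example that is not part of the original thread. It assumes a 10-digit PIN pad and an observer who sees which key position is selected but not the screen; all function names are hypothetical.

```python
import math
import secrets

DIGITS = "0123456789"


def new_layout(rng=None):
    """Return a fresh random arrangement: layout[position] is the digit shown there."""
    rng = rng or secrets.SystemRandom()
    keys = list(DIGITS)
    rng.shuffle(keys)
    return "".join(keys)


def positions_for(pin, layouts):
    """What a position-only observer (hands or gaze) records.

    `layouts` holds one layout per digit entered; repeat the same layout
    for a per-login shuffle, or pass a new one per digit for a per-key shuffle.
    """
    return [layout.index(digit) for digit, layout in zip(pin, layouts)]


def decode(positions, layouts):
    """What the terminal recovers, since it knows which layout it displayed."""
    return "".join(layout[pos] for pos, layout in zip(positions, layouts))


def candidates_per_login(positions):
    """PINs still possible when one layout was used for the whole entry.

    Equal positions mean equal digits, so the repetition pattern leaks:
    k distinct positions leave 10 * 9 * ... * (10 - k + 1) candidates.
    """
    return math.perm(10, len(set(positions)))


def candidates_per_key(positions):
    """PINs still possible when the layout is reshuffled before every digit.

    Each position is then independent of the digit, so nothing leaks.
    """
    return 10 ** len(positions)


if __name__ == "__main__":
    pin = "1224"  # constructed sample PIN
    login_layout = [new_layout()] * len(pin)
    seen = positions_for(pin, login_layout)
    print("observer saw positions:", seen)
    print("terminal decodes:", decode(seen, login_layout))
    # Replaying the same positions at the next login hits a different layout.
    print("replayed next login:", decode(seen, [new_layout()] * len(pin)))
    print("candidates, per-login shuffle:", candidates_per_login(seen))
    print("candidates, per-key shuffle:", candidates_per_key(seen))
```
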
  13. I hate on-screen keyboards :( by saikou · · Score: 1

    While it's probably nice for user that types in something like MyDogSkip as a password, typing in something location based (for example njio1357vgyu) is way more complicated. Which makes entering "hard" passwords extra-extra hard. Instead of muscle-memory you need to use your mouse to do it "one lick at a time". Yuk.

    1. Re:I hate on-screen keyboards :( by Anonymous Coward · · Score: 1

      You'd just have to find other ways to generate hard passwords that are easy to remember than by the position of the keys on the keyboard, rather obviously since you're not using a keyboard. "Three half-circles from zero to 180 degrees, three half-circles clockwise from 270 degrees to 90 degrees, movement code for Shoryuken in Street Fighter 2" might be a suitable password in this system.

      It's interesting whether using a system like this would cause most people to generate weaker or stronger passwords, though. It could go both ways; on one hand, there are probably no more than nine different symbols to use and there are obvious patterns (circles and partial circles, concatenations of directions and the direction opposite them), but on the other hand, there's no possibility of entering "password" or your girlfriend's name as the password.

  14. Blind people are screwed I guess by GodsBlood · · Score: 1

    and I don't see the likes of a Michael J Fox or Muhammad Ali using this any time soon.

    1. Re:Blind people are screwed I guess by Dachannien · · Score: 2, Funny

      Stephen Hawking: Screw them.

  15. How would I by RandySC · · Score: 3, Funny

    then read the PostIt note attached to my monitor with the password written on it if that action will mistype my password?

    Stuck in a loop and locked out!

    --
    Organization: alphabetical, sometimes numerical or messy
  16. Debit Card Pins? by Anonymous Coward · · Score: 0

    What about at places that accept debit cards. Wouldn't this be ideal for that?

  17. Locked accounts at a model convention by cheros · · Score: 4, Funny

    If you're easily distractable I guess it'll prove a cha - ooh, nice legs ...

    --
    Insert .sig here. Send no money now. Owner may sue, contents will settle. Batteries not included.
  18. Two words by Poromenos1 · · Score: 3, Informative

    Keyboard shortcuts.

    --
    Send email from the afterlife! Write your e-will at Dead Man's Switch.
  19. digital camera shoulder watching by gsmb · · Score: 1

    I would love to test this using a digital camera. You can try 'looking' at the remote IR light yourself by just pointing the camera to it. I imagine if one was to set up a digital movie camera you may well be able to 'see' the IR beams hitting the monitor. Kinda more 'security through obscurity'?? Assuming this can work or be adapted (hacked?) to work what of all the 'online security cameras?' Puts a new spin on googledorks....

    1. Re:digital camera shoulder watching by slash.duncan · · Score: 1

      You obviously didn't RTFA. The IR beam and its reflection simply serves as a lock on the positioning of the eye in space, allowing a /relative/ comparison of the position of the pupil. Thus the reflection of the IR beam gives you nothing on its own. Even filming the motion of the eye won't give you an absolute fix on the password (tho it could significantly narrow the brute force search domain), since it's looking at a virtual keyboard to do its "typing", and you'd have to have a fix on where that is as well, in order to know whether the movement was a single key or a whole keyboard away.

      To make things harder, one could even shift the position of the virtual keyboard every number of characters entered.

      Of course, this doesn't solve the trojan keylogger issue at all (despite what TFA says), since the device driver would presumably enter characters into the same input buffer as a conventional keyboard would. It'd therefore arguably help against shoulder surfing in controlled installations such as ATMs, but couldn't do a thing to secure braindead joe user's passwords, with its hundreds of trojan/spyware/malware installations, because braindead joe simply doesn't have the motivation to care enough about such things to invest the necessary time to defend himself from them, and is in fact quite comfortable in his braindead state, blaming everyone /else/ for the problem.

      Duncan

      --
      Duncan
      "Every nonfree program has a lord, a master,
      and if you use the program, he is your master."
      R Stallman
  20. shift key? by toQDuj · · Score: 1

    I hope they have an expanded keyboard, so I don't have to abandon most characters and upper-case characters.

    I think that's the strength of my password: people can see what I type if they can remember fast enough, but not really understand which character I type in combination with shift ;).

    B.

    --
    Every experiment which ends in a big bang is a good experiment.
  21. But still passwords! by mcrbids · · Score: 3, Informative

    Anybody running an ssh server on a public-facing network that pays any attention at all to their log files knows the problems of passwords.

    The short answer is: they suck. All of them. They are easily compromised and have multiple points of failure: ANYTHING between the human side of the input device and the hash function can be hacked to completely defeat the system.

    In this case, a web-cam (commonly available on most newer laptops, aimed directly at the eyeballs in question) can be used to completely defeat this system if used in conjunction with any other camera in the room, or any screen-scrape capable trojan.

    If, instead, we used a challenge-response system where knowing a particular set of private values enabled for an answer that could be independently verified, the transaction could be sent "in the open" on malicious public networks with relative security.

    Like ssh does when set up with RSA keys. Like your SSL-enabled browser does with any SSL certified site.

    I do something similar with my bike locks - I engrave the combinations to the locks directly on the locks, after hashing them up a bit with a privately known, but simple, math function. I never have to worry about forgetting the combos to the locks, but I also don't have to worry anybody reading the combo - without knowing my (relatively simple) math function, the numbers on the locks are worthless.

    No, I don't expect the average user to deal with a 128-bit key. But most passwords don't even keep pace with an 8-bit key in terms of security.

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
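
The challenge-response idea in the comment above, as an added example that is not part of the original post. It uses an HMAC over a random nonce with a shared secret (Python standard library only) in place of the RSA key pair the comment mentions, so the verifier here holds the same secret as the client; `Verifier`, `respond` and `demo` are hypothetical names.

```python
import hashlib
import hmac
import secrets


class Verifier:
    """Server side: issues single-use nonces and checks the responses."""

    def __init__(self, key: bytes):
        self._key = key
        self._outstanding = set()  # nonces issued but not yet answered

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(32)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        # Reject nonces we never issued or that were already used (replay).
        if nonce not in self._outstanding:
            return False
        self._outstanding.discard(nonce)
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(expected, response)


def respond(key: bytes, nonce: bytes) -> bytes:
    """Client side: prove knowledge of the key without ever sending it."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def demo() -> dict:
    key = secrets.token_bytes(32)  # constructed secret, provisioned out of band
    server = Verifier(key)

    # Honest login: only (nonce, response) crosses the network.
    nonce1 = server.challenge()
    response1 = respond(key, nonce1)
    honest = server.verify(nonce1, response1)

    # An eavesdropper recorded (nonce1, response1) and replays it as-is.
    replay_same_nonce = server.verify(nonce1, response1)

    # The recorded response is also useless against a fresh challenge.
    nonce2 = server.challenge()
    replay_new_nonce = server.verify(nonce2, response1)

    # A client holding the wrong key fails even with a valid nonce.
    nonce3 = server.challenge()
    wrong_key = server.verify(nonce3, respond(secrets.token_bytes(32), nonce3))

    return {
        "honest": honest,
        "replay_same_nonce": replay_same_nonce,
        "replay_new_nonce": replay_new_nonce,
        "wrong_key": wrong_key,
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```
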
  22. Level 9 - Snowball by Anonymous Coward · · Score: 0

    almost same as in Snowball text adventure from Level 9

    look at terminal
    [option1] [option2] [option3]
    look at option1
    blink
    [another opt. ...

  23. Video: Already done more than two years ago! by DarkArathorn · · Score: 1
    http://www.youtube.com/watch?v=cUt5o1MJZ20

    The same thing is at least two years old (presented in Chicago RSNA in 2005!), and patent pending.

    BTW, this company is a world leader in EyeTracking multimodal CONCRETE application! http://www.srlabs.it/

  24. Nice sample size by Anonymous Coward · · Score: 0
    From the paper:

    To evaluate EyePassword, we conducted user studies with 18 subjects, 9 males and 9 females with an average age of 21.
    Read: A bunch of Stanford undergraduates and grad students (who probably know one of the authors) are on the custom designed and tested prototype with the tool's author in the room in case something goes wrong.

    And 80 percent of them say "Yes your tool is new cool and super." Not very surprising.
  25. Not hopeful by vix86 · · Score: 1

    I'm not expecting to see this any time soon. The paper claims that password entry was on par with keyboard entry and this might be true, but the article doesn't really mention some of the other annoying aspects that go with eye tracking; like calibration. Having worked with eye tracking equipment, this is one of the most frustrating aspects to using it in research or just in general.

    Each person's eye 'takes' a little bit differently to the camera and the IR. Slight head movements, changes in pupil dilation, obstructions (make-up), awkward reflections, and so on; can mess up the calibration and cause the system to think your eye is somewhere else. Compound flaky calibrations on top of unconscious erratic eye movements; it'd be amazing to get a system that would accurately read your input even half the time. It would very likely take a number of tries before you even got your password in correctly.

  26. smile, you're recorded by tilminator · · Score: 1

    If the computer can accurately track my head and eyes when I'm entering passwords, I can do so all the time. Just imagine the privacy issues. Does your boss know if you are distracted or working (frequent eye shifts)? How about recognizing people by their eye movements - biometric identity theft? On the upside, you could use it to reliably research face mimics. Think about how much more $PRODUCT you could sell if you knew exactly which part of the commercial sucks.

    --
    -- up-modding policy: make a good point, write self-contained.
  27. The Assumption of Normal Vision by Dunx · · Score: 1

    I'm wondering if I would be able to use this at all since I have a squint.

    The summary on Ars mentions that the system tracks the relative positions of the pupils so it might work, but if it is calibrated to non-squinty binocular vision then I suspect it wouldn't work for folks like me.

    --
    Dunx
    Converting caffeine into code since 1982
  28. 3 Login failures.. by Anonymous Coward · · Score: 0

    "Use remaining good eye to login."

  29. Recording what you're looking at by Anonymous Coward · · Score: 0

    A few months ago, /. ran an article about recording what you're looking at by the reflection on your eye. It sounds like that would be an effective way to combat "eye passwords" - and is probably how they're implemented, in the first place.

  30. Neck pain by saskboy · · Score: 1

    You can get neck pain from subconsciously not moving your head much for a long time.

    --
    Saskboy's blog is good. 9 out of 10 dentists agree.
  31. Wink and a Nod by Doc+Ruby · · Score: 0, Flamebait

    /rolls eyes

    --
    make install -not war

  32. What if I by iLoveYoyo · · Score: 1

    want to input an upper case letter or a special character like * or &? How many eyes do I have to have to complete these tasks...

  33. Nothing to do with security by umonkey · · Score: 1

    The researchers also note that there are a number of potential applications for EyePassword's approach to visual input that have nothing to do with security.
    They don't say how long will it take for the software to be installed free of charge and without the user's acknowledgement. To steal passwords at worst and to be used by advertisers at best. A necessary evil. But there are innocent applications, indeed, like integration with Flash and other interactive stuff, and this is also interesting, despite everything. I'd even say it's a great way to popularize the technology to use it later with the malicious intent.
  34. More money, less security by ricksmith · · Score: 1

    This is obviously a marketing ploy by a company that can track eye movements, and they're looking for a killer app. This isn't it.

    Shoulder surfing is just one of, oh, maybe a dozen ways to hack a password. It's not even the most common.

    If you're going to buy expensive devices for authentication, there are lots of products that actually improve security: SecurID, SafeWord, those guys. Or buy a USB token with embedded challenge-response based on a public/private key pair.

    Passwords and biometrics are both too easy to spoof and replay on networks.

    Rick.

  35. Finally... by thetartanavenger · · Score: 1

    Finally... An alternative to one handed typing...

    --
    Who need's speling and grammar?
  36. A modest proposal by StikyPad · · Score: 1

    $50 says the first password you thought of was Up, Up, Down, Down, Left, Right, Left, Right, Select (Left wink), Start (Right wink).

    $100 says you're trying to do that right now.