Slashdot Mirror


Entering Passwords Through Eye Movement

Stu Dennison writes "Ars Technica has a post up on a new service called EyePassword. EyePassword is a system that attempts to mitigate the issues of shoulder-surfing via a novel approach to user input: no hands required. With EyePassword, a user enters their password using an on-screen keyboard that detects the orientation of their pupils. From the article: 'The gaze-tracking system functions by shining an invisible infrared beam on a user's face. The beam produces a tiny reflection in the eyes that stays put, no matter where a person looks (provided they do not move their head too much). By tracking the stable position of this reflection and the relative position of a person's pupils, the system is able to calculate which keys or buttons a user wishes to input, and interpret the information accordingly ... more than 80 percent of those tested preferred the EyePassword method. Additionally, when testing EyePassword input using an input method where users visually "dwell" on the characters they wish to input, error rates were comparable to keyboarding.'"

3 of 73 comments

  1. Too bad it can easily be hacked... by Datamonstar · · Score: 2, Informative

    ... by a pair of boobies just out of peripheral view.

    --
    The eternal struggle of good vs. evil begins within one's self.
  2. Two words by Poromenos1 · · Score: 3, Informative

    Keyboard shortcuts.

    --
    Send email from the afterlife! Write your e-will at Dead Man's Switch.
  3. But still passwords! by mcrbids · · Score: 3, Informative

    Anybody running an ssh server on a public-facing network that pays any attention at all to their log files knows the problems of passwords.

    The short answer is: they suck. All of them. They are easily compromised and have multiple points of failure: ANYTHING between the human side of the input device and the hash function can be hacked to completely defeat the system.

    In this case, a web-cam (commonly available on most newer laptops, aimed directly at the eyeballs in question) can be used to completely defeat this system if used in conjunction with any other camera in the room, or any screen-scrape capable trojan.

    If, instead, we used a challenge-response system where knowing a particular set of private values enabled for an answer that could be independently verified, the transaction could be sent "in the open" on malicious public networks with relative security.

    Like ssh does when set up with RSA keys. Like your SSL-enabled browser does with any SSL certified site.

    I do something similar with my bike locks - I engrave the combinations to the locks directly on the locks, after hashing them up a bit with a privately known, but simple, math function. I never have to worry about forgetting the combos to the locks, but I also don't have to worry about anybody reading the combo - without knowing my (relatively simple) math function, the numbers on the locks are worthless.

    No, I don't expect the average user to deal with a 128-bit key. But most passwords don't even keep pace with an 8-bit key in terms of security.

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
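The challenge-response idea the comment above describes, as an added example that is not part of the original post: the server issues a fresh random nonce, the client answers with a value derived from its private secret, and the server checks the answer. For simplicity this uses an HMAC over a pre-shared secret rather than the RSA keypair ssh uses (an assumption of this example); the point it demonstrates is the same, that an eavesdropper who captures the whole exchange learns nothing they can reuse.

```python
import hmac
import hashlib
import secrets


class ChallengeResponseServer:
    """Verifier side: issues single-use random challenges and checks answers.

    Assumption of this example: one pre-shared secret per user (HMAC), a
    simplification of ssh's RSA keypair; the transcript still carries no secret.
    """

    def __init__(self, user_secrets):
        self._secrets = dict(user_secrets)   # user -> secret bytes
        self._pending = {}                   # user -> outstanding nonce

    def issue_challenge(self, user):
        nonce = secrets.token_bytes(32)      # fresh, unpredictable, per attempt
        self._pending[user] = nonce
        return nonce

    def verify(self, user, nonce, response):
        # Consume the nonce first, so a captured response cannot be replayed.
        expected_nonce = self._pending.pop(user, None)
        if expected_nonce is None or not hmac.compare_digest(expected_nonce, nonce):
            return False
        expected = hmac.new(self._secrets[user], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)   # constant-time compare


def client_answer(secret, nonce):
    """Prover side: answer the challenge without ever transmitting the secret."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def demo_run():
    """One honest login, then two replays of the captured transcript."""
    secret = secrets.token_bytes(32)          # constructed per-user secret
    server = ChallengeResponseServer({"alice": secret})

    # Honest exchange; assume an eavesdropper records both nonce and response.
    nonce = server.issue_challenge("alice")
    response = client_answer(secret, nonce)
    honest_ok = server.verify("alice", nonce, response)

    # Replay 1: the recorded pair is presented again (nonce already consumed).
    replay_ok = server.verify("alice", nonce, response)

    # Replay 2: the recorded response is offered against a fresh challenge.
    fresh = server.issue_challenge("alice")
    stale_ok = server.verify("alice", fresh, response)
    return honest_ok, replay_ok, stale_ok
```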