Entering Passwords Through Eye Movement
Stu Dennison writes "Ars Technica has a post up on a new service called EyePassword. EyePassword is a system that attempts to mitigate the issues of shoulder-surfing via a novel approach to user input: no hands required. With EyePassword, a user enters their password using an on-screen keyboard that detects the orientation of their pupils. From the article: 'The gaze-tracking system functions by shining an invisible infrared beam on a user's face. The beam produces a tiny reflection in the eyes that stays put, no matter where a person looks (provided they do not move their head too much). By tracking the stable position of this reflection and the relative position of a person's pupils, the system is able to calculate which keys or buttons a user wishes to input, and interpret the information accordingly ... more than 80 percent of those tested preferred the EyePassword method. Additionally, when testing EyePassword input using an input method where users visually "dwell" on the characters they wish to input, error rates were comparable to keyboarding.'"
Only password I'll use from now on is
up up down down left right left right wink blink
My UID is prime... is yours?
db
I am literally 3000 tokens away from the chaotic crossbow --Stephen
Nah, just turn on StickyEyes. Blink 5 times in a row to turn it on.
More eye strain typing your homework than reading the gosh darn book.
IR, isn't that bad for your eyes?
IR isn't that bad for your eyes!
IR is bad for your eyes.
IR, is that bad for your eyes?
I have a headache....
Maybe REM sleep could be used as a random number generator.
I have found there are just two ways to go.
It all comes down to livin' fast or dyin' slow. -REK, Jr.
I hope it can be made quite accurate; I've often thought something like this would massively increase my productivity - I'd love to be able to perform tasks without having to take my hand off the keyboard to use the mouse. If I could look at an area of the screen and just hit a key to left/right click it'd make a lot of my common mouse tasks obsolete.
Great! Now I won't be able to access my email when I'm drunk!
I would gladly donate my left kidney to the person who makes this available for "focusing" the active window.
I LOVE the evolution of "Focus Follows Mouse" but dammit even my Fluxbox isn't fast enough to keep up with where I am looking.
"The price good men pay for indifference to public affairs is to be ruled by evil men." ~Plato (427-347 BC)
... by a pair of boobies just out of peripheral view.
The eternal struggle of good vs. evil begins within one's self.
then read the PostIt note attached to my monitor with the password written on it if that action will mistype my password?
Stuck in a loop and locked out!
Organization: alphabetical, sometimes numerical or messy
Nice for people who don't know where their keys are.. every time they check, they type.
And try looking at CTRL-ALT and DEL at the same time :)
Stephen Hawking: Screw them.
If you're easily distractable I guess it'll prove a cha - ooh, nice legs ...
Insert
Keyboard shortcuts.
Send email from the afterlife! Write your e-will at Dead Man's Switch.
Anybody running an ssh server on a public-facing network that pays any attention at all to their log files knows the problems of passwords.
The short answer is: they suck. All of them. They are easily compromised and have multiple points of failure: ANYTHING between the human side of the input device and the hash function can be hacked to completely defeat the system.
In this case, a web-cam (commonly available on most newer laptops, aimed directly at the eyeballs in question) can be used to completely defeat this system if used in conjunction with any other camera in the room, or any screen-scrape capable trojan.
If, instead, we used a challenge-response system where knowing a particular set of private values enabled for an answer that could be independently verified, the transaction could be sent "in the open" on malicious public networks with relative security.
Like ssh does when set up with RSA keys. Like your SSL-enabled browser does with any SSL certified site.
I do something similar with my bike locks - I engrave the combinations to the locks directly on the locks, after hashing them up a bit with a privately known, but simple, math function. I never have to worry about forgetting the combos to the locks, but I also don't have to worry about anybody reading the combo - without knowing my (relatively simple) math function, the numbers on the locks are worthless.
No, I don't expect the average user to deal with a 128-bit key. But most passwords don't even keep pace with an 8-bit key in terms of security.
I have no problem with your religion until you decide it's reason to deprive others of the truth.
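The challenge-response scheme the comment above sketches, as an added example that is not part of the original thread or the commenter's own work: the verifier sends a fresh random nonce, the prover answers with an HMAC over that nonce keyed by a secret derived from the password, and the verifier checks the answer without the password itself ever crossing the wire. It uses a symmetric HMAC rather than the RSA keys the comment mentions for ssh, so only the keyed response and the nonce are "in the open"; a captured transcript cannot be replayed because each nonce is accepted once. The `Verifier` and `prover_respond` names, the PBKDF2 parameters and the sample password are assumptions made for this example.

```python
import hashlib
import hmac
import secrets


def derive_key(password: str, salt: bytes) -> bytes:
    """Turn a human password into a fixed-size secret key.

    PBKDF2-HMAC-SHA256 with 100k iterations is an assumed, reasonable
    choice; both sides must derive the same key from the same salt.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class Verifier:
    """Server side: holds the derived key, issues nonces, checks responses."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._outstanding: set[bytes] = set()  # nonces issued but not yet consumed

    def challenge(self) -> bytes:
        """Issue a fresh 128-bit random nonce; it may be sent over any network."""
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        """Accept only a correct response to a nonce we issued and have not used yet."""
        if nonce not in self._outstanding:
            return False            # unknown or already-consumed nonce: replay or forgery
        self._outstanding.discard(nonce)  # single use, whether or not the response is right
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time comparison


def prover_respond(key: bytes, nonce: bytes) -> bytes:
    """Client side: prove knowledge of the key by keying an HMAC over the nonce."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def run_demo() -> dict:
    """Exercise the protocol and return what an eavesdropper could and could not do."""
    salt = b"constructed-salt-for-demo"       # constructed sample value
    key = derive_key("correct horse battery", salt)  # constructed sample password
    verifier = Verifier(key)

    # 1. Legitimate exchange: nonce out, keyed response back.
    nonce = verifier.challenge()
    response = prover_respond(key, nonce)
    legit_ok = verifier.verify(nonce, response)

    # 2. An observer who captured (nonce, response) replays the same pair.
    replay_ok = verifier.verify(nonce, response)

    # 3. The observer answers a new challenge with a guessed password.
    wrong_key = derive_key("wrong password", salt)
    nonce2 = verifier.challenge()
    guess_ok = verifier.verify(nonce2, prover_respond(wrong_key, nonce2))

    # 4. The observer reuses the captured response against a new challenge.
    nonce3 = verifier.challenge()
    reuse_ok = verifier.verify(nonce3, response)

    return {
        "legitimate_accepted": legit_ok,   # True
        "replay_accepted": replay_ok,      # False: nonce already consumed
        "wrong_password_accepted": guess_ok,  # False: HMAC mismatch
        "reused_response_accepted": reuse_ok,  # False: response bound to old nonce
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

What the transcript leaks is a random nonce and a 32-byte MAC; recovering the key from those is a preimage problem on HMAC-SHA256, which is the property the comment is relying on when it says the exchange can travel "in the open". The weak link that remains is the password-to-key derivation, which is why the slow PBKDF2 step and a per-user salt are included.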
The problem for the cracker, however, is that they'd have to have two vantage points at once, one watching the eyes, the other watching the virtual keyboard the eyes were focusing on, to get a position reference on it. Otherwise they'd have roughly the same problem as pupil tracking without the reflected spot, no reference fix. Was that movement a single letter, or to the other side of the keyboard, or somewhere in between? Just observing the eyes could certainly significantly cut down the brute force search space, thereby equally weakening the strength of the password, but it'd be anything but a one for one correspondence. (The reason the software doesn't have this problem is because it is aware of the relative position and size of the virtual keyboard onscreen.)
One could even deliberately reposition the virtual keyboard after every number of characters, as well, thus further throwing off third party eye monitors.
What TFA didn't mention, however, even though it compared with keyloggers, is that presumably this would replace typed input as just another type of input device. As such, one may not even have to modify the keylogger to have access to the character input stream from the eye input device driver, just as it does from the keyboard device driver. A keylogger generally logs the character input stream, not the raw symbol stream, and the character input stream remains the same, no matter what device it's from or how exotic it may be. The only way around that would be a custom vertically integrated application that handles the entire stack monolithically, instead of as components tying into the conventional input stack. That'd be a huge implementation and portability headache, as it would have to be custom developed for each hardware and software combination implementation. Possible, yes, in embedded or limited hardware/software situations such as (say) ATMs, but not generally deployable without running into the conventional keylogger trojan challenges everyone else faces.
Duncan
"Every nonfree program has a lord, a master,
and if you use the program, he is your master."
R Stallman