GazeMeter: Exploring the Usage of Gaze Behaviour to Enhance Password Assessments

We investigate the use of gaze behaviour as a means to assess password strength as perceived by users. We contribute to the effort of making users choose passwords that are robust against guessing attacks. Our particular idea is to also consider users’ understanding of password strength in security mechanisms. We demonstrate how eye tracking can enable this: by analysing people’s gaze behaviour during password creation, the strength of the password being created can be determined. To demonstrate the feasibility of this approach, we present a proof-of-concept study (N = 15) in which we asked participants to create weak and strong passwords. Our findings reveal that it is possible to estimate password strength from gaze behaviour with an accuracy of 86% using machine learning. Thus, we enable research on novel interfaces that consider users’ understanding, with the ultimate goal of making users choose stronger passwords.
