Morph-a-Dope: Using Pupil Manipulation to Spoof Eye Movement Biometrics

Eye Tracking Authentication, a mechanism where eye movement patterns are used to verify a user’s identity, is increasingly being explored for use as a layer of security in computing systems. Despite being widely studied, there is barely any research investigating how these systems could be attacked by a determined attacker. In particular, the relationship between pupil characteristics and lighting is one that could lead to vulnerabilities in improperly secured systems. This paper presents Morph-a-Dope, an attack that leverages lighting manipulations to defeat eye tracking authentication systems that heavily rely on features derived from pupil sizes. Across 20 attacker-victim pairs, the attack increased the EER by an average of over 50% as compared to the zero-effort attack by the overall population, and as much as 500% for individual victims. Our research calls for a greater emphasis on manipulation-resistant pupil size features or system designs that otherwise avoid such vulnerabilities.
