Just gaze and wave: exploring the use of gaze and gestures for shoulder-surfing resilient authentication

Eye-gaze and mid-air gestures are promising for resisting various types of side-channel attacks during authentication. However, to date, a comparison of the different authentication modalities is missing. We investigate multiple authentication mechanisms that leverage gestures, eye gaze, and a multimodal combination of them and study their resilience to shoulder surfing. To this end, we report on our implementation of three schemes and results from usability and security evaluations where we also experimented with fixed and randomized layouts. We found that the gaze-based approach outperforms the other schemes in terms of input time, error rate, perceived workload, and resistance to observation attacks, and that randomizing the layout does not improve observation resistance enough to warrant the reduced usability. Our work further underlines the significance of replicating previous eye tracking studies using today's sensors as we show significant improvement over similar previously introduced gaze-based authentication systems.

[38]  Heinrich Hußmann,et al.  SwiPIN: Fast and Secure PIN-Entry on Smartphones , 2015, CHI.