DOI: 10.1145/1280680.1280683

Reducing shoulder-surfing by using gaze-based password entry

Published: 18 July 2007

Abstract

Shoulder-surfing -- using direct observation techniques, such as looking over someone's shoulder, to get passwords, PINs and other sensitive personal information -- is a problem that has been difficult to overcome. When a user enters information using a keyboard, mouse, touch screen or any traditional input device, a malicious observer may be able to acquire the user's password credentials. We present EyePassword, a system that mitigates the issues of shoulder surfing via a novel approach to user input.
With EyePassword, a user enters sensitive input (password, PIN, etc.) by selecting from an on-screen keyboard using only the orientation of their pupils (i.e. the position of their gaze on screen), making eavesdropping by a malicious observer largely impractical. We present a number of design choices and discuss their effect on usability and security. We conducted user studies to evaluate the speed, accuracy and user acceptance of our approach. Our results demonstrate that gaze-based password entry requires marginal additional time over using a keyboard, error rates are similar to those of using a keyboard and subjects preferred the gaze-based password entry approach over traditional methods.

Published In

SOUPS '07: Proceedings of the 3rd symposium on Usable privacy and security
July 2007
188 pages
ISBN:9781595938015
DOI:10.1145/1280680
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

  • CyLab

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. eye tracking
  2. gaze-based password entry
  3. password entry
  4. shoulder surfing

Qualifiers

  • Article

Conference

SOUPS '07
SOUPS '07: The third Symposium on Usable Privacy and Security
July 18 - 20, 2007
Pennsylvania, Pittsburgh, USA

Acceptance Rates

Overall Acceptance Rate 15 of 49 submissions, 31%
