SafetyPIN: Secure PIN Entry Through Eye Tracking

Mythreya Seetharama (1), Volker Paelke (2), and Carsten Röcker (3)

(1) Ostwestfalen-Lippe University of Applied Sciences, Lemgo, Germany
(2) Bremen University of Applied Sciences, Bremen, Germany
(3) Ostwestfalen-Lippe University of Applied Sciences and Fraunhofer IOSB-INA, Lemgo, Germany
carsten.rocker@iosb-ina.fraunhofer.de
Abstract. When a user enters a personal identification number (PIN) into an automated teller machine or a point of sale terminal, there is a risk of someone watching from behind and trying to learn the PIN. Such shoulder-surfing is a major security threat, and different PIN entry methods have been suggested to counter it. Gaze interaction methods in particular have received attention in recent years, owing to the falling cost of eye tracking technology. In this paper we present SafetyPIN, an eye tracking based PIN entry system that aims to make PIN entry more secure with the help of an eye tracking device. We discuss the implementation and the initial evaluation of this system.

Keywords: PIN entry · Eye tracking · Security · Usability · Point of sale terminals
1 Introduction
The use of PINs (personal identification numbers) as passwords for authentication is ubiquitous nowadays. This is especially true for banking applications, where the combination of a token (e.g. a bank card) and the user's secret PIN is commonly used to authenticate transactions. In financial applications PINs are typically four-digit numbers, giving 10000 possible values. The security of the scheme relies on the fact that an attacker is unlikely to guess the correct PIN and that the system (e.g. an automated teller machine) limits the user to a few attempts (e.g. 3) at entering it. As most applications that use PINs for authentication operate in a public setting, a common attack is to observe and record a user's PIN entry (shoulder-surfing).

These security problems have been recognized for a long time, and researchers have proposed a number of schemes to minimize the risk of PIN entry being observed. One proposed alternative requires the user to input information derived from a combination of the actual PIN and additional information displayed by the system, instead of the PIN itself [1]. Another approach proposes elaborate hardware to make PIN entry resilient to observation attacks [2]. However, these methods have not found their way into practical applications, because users would have to be retrained to use a completely different approach to PIN entry and because of the significant additional cost of the hardware setup.

© Springer International Publishing Switzerland 2015. T. Tryfonas and I. Askoxylakis (Eds.): HAS 2015, LNCS 9190, pp. 426–435, 2015. DOI: 10.1007/978-3-319-20376-8_38
In the SafetyPIN project our goal is to prevent observation attacks during PIN entry while retaining the workflow that users are already familiar with, and with minimal additional hardware cost. Our setup can be easily integrated into existing designs of automated teller machines (ATMs) and point of sale systems. To avoid shoulder-surfing attacks and enable users to enter their PIN without fear of being observed, we have developed a system that employs an eye tracking device. With SafetyPIN, users select PIN digits with their eyes by simply focusing on digits displayed on a screen. Since no physical key-press is used for the PIN entry, no information about the entered digit is given away to an attacker by observing the user's hands or the keypad, and fake keypad overlays placed over the terminal are rendered useless.
The rest of the paper is structured as follows. In Sect. 2, previous efforts related to preventing shoulder-surfing and to gaze interaction are reviewed. In Sect. 3, the conceptual approach behind SafetyPIN is explained. Section 4 details the implementation. In Sect. 5, the initial evaluation and its results are discussed. Section 6 concludes the paper.
2 Related Work
Researchers have long evaluated user gaze as an interaction method using eye tracking devices. In 1987, Ware et al. [3] evaluated two methods of interacting with computers using the eyes as input: dwell gaze, and look and shoot. The dwell gaze method relies on the user looking at the region of interest on the screen for a certain amount of time. In the look and shoot method the user looks at the region of interest and then physically presses a predefined button on the keypad to activate the region. The dwell gaze method needs more time for activation than look and shoot, since the dwell time is needed to avoid spurious activations. On the other hand, the look and shoot method, though quicker, gives away more information to a potential shoulder-surfer via the button click. Both methods require calibration for the individual user.
Kumar et al. [4] evaluated the above two methods for ATM password entry to avoid shoulder-surfing. They used the Tobii 1750 eye tracker and a QWERTY alphanumeric keyboard for this purpose. The evaluation suggested that these methods are capable of deterring shoulder-surfers while taking a comparable time for password entry to a conventional keypad. They also suggested that the calibration data for the user could be stored on the ATM card itself so that calibration need not be performed every time.
De Luca et al. [5], in addition to the two methods above, introduced a gaze-gesture method of password entry and compared it with the other two. In the gaze-gesture method the user has to remember a graphical pattern and then input that pattern by gesturing with his/her eyes [6,7]. The advantage of this method is that it requires no calibration, as it depends on the relative movement of the eye rather than its absolute position. However, it suffers on the usability front, as users need many retries to get the pattern right.
Other such efforts can be seen in [8,9]. In SafetyPIN, we have implemented a new activation method called blinking, along with the two methods above. In this method, as in look and shoot, the user looks at the region he/she wants to activate, but instead of pressing a key, blinks to activate the region. This is more secure than look and shoot, since the feedback given to the shoulder-surfer by the physical pressing of a button is avoided entirely. It is also less error prone than the gaze method, since spurious activations are less likely.
3 Conceptual Approach
Our initial prototype runs on a standard Windows PC and uses the Tobii EyeX low-cost eye tracker. The eye tracker is a small bar that can be attached to a display and could be incorporated into an ATM at a later stage. The sensor bar contains micro-projectors that project distinct patterns of infrared light at the user's eyes. The reflections of these patterns are recorded by infrared cameras in the sensor bar. Through image processing the user's eyes are detected and their movements tracked, which is then used to determine the user's gaze point: the point on the screen on which the user's view currently focuses. For the PIN input we display the possible digits on the screen (see Figs. 1 and 2).

From the practical perspective a key advantage of the SafetyPIN approach is that only minimal additional hardware is required, which fits easily into existing terminals. Because the sensor bar is small and placed directly below the screen, it could be integrated into the screen housing of existing terminals, simplifying the development of new versions with integrated SafetyPIN entry and providing the opportunity to retrofit existing terminals.

Fig. 1. 9-digit visual key-pad displayed on the screen, Tobii EyeX eye tracker mounted below the screen

Fig. 2. SafetyPIN hardware components for retrofitting into existing point of sale terminals
4 Implementation
The prototype mocks up a typical ATM PIN entry screen and allows the user to enter the PIN using three different interaction methods: look and shoot, gaze activation and blink activation. The GUI is a 1680 × 720 pixel window with buttons labeled 0–9 along with ',' and '.'. The GUI buttons are 160 × 100 pixels in size with a spacing of 50 pixels between them. The user is asked to enter a predefined sequence of digits as his/her PIN. The software then records the accuracy and speed of the entered PIN for each of the three entry methods. The software has been developed in Visual C++.
Algorithm 1. Algorithm for the look and shoot activation method

    initialization;
    while waiting for data/events from EyeX do
        if the coordinates received correspond to a GUI button then
            if the activation button is pressed then
                store the PIN digit corresponding to the activated button;
            end
        end
    end

Fig. 3. Sequence diagram for the look and shoot activation method
The Tobii SDK [10] provides drivers for the eye tracking device along with a C/C++ library, the EyeX Engine, whose API is used to interface with the device. These APIs provide functionality at a higher level than the raw eye-position data from the device. The engine offers two kinds of high-level operation. On the one hand, the application can inform the engine about the boundaries of the regions it wants to be activatable; the engine then notifies the application whenever the user looks at one of the specified regions. This scheme relieves the application from having to poll the incoming raw position data from the device. On the other hand, the application can register for any of a number of events about which it would like to be notified. For example, when the user looks at a region for more than half a second a gaze event can be raised, and when the device does not see the user's eyes for more than a second an absence event can be raised, in each case only if the application has registered for that event. These notifications are used in our GUI application.

Algorithm 2. Algorithm for the gaze activation method

    initialization;
    while waiting for data/events from EyeX do
        if the coordinates received correspond to a GUI button then
            if a gaze event notification is received for the current GUI button then
                store the PIN digit corresponding to the activated button;
            end
        end
    end

Fig. 4. Sequence diagram for the gaze activation method
The three different methods of activation are described below with the help
of pseudo-code and sequence diagrams.
4.1 Look and Shoot
The sequence diagram in Fig. 3 shows the three major modules of the software and gives an overview of their interactions. The GUI interacts with the EyeX Engine through an EyeX Interface module. The GUI initializes the window and button components and sends the coordinates of the buttons to the EyeX Interface, which in turn requests periodic eye-position updates from the EyeX Engine. The EyeX Engine communicates directly with the tracker device. Upon receiving position coordinates from the EyeX Engine, the EyeX Interface checks whether the position the user is currently looking at falls within the bounds of any button. If so, it requests the EyeX Engine to notify it when the predefined activation button, the right control key in this case, is pressed. Once this activation event is received, the EyeX Interface sends a message with the number of the button to be activated to the GUI, which stores the activated PIN digit. Algorithm 1 depicts this process in pseudo-code.
4.2 Gaze Activation
Figure 4 shows the interaction for the gaze activation method. The major difference in this case is that, upon receiving the position coordinates from the EyeX Engine, the EyeX Interface requests the gaze event notification after performing the bounds check. The EyeX Engine produces this notification if the user stares at the same region for more than half a second. This time was found to be too short and led to spurious activations. Therefore, the required gaze time was increased to more than a second by validating it in the EyeX Interface. After this, the message is passed on to the GUI from the EyeX Interface module.
4.3 Blink Activation
Figure 5 shows the interaction for the blink activation method. The major difference in this case is that, upon receiving the position coordinates from the EyeX Engine, the EyeX Interface requests the 'user absence' notification after performing the bounds check and temporarily saving the button number. The EyeX Engine produces this notification if the device fails to see the eyes of the user for more than a second. Therefore, if the user closes his/her eyes for a second, he/she effectively becomes absent for the device, producing the required notification. Upon receiving it, the EyeX Interface requests the 'user presence' notification, effectively waiting for the user to open his/her eyes again, which completes the blink operation. Once the user opens his/her eyes the EyeX Engine sends the presence notification, and the EyeX Interface sends the component number of the saved button to the GUI.

Algorithm 3. Algorithm for the blink activation method

    initialization;
    while waiting for data/events from EyeX do
        if the coordinates received correspond to a GUI button then
            temporarily remember this GUI button;
            if a user absence event notification is received then
                if a user presence event notification is received then
                    store the PIN digit corresponding to the remembered button;
                end
            end
        end
    end

Fig. 5. Sequence diagram for the blink activation method
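The three activation methods of Sects. 4.1 to 4.3 (Algorithms 1 to 3) can be exercised without a tracker by replaying a hand-written stream of engine notifications through the same bounds check and activation logic. The Python program below is an added example and not the authors' Visual C++ code. It takes only the window, button and spacing sizes from Sect. 4; the 4-row by 3-column telephone-style arrangement of the twelve buttons, the keypad origin, the event names gaze/key/dwell/absent/present and the constructed event streams are assumptions made for the example. It keeps the two checks a practitioner would want to see: the 1 s validation of Sect. 4.2 that rejects the engine's 0.5 s gaze event, and the rule that key presses, dwells and blinks while the gaze is off the keypad must not produce a digit.

```python
"""Replay of the SafetyPIN activation methods (Sects. 4.1-4.3) over a simulated
Tobii EyeX event stream. Added example, not the authors' code; the 4x3 button
arrangement, keypad origin and event names are assumptions."""
from dataclasses import dataclass
from typing import List, Optional

# Geometry from Sect. 4: 1680 x 720 window, 160 x 100 px buttons, 50 px gaps.
BTN_W, BTN_H, GAP = 160, 100, 50
LABELS = ["1", "2", "3", "4", "5", "6", "7", "8", "9", ",", "0", "."]  # assumed order
DWELL_MIN_S = 1.0  # Sect. 4.2: the engine's 0.5 s gaze event proved too short


@dataclass(frozen=True)
class Button:
    label: str
    x: int  # top-left corner in window pixels
    y: int

    def contains(self, px: float, py: float) -> bool:
        return self.x <= px < self.x + BTN_W and self.y <= py < self.y + BTN_H


@dataclass(frozen=True)
class Event:
    """Simulated engine notification (assumed names): 'gaze' carries a sample at
    (x, y); 'key' the activation key; 'dwell' the 0.5 s gaze event; 'absent' and
    'present' report the eyes lost for more than a second and seen again."""
    kind: str
    t: float  # seconds since start
    x: float = 0.0
    y: float = 0.0
    key: str = ""


def keypad(origin_x: int = 580, origin_y: int = 60) -> List[Button]:
    """Twelve buttons on a 4-row, 3-column grid (arrangement assumed)."""
    return [Button(lbl, origin_x + (i % 3) * (BTN_W + GAP),
                   origin_y + (i // 3) * (BTN_H + GAP))
            for i, lbl in enumerate(LABELS)]


def hit_test(buttons: List[Button], px: float, py: float) -> Optional[Button]:
    """The bounds check the EyeX Interface performs on every gaze sample."""
    return next((b for b in buttons if b.contains(px, py)), None)


def enter_pin(events: List[Event], method: str, buttons=None) -> str:
    """Run one activation method over an event stream and return the digits."""
    buttons = buttons or keypad()
    pin: List[str] = []
    focus: Optional[Button] = None       # button the gaze is currently on
    focus_since = 0.0                    # time the gaze entered that button
    remembered: Optional[Button] = None  # blink: button saved at eye closure
    for ev in events:
        if ev.kind == "gaze":
            b = hit_test(buttons, ev.x, ev.y)
            if b != focus:
                focus, focus_since = b, ev.t
        elif method == "blink" and ev.kind == "present" and remembered is not None:
            pin.append(remembered.label)  # eyes reopened: the blink is complete
            remembered = None
        elif focus is None:
            continue                      # activations off the keypad do nothing
        elif method == "look_and_shoot" and ev.kind == "key" and ev.key == "RCTRL":
            pin.append(focus.label)       # Algorithm 1: right control key pressed
        elif method == "gaze" and ev.kind == "dwell" and ev.t - focus_since >= DWELL_MIN_S:
            pin.append(focus.label)       # Algorithm 2 with the 1 s validation
            focus_since = ev.t            # a repeated digit needs a fresh dwell
        elif method == "blink" and ev.kind == "absent":
            remembered = focus            # Algorithm 3: now wait for 'present'
    return "".join(pin)


def simulated_session(method: str) -> List[Event]:
    """Constructed stream: enters the PIN 1590 with the given method, then fires
    every kind of activation with the gaze resting outside the keypad."""
    centres = [(660, 110), (870, 260), (1080, 410), (870, 560)]  # buttons 1, 5, 9, 0
    ev: List[Event] = []
    for i, (x, y) in enumerate(centres):
        t = 2.0 * i
        ev.append(Event("gaze", t, x, y))
        if method == "look_and_shoot":
            ev.append(Event("key", t + 0.3, key="RCTRL"))
        elif method == "gaze":
            ev.append(Event("dwell", t + 0.5))    # engine event at 0.5 s: rejected
            ev.append(Event("dwell", t + 1.1))    # still on the button: accepted
        else:
            ev.append(Event("absent", t + 1.2))   # eyes closed for about a second
            ev.append(Event("present", t + 1.5))
    t = 2.0 * len(centres)
    ev += [Event("gaze", t, 100, 650),            # a point outside every button
           Event("key", t + 0.3, key="RCTRL"), Event("absent", t + 1.2),
           Event("dwell", t + 1.5), Event("present", t + 1.6)]
    return ev


if __name__ == "__main__":
    for m in ("look_and_shoot", "gaze", "blink"):
        print(f"{m:15s} -> {enter_pin(simulated_session(m), m)}")
```

Running the module prints the digits recovered with each method; with the constructed streams all three yield 1590, and the trailing off-keypad key press, absence, dwell and presence notifications are ignored. A dwell notification that arrives exactly 1 s after the gaze entered a button is accepted, one at 0.5 s is not, which is the behaviour the EyeX Interface enforces on top of the engine's own gaze event.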
Fig. 6. Usability test with the user in front of the prototype system
5 Evaluation
In the initial user tests we examined technological aspects such as the impact of calibration errors and of glasses and other eyewear, practical usability aspects such as error rates and user satisfaction, and the users' perception of safety and security.

The test was performed with 9 users, each of whom was given a 12-digit command sequence to enter as a PIN using the eye tracker (see Fig. 6). The test was performed for all three activation methods, four times per activation method. The PIN entered by the user was stored and compared with the command PIN to count the errors. The time taken by the users for each test was also recorded. After the tests, the users were given a questionnaire on how usable and useful they felt the system was; their feedback on its safety was also recorded.

The results of these tests have been very encouraging for all three activation methods. The average error rate was around 5% and the average time taken was around 1.6 s per digit, or around 6.7 s for a typical 4-digit PIN. Most errors occurred when users did not remember the correct PIN and therefore entered a wrong digit, rather than from unintentional activations. Users felt that the system was easy to use and a safer way to enter their PIN than the traditional entry method. To draw statistically significant conclusions, we need to perform further tests with a larger sample.
6 Conclusions
In order to protect users from shoulder-surfing while entering their PIN at ATMs, new methods of PIN entry are being evaluated. With eye tracking technology becoming cheaper, eye interaction for PIN entry is emerging as a practical solution. In this paper we have discussed SafetyPIN, which proposes retrofitting ATMs with an eye tracking device so that users can enter their PIN without using the keypad. In our prototype we have implemented and evaluated the system on a PC. In addition to the look and shoot and gaze activation methods, we have introduced a new activation method called blink activation. Initial user evaluations have yielded encouraging results, prompting further work.
References
1. Roth, V., Richter, K., Freidinger, R.: A PIN-entry method resilient against shoulder surfing. In: Proceedings of the ACM Conference on Computer and Communications Security (CCS 2004), New York, pp. 236–245 (2004)
2. Sasamoto, H., Christin, N., Hayashi, E.: Undercover: authentication usable in front
of prying eyes. In: Proceedings of the SIGCHI Conference on Human Factors in
Computing Systems (CHI 2008), Florence, pp. 183–192 (2008)
3. Ware, C., Mikaelian, H.: An evaluation of an eye tracker as a device for computer
input. In: Proceedings of CHI 1987, Toronto (1987)
4. Kumar, M., Garfinkel, T., Boneh, D., Winograd, T.: Reducing shoulder-surfing by
using gaze-based password entry. In: Proceedings of the 3rd Symposium on Usable
Privacy and Security, pp. 13–19. ACM (2007)
5. De Luca, A., Weiss, R., Drewes, H.: Evaluation of eye-gaze interaction methods for
security enhanced PIN-entry. In: Proceedings of the 19th Australasian Conference
on Computer-human Interaction: Entertaining User Interfaces, pp. 199–202. ACM
(2007)
6. Drewes, H., Schmidt, A.: Interacting with the computer using gaze gestures. In:
Baranauskas, C., Abascal, J., Barbosa, S.D.J. (eds.) INTERACT 2007. LNCS, vol.
4663, pp. 475–488. Springer, Heidelberg (2007)
7. Drewes, H., De Luca, A., Schmidt, A.: Eye-gaze interaction for mobile phones. In:
Proceedings of the 4th International Conference on Mobile Technology, Applica-
tions, and Systems and the 1st International Symposium on Computer Human
Interaction in Mobile Technology, pp. 364–371. ACM (2007)
8. Forget, A., Chiasson, S., Biddle, R.: Shoulder-surfing resistance with eye-gaze entry
in cued-recall graphical passwords. In: Proceedings of the SIGCHI Conference on
Human Factors in Computing Systems, pp. 1107–1110. ACM (2010)
9. Dunphy, P., Fitch, A., Olivier, P.: Gaze-contingent passwords at the ATM. In: 4th
Conference on Communication by Gaze Interaction (COGAIN), pp. 59–62 (2008)
10. Tobii EyeX SDK for C/C++, Developer’s Guide. Tobii Technology (2014)
Excerpts from works citing this paper:

... For example, Kumar et al. [93] proposed one of the first gaze-based authentication schemes where users fixated characters on an on-screen keyboard and then pressed the space button to select them. The same scheme was used on ATMs by Seetharama et al. [142]. Similar work was also done by Kasprowski et al. [63] who used gaze for pointing at PINs and confirmed selection by pressing a key. ...

... Thus, for entering a four-digit PIN, six dwells are required, making the interaction slow. Seetharama et al. [33] replaced dwell with blink activation, whereby the user closed their eyes for a second to confirm digit selection. However, blink-based selection is slow and unnatural for end users [23]. ...

... Seetharama et al. [38] proposed a look-and-shoot method where the user fixates on the digit and selects it by clicking on a button, however, this approach depends strongly on the accuracy of the tracking device. Moreover, no study on the target size was performed by the author for proper activation as in [16]. ...
Article
The remarkable growth of Virtual Reality (VR) in recent years has extended its applications beyond entertainment to sectors including education, e-commerce, and remote communication. Since VR devices contain user's private information, user authentication becomes increasingly important. Current authentication systems in VR, such as password-based or static biometric-based methods, are either cumbersome to use or vulnerable to attacks such as shoulder surfing. To address these limitations, we propose Medusa3D, a challenge-response authentication system for VR based on reflexive eye responses. Unlike existing methods, reflexive eye responses are involuntary and effortless, offering a secure and user-friendly credential for authentication. We implement Medusa3D on an off-the-shelf VR and conduct evaluations with 25 participants. The evaluation results show that Medusa3D achieves 0.21% FAR and 0.13% FRR, demonstrating high security under various ocular conditions and resilience against attacks such as zero-effort attack, replay attack, and mimicry attack. A user study indicates that Medusa3D is user-friendly and well-adopted among participants.
Article
The fundamental problem for designing a gaze-based human-computer interaction is related to development of an effective method for activating graphical user interface elements by means of gaze only. Such a method should be easy for the user to apply, however at the same time, it requires eye movements that are clearly different from the natural behavior of the eye. We examined three methods of button activation by gaze, looking for the most effective way of gaze "clicking". These were: 1) the most standard method based on the use of dwell-time, 2) its modification based on detection of fixation located inside the buttons area and 3) and the most novel method based on gaze gestures consisting of movement into the button area and outward movement in the approximately opposite direction. We compared these gaze control methods under homogeneous conditions, which allows for a more reliable assessment of their relative usefulness. Two layouts of buttons were used: arranged on a grid, like on a telephone pad, and on a circle with an empty center. The experimental task was to enter a set of four-digit PINs using a set of gaze buttons corresponding to ten digits. A group of novices were instructed to use all the three methods and both button layouts (six experimental conditions). The activation methods were compared in terms of system usability, objectively measured by the PIN entry speed and the number of errors, as well as using a subjective SUS questionnaire. The system based on gaze gestures was worse in both measures; however, it had its followers. The method based on fixation detection instead of dwell-time did not significantly increase the entry speed due to the greater number of errors caused by non-intentional buttons activation. The circle layout turned out to be generally more convenient than the telephone pad layout.
Chapter
Full-text available
Due to technological progress, financial institutions have included ATMs as one of their main channels as a way to decentralize their services. However, there is a gap between user expectations and their perceptions regarding what ATM interfaces offer. As a result, several users feel dissatisfied after using ATMs and many times this dissatisfaction is related to the difficulty of use, design flaws and the fact of committing many errors when interfaces have a low degree of usability. In this sense, in this study we present a Systematic Literature Review (SLR) about usability on ATM interfaces. With this study, we want to understand the current situation of the problems mentioned before, so we seek to know the problems and challenges that have been presented lately for these electronic media, as well as the solutions that have addressed these problems, and the techniques and methods used to carry out these designs or redesigns. For this, the protocol proposed by Kitchenham was followed. Scopus, ACM Digital Library, Alicia and IEEE Digital Library were searched, and finally 51 papers were selected as relevant. With this information it was possible to identify and analyze challenges, usability issues, usability evaluations, and techniques and methods used to carry out designs or redesigns, as well as case studies of designs or redesigns in the ATM domain. We found that this topic is being developed in recent years, that there are common challenges encountered, and that designs, redesigns and usability evaluations have been carried out in this domain under different methods, techniques and frameworks. However, several of these usability issues persist today.
Article
Although conventional PIN-entry methods are widely used in many daily authentication procedures, they are highly susceptible to shoulder-surfing attacks. A plethora of PIN-entry methods have been proposed in the literature to mitigate such attacks. Unfortunately, none of these methods is capable of replacing the conventional PIN-entry method. This study presents the results of a systematic review of PIN-entry methods resistant to shoulder- surfing attacks so that the main challenges that impede their adoption can be provided along with opportunities for future research. A systematic search was conducted on seven databases using predefined criteria. A test–retest approach was performed by a single author to extract data. A total of 55 articles were included in this review. The review results man- ifest that PIN-entry methods are classified mainly into direct and indirect inputs. The user study was the standard research method, and error rate and PIN-entry time were the most frequently adopted usability measures. The review argues that a recording-based shoulder- surfing attack is a major threat to PIN-entry methods. Error rate and PIN-entry time are widely adopted criteria for usability. The review indicates that most PIN-entry methods re- quire a high error rate and PIN-entry time than the conventional method. Moreover, the lack of a standard evaluation framework should be addressed.
Thesis
Eye-tracking tools estimate the locations in a scene where a user is fixating on. They are used in various domains including human-computer interaction (HCI) and learning transfer. As an example, gaze-based text entry allows interacting with computing systems remotely without touching the interface. They are also used to comprehend the visual behaviors of a pilot searching for information in a cockpit. However, a number of barriers still exists and makes these devices less accurate and difficult to use in daily activities. One of these problems is the shift between the actual and the estimated position of the user’s point-of-regard, which systematically comes from the eye-tracking systems’ accuracy. Following recent advances, there is an increasing interest in affordable systems that have the potential to be more accurate and, researchers are continually investigating novel approaches.This thesis covers different issues of eye movement research. It proposes the use of novel approaches as a step towards overcoming these accuracy issues. More specifically, we introduce novel strategies for detecting mapping functions for gaze estimation and calibration-free gaze interaction. In addition to proposing frameworks and strategies for improving accuracy, new calibration procedures and patterns are also revealed and discussed. In this thesis, we address these issues in three different ways: calibration and mapping functions, Human-computer Interaction using the eyes, visualization and exploration. We present four main contributions. First, we present a new method for calibrating state-of-the-art eye trackers with better accuracy. Second, we present a new gaze-based authentication method which works without any prior calibration, and can be extended to any alphanumeric-based input modality. Third, we present an uncertainty visualization approach. Finally, a method of analyzing eyemovements data and aircraft trajectories using a novel brushing technique is proposed.
Article
Full-text available
Knowledge-based authentication (e.g. passwords) has long been associated with a vulnerability to shoulder surfing; being stolen by attackers overlooking the interaction. In order to combat such threats, steps can be taken to either alter the form of the challenge made to the user, or make use of an interaction technique that is resistant to information leakage. We consider the latter, and empirically evaluate the
Conference Paper
Full-text available
A number of recent scams and security attacks (phishing, spyware, fake terminals, ...) hinge on a crook's ability to observe user behavior. In this paper, we describe the design, implementation, and evaluation of a novel class of user authentication systems that are resilient to observation attacks. Our proposal is the first to rely on the human ability to simultaneously process multiple sensory inputs to authenticate, and is resilient to most observation attacks. We build a prototype based on user feedback gained through low fidelity tests. We conduct a within-subjects usability study of the prototype with 38 participants, which we complement with a security analysis. Our results show that users can authenticate within times comparable to that of graphical password schemes, with relatively low error rates, while being considerably better protected against observation attacks. Our design and evaluation process allows us to outline design principles for observation-resilient authentication systems.
Author Keywords: Usability, Security, Multisensory processes
Conference Paper
We present Cued Gaze-Points (CGP) as a shoulder-surfing resistant cued-recall graphical password scheme where users gaze instead of mouse-click. This approach has several advantages over similar eye-gaze systems, including a larger password space and its cued-recall nature that can help users remember multiple distinct passwords. Our 45-participant lab study is the first evaluation of gaze-based password entry via user-selected points on images. CGP's usability is potentially acceptable, warranting further refinement and study.
Conference Paper
Personal identification numbers (PINs) are one of the most common ways of electronic authentication these days and are used in a wide variety of applications, especially in ATMs (cash machines). A non-marginal amount of tricks are used by criminals to spy on these numbers to gain access to the owners' valuables. Simply looking over the victims' shoulders to get in possession of their PINs is a common one. This effortless but effective trick is known as shoulder surfing. Thus, a less observable PIN entry method is desirable. In this work, we evaluate three different eye gaze interaction methods for PIN entry, all resistant against these common attacks and thus providing enhanced security. Besides the classical eye input methods we also investigate a new approach of gaze gestures and compare it to the well-known classical gaze interactions. The evaluation considers both security and usability aspects. Finally, we discuss possible enhancements for gaze gestures towards pattern-based identification instead of number sequences.
Conference Paper
This paper investigates novel ways to direct computers by eye gaze. Instead of using fixations and dwell times, this work focuses on eye motion, in particular gaze gestures. Gaze gestures are insensitive to accuracy problems and immune against calibration shift. A user study indicates that users are able to perform complex gaze gestures intentionally and investigates which gestures occur unintentionally during normal interaction with the computer. Further experiments show how gaze gestures can be integrated into working with standard desktop applications and controlling media devices.
Conference Paper
In this paper, we discuss the use of eye-gaze tracking technology for mobile phones. In particular we investigate how gaze interaction can be used to control applications on handheld devices. In contrast to eye-tracking systems for desktop computers, mobile devices imply several problems like the intensity of light for outdoor use and calibration issues. Therefore, we compared two different approaches for controlling mobile phones with the eyes: standard eye-gaze interaction based on the dwell-time method and gaze gestures. Gaze gestures are a new concept, which we think has the potential to overcome many of these problems. We conducted a user study to see whether people are able to interact with applications using these approaches. The results confirm that eye-gaze interaction for mobile phones is attractive for the users and that the gaze gestures are an alternative method for eye-gaze based interaction.
Article
Since humans direct their visual attention by means of eye movements, a device which monitors eye movements should be a natural "pick" device for selecting objects visually present on a monitor. The results from an experimental investigation of an eye tracker as a computer input device are presented. Three different methods were used to select the object looked at; these were a button press, prolonged fixation or "dwell", and an on-screen select button. The results show that an eye tracker can be used as a fast selection device, providing that the target size is not too small. If the targets are small, speed declines and errors increase rapidly.
Conference Paper
Magnetic stripe cards are in common use for electronic payments and cash withdrawal. Reported incidents document that criminals easily pickpocket cards or skim them by swiping them through additional card readers. Personal identification numbers (PINs) are obtained by shoulder surfing, through the use of mirrors or concealed miniature cameras. Both elements, the PIN and the card, are generally sufficient to give the criminal full access to the victim's account. In this paper, we present alternative PIN entry methods to which we refer as cognitive trapdoor games. These methods make it significantly harder for a criminal to obtain PINs even if he fully observes the entire input and output of a PIN entry procedure. We also introduce the idea of probabilistic cognitive trapdoor games, which offer resilience to shoulder surfing even if the criminal records a PIN entry procedure with a camera. We studied the security as well as the usability of our methods, the results of which we also present in the paper.
Conference Paper
Shoulder-surfing - using direct observation techniques, such as looking over someone's shoulder, to get passwords, PINs and other sensitive personal information - is a problem that has been difficult to overcome. When a user enters information using a keyboard, mouse, touch screen or any traditional input device, a malicious observer may be able to acquire the user's password credentials. We present EyePassword, a system that mitigates the issues of shoulder surfing via a novel approach to user input. With EyePassword, a user enters sensitive input (password, PIN, etc.) by selecting from an on-screen keyboard using only the orientation of their pupils (i.e. the position of their gaze on screen), making eavesdropping by a malicious observer largely impractical. We present a number of design choices and discuss their effect on usability and security. We conducted user studies to evaluate the speed, accuracy and user acceptance of our approach. Our results demonstrate that gaze-based password entry requires marginal additional time over using a keyboard, error rates are similar to those of using a keyboard and subjects preferred the gaze-based password entry approach over traditional methods.
Ware, C., Mikaelian, H.: An evaluation of an eye tracker as a device for computer input. In: Proceedings of CHI 1987, Toronto (1987)