Reducing Shoulder-surfing by Using Gaze-based Password Entry

Authors: M. Kumar, Tal Garfinkel, D. Boneh, and T. Winograd

Shoulder-surfing --- using direct observation techniques, such as looking over someone's shoulder, to get passwords, PINs and other sensitive personal information --- is a well known weakness of password authentication. We present EyePassword, a system that mitigates shoulder surfing via a novel approach to user input. With EyePassword, a user enters sensitive input (password, PIN, etc.) by selecting from an on-screen keyboard using only the orientation of their pupils (i.e. the position of their gaze on screen), making eavesdropping by a malicious observer largely impractical. We present a number of design choices and discuss their effect on usability and security. We conducted user studies to evaluate the speed, accuracy and user acceptance of our approach. Our results demonstrate that gaze-based password entry requires marginal additional time over using a keyboard, error rates are similar to those of using a keyboard and subjects preferred the gaze-based password entry approach over traditional methods.

In proceedings of the 2007 Symposium On Usable Privacy and Security (SOUPS)

Full paper: pdf