Could Eye-Tracking Replace Passwords?

Passwords are a problem. With each of us having so many accounts to manage, we often forget which specialized password is connected to what account, and we sit at the login screen making attempt after attempt -- until we're finally locked out. 

But despite their inefficiencies, passwords are still the most common e-authentication systems available. Though biometric recognition technologies are progressing, they haven’t yet gone mainstream -- and engineers at the University of Washington (UW) are trying to figure out why.

The key? According to a recent study, it could be related to the user experience.

Cecilia Aragon, lead researcher and a UW associate professor of human centered design and engineering, says she believes the reason these face- and eye-recognition systems haven’t been successful is, in part, because the user’s experience often isn’t taken into consideration.

So in collaboration with Oleg Komogortsev at Texas State University, the UW team  developed a new biometric authentication technique that identifies people based on their eye movements. They ran subjects through several types of authentication, according to UW, and then asked for feedback on usability and perceived security.

Using an ATM-type scenario, which was chosen because it's familiar to most people and most ATMs are already equipped with a camera, users simulated withdrawing money using three types of authentication:

• a standard four-number PIN;
• a dot targeting game that tracks a person’s gaze; and
• a reading exercise that follows how a user’s eyes move past each word.

With each, UW reported, researchers measured how long it took and how often the system had to recalibrate.

“The goal of eye-tracking signatures is to enable inexpensive cameras instead of specialized eye-tracking hardware,” Aragon said. “This system can be used by basically any technology that has a camera, even a low-quality webcam.”

How Eye-Tracking Tech Works Eye-tracking technology uses infrared light and cameras. The light reflects off the surface of the eyeball back to the camera when a user’s eye is following a dot or words on the computer screen. The tracking device picks up the unique way each person’s eye moves. Source: University of Washington. Photo courtesy of Michael Brooks.

When interviewed, most subjects said that they don’t trust the standard push-button PIN used in most ATMs, and most assumed that the more advanced technologies would offer the best security. But their viewpoint changed when authentication failed – which the research team did deliberately during one trial. When this occured, the users lost faith in the eye-tracking systems, according to UW. 

The end result? The standard PIN authentication won for speed and user-friendliness, while the dot targeting exercise scored high and didn’t take as long as the reading exercise.  Michael Brooks, a UW doctoral student in human centered design and engineering, said this game-like option could be a model for future versions.

Next, the researchers plan to look at developing similar eye-tracking authentication for other systems that use basic cameras such as desktop computers. A similar design could be used to log in or gain access to a secure website.