Seattle, WA--Despite their inefficiencies, passwords are still the most common electronic authentication systems. While fingerprint-, eye-, and face-recognition authentication technology are progressing, these biometric security systems haven’t yet gone mainstream. University of Washington (UW) engineers are trying to figure out why. They found in a recent study that the user’s experience could key to creating an eye-tracking authentication system that doesn’t rely on passwords.
Eye-tracking technology uses IR light and cameras. The light reflects off the surface of the eyeball and is monitored by the camera as a user’s eye moves or is static; the tracker picks up the unique way each person’s eye moves.
Lead researcher Cecilia Aragon believes one of the reasons face- and eye-recognition systems haven’t taken off is because the user’s experience often isn’t factored into the design. Her team presented its study, one of the first in the field to look at user preferences, at the International Association for Pattern Recognition’s International Conference on Biometrics (June 17–20, 2013; Madrid, Spain). The researchers found that speed, accuracy, and choice of error messages were all-important for the success of an eye-tracking system.
The UW team, in collaboration with Oleg Komogortsev at Texas State University, developed a new biometric authentication technique that identifies people based on their eye movements. They ran subjects through several types of authentication, then asked for feedback on the usability and perceived security.
Individual eye-tracking signatures
“The goal of eye-tracking signatures is to enable inexpensive cameras instead of specialized eye-tracking hardware,” Aragon says. “This system can be used by basically any technology that has a camera, even a low-quality webcam.”
In the study, users simulated withdrawing money from an ATM. The prototype—an ATM-lookalike computer screen with eye-tracking technology—presented three separate types of authentication: a standard four-number PIN, a target-based game that tracks a person’s gaze, and a reading exercise that follows how a user’s eyes move past each word. With each, researchers measured how long it took and how often the system had to recalibrate.
When interviewed afterward, most of the study subjects said they don’t trust the standard pushbutton PIN used in most ATMs, and most assumed that the more advanced technologies would offer the best security. But when authentication failed – the research team deliberately caused it to not recognize users during one trial – they lost faith in the eye-tracking systems. This study showed that future eye-tracking technology should give clear error messages or directions on how users should proceed if they get off track.
Get the error messages right
“The error messages we provided and the feedback we gave were really important for making it usable,” says Michael Brooks, a UW doctoral student in human centered design and engineering. “It would have been difficult to design these prototypes without getting feedback from users early on.”
The standard PIN authentication won for its speed and user-friendliness, but the dot-targeting exercise also scored high among users and didn’t take nearly as long as the reading exercise. This gamelike option could be a model for future versions, Brooks says.