Bogdan Hoanca

Gaze-based password authentication through automatic clustering of gaze points

Researchers have proposed systems in which users utilize an eye tracker to enter passwords by merely looking at the proper symbols on the computer monitor in the appropriate order. This authentication method is immune to the practice of shoulder surfing: secretly observing the keystrokes of a legitimate user as he or she types a password on a keyboard. In this paper we describe the EyeDent system—in which users authenticate by looking at the symbols on an on-screen keyboard to enter their password. Existing eye-tracking based authentication systems require the user to dwell or press a trigger when looking at each symbol. Instead, in EyeDent, gaze points are automatically clustered to determine the users selected symbols; this approach has the benefit of allowing users to authenticate at their natural speed, rather than with a fixed dwell time. Additionally, the absence of a visible trigger does not divulge the number of symbols in the password. Results from preliminary investigations indicate that quick (3 seconds for a 4 digit PIN) authentication is possible using this scheme, but more work is needed to account for calibration error, and to dynamically adapt system parameters to the characteristics of individual users.

Real-time continuous iris recognition for authentication using an eye tracker

The majority of todays authentication systems, including password and fingerprint scanners, are based on one-time, static authentication methods. A continuous, real-time authentication system opens up the possibility for greater security, but such a system must be unobtrusive and secure. In this work we studied whether a commercial eye tracker can be used for unobtrusive, continuous, real-time user authentication via iris recognition. In a user study, all 37 participants could be authenticated with 11% equal error rate (EER). For 14 of the 37 users, iris occlusion was sufficiently small to authenticate with 9% EER. When classified using a k-nearest neighbors algorithm and only the right iris, the same data set allowed 100% accuracy for k = 3. Although these error rates are too high for standalone use, iris recognition via an eye tracker might enable real-time continuous authentication when combined with other more reliable authentication means (e.g., a password). As eye trackers become widely available their capabilities for multiple factor, continuous authentication will become compelling.

Three-Party Quantum Authenticated Key Distribution with Partially Trusted Third Party

In this paper, a novel three-party quantum authenticated key distribution with a partially trusted third party protocol is proposed. Unlike most classical cryptography, the security of the protocol does not rely on the amount of computations required to find the encryption key, but on physical properties of the transmission medium (i.e., quantum mechanical properties). The session key shared between participants is concealed from the trusted third party while the participants trust the third party regarding the authentication part. Thus, the proposed system will be preferable for network systems in/between institutions, which deal with highly sensitive information (e.g., military bases, research facilities, hospitals).

Freedom of silence vs. freedom of speech: Technology, law, and information security

Freedom of speech and freedom of silence (privacy) are viewed very differently and are protected by laws in different ways in our society. In fact, there is a natural tension between the two, and society must find the proper balance between such opposing forces. Technology is playing an increasing role in supporting both freedom of speech and freedom of silence. At the same time, recent implications of freedom of silence on information security have become more and more apparent, as computer crimes are increasingly using unsolicited and often misleading speech, for example phishing emails and denial of service. This article explores the implications of the freedom of silence, and evaluates technological and legal solutions. The author concludes that technology-supported speech can more readily be contained by appropriate defending technologies than by legal means

Adoption of a New Online Travel Management System for FED-AK

This case describes the implementation of an online travel management system at FED-AK, the Alaska office of a U.S. government agency. The previous system was intended to accomplish the same functionality, but due to employee resistance, it was used only as a forms generator in conjunction with a paper-and mail-based process. The new system is integrated, which compels employees to use all the functionality provided. It also incorporates many lessons learned from the old system-in particular, extensive training and online help functions. The system is expected to significantly reduce the cost of travel by minimizing errors, enforcing policies, and reducing transaction costs. The system will also lead to faster reimbursement of employee travel expenses.

Machine-extracted eye gaze features: how well do they correlate to sight-reading abilities of piano players?

Skilled piano players are able to decipher and play a musical piece they had never seen before (a skill known as sight-reading). For a sample of 23 piano players of various abilities we consider the correlation between machine-extracted gaze path features and the overall human rating. We find that correlation values (between machine-extracted gaze features and overall human ratings) are statistically similar to correlation values between human-extracted task-related ratings (e.g., note accuracy, error rate) and overall human ratings. These high correlation values suggest that an eye tracking-enabled computer could help students assess their sight-reading abilities, and could possibly advise students on how to improve. The approach could be extended to any musical instrument. For keyboard players, a MIDI keyboard with the appropriate software to provide information about note accuracy and timing could complement feedback from an eye tracker to enable more detailed analysis and advice.

Outage at UAA: A Week Without Critical Information Systems

With redundant hardware, it is rare that a disk failure results in downtime at the system level. System failures do sometimes occur, typically as a sequence of very rare events that leads to a catastrophic failure. This case describes how a combination of hardware and firmware failures, along with human error, led to the failure of a redundant disk storage unit, which in turn affected several enterprise systems at a major public university. Subsequently, a small number of conservative and seemingly “good†decisions in the process of restoring the system from backups led to negative outcomes, primarily additional downtime over the course of several days. The case illustrates how even well-considered and conservative decisions may seem flawed in hindsight. An important lesson from the case is that it is difficult to justify to management the provision of sufficient backup resources to prevent very low-probability failure events.

Passive Eye Monitoring in Information Security

In the post-September 11 era, security is becoming more and more critical. An important component of information security is user authentication, the ability of an information system to certify that a user is who she claims she is. Authentication can involve one of two processes: identification or verification. For identification, information about an unknown user must be compared against similar information for all possible users. The best match is returned within a confidence level. For verification, a user identity (entered as a user name for example) must be compared only against an existing signature (usually a password) stored for that user. While identification is important for database searches, for example to locate a person based on fingerprints left at a crime scene, most information systems implement authentication as verification. A user types in his or her user name or scans an identification card, then enters a password to verify the identity. Authentication as verification is used for both physical access (for example to secure areas) and for online access (for example to log in to a computer terminal). Secure user authentication requires that users be endowed with credentials which are i) unique for each user, ii) not easily stolen or lost and iii) reasonably affordable and iv) convenient to use. The order above is not an indication of importance of the various requirements.