Bruce Schneier
Schneier on Security
A blog covering security and security technology.
« Friday Squid Blogging: "The Seasick Squid" | Main | Hacking Brain-Computer Interfaces »
September 4, 2012
Eye Twitch Patterns as a Biometric
Yet another biometric: eye twitch patterns:
...a person's saccades, their tiny, but rapid, involuntary eye movements, can be measured using a video camera. The pattern of saccades is as unique as an iris or fingerprint scan but easier to record and so could provide an alternative secure biometric identification technology.
Probably harder to fool than iris scanners.
Posted on September 4, 2012 at 9:04 AM • 29 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Keith Ivey • September 4, 2012 9:18 AM
A 30-second test gives "accuracy of 90% or even close to 100% at its best"? Is that useful for security?
Fred P • September 4, 2012 9:37 AM
@Keith Ivey-
That depends; is that 10% false positive or false negative? False negatives might not be too bad, as long as there's a way to circumvent the system that's more secure (because, say, you had surgery on one eye and have it completely covered). A 10% false positive rate would seem to me to make the system useless, particularly if you had more than one user.
NobodySpecial • September 4, 2012 9:59 AM
@Fred - 90% recognition rate is pretty good. That's pretty much what my grandmother could manage.
And when it comes to matching names to faces of my wife's friends I'm nowhere near 90% - looks like they have passed the Turing test - or I've failed it!
Hugh Mannity • September 4, 2012 10:46 AM
Interesting.
How certain are they that saccades don't change over time or with illness. It would be interesting to see whether illnesses like Parkinson's (which affects fine motor control including eye movement) or Bell's Palsy (which causes facial paralysis) change the patterns.
Dinah • September 4, 2012 11:32 AM
I start most mornings with coffee. I wonder how stimulants affect this.
Vadim Lebedev • September 4, 2012 11:34 AM
What will happen if the intruder will present to camera a video clip with captured facial expression of impersonated individual?
paranoia destroys ya • September 4, 2012 11:52 AM
@Hugh.
From personal experience, medical conditions probably will affect this. People have a hard time reading me because I have mild facial palsy on one side of my face. Because its subtle, they can't figure out what is different about me and often have a false positive reaction that I am lying or a threat.
uberdilligaff • September 4, 2012 11:58 AM
No evidence is presented in the linked article that demonstrates that such eye movement patterns are actually unique to a specific individual, or even invariant for an individual over time. The primary article, and the article it links to, both just assert that these involuntary reflexes are unique. Stronger stuff is required for credibility.
NobodySpecial • September 4, 2012 12:12 PM
@paranoia destroys ya - could be worse, you could have a twitch.
I don't know if there is a federal offence of winking at a TSA operator while he is groping you - but it's not going to end well!
Clive Robinson • September 4, 2012 12:13 PM
@ Vadim Lebede,
What will happen if the intruder will present to camera a video clip with captured facial expression of impersonated individual?
Probably nothing.
Most "display/projection" systems are not continuous, therefore whilst the human eye with it's fairly slow response will see a continuous system a camera which also scans will see only a spot or a few lines where the scans are in phase.
However there are newer display systems that are effectivly constant like "electronic paper" and other "pixel flipping" technologies so the question the becomes will the "update" of such systems be detectable by the camera...
@ Hugh Mannity,
It would be interesting to over time or with illness. It would be interesting to see whether illnesses like Parkinson's...
I would suspect anything that effects the nervous system would cause changes. For instance many people with Type II diabetes can and will (unless they are very lucky) suffer Peripheral Neuropathy which is a slowly degenerative disease. This effects a very large number of people especialy the older they get, and can cause compleate loss of a sense of feeling, cause problems with the hearts rhythm eye blink ability and eye movment as well as the ability to focus the eye...
@ Bruce,
Probably harder to fool than iris scanners
There is no way I'd make a bet on that, because we know otherwise.
We know from the improvments in IED's (Implanted Electronic Devices) such as Heart Pace makers we can take over semi autonomic nureralogic systems and adjust their rate and rhythm. I'm aware of research into this to provide other ways of dealing with "nervous twitches" without having to lose functionality from cutting the nerves or injecting them with highly dangerous neurotoxins such as "Botox".
Clive Robinson • September 4, 2012 12:25 PM
@ Keith Ivey,
A 30-second test gives "accuracy of 90% or even close to 100% at its best"? Is that useful for security
As an authenticator no.
But then you would not use such a biometric on it's own, you would use several others and take the agrigate result in some manner.
Lets say you used four biometrics with say a 5% rate of False Positives. This gives 0.000625% chance or around 6 people in a million being falsey identified as the "correct" person. Some password studies indicate that some pairs of username&password would be easier to get...
Brent Lahaise • September 4, 2012 12:25 PM
Regarding change over time, many biometric systems use your last five entries for their biometric template, so it changes over time with you.
Regarding accuracy, I'm thinking that this biometric could be used simultaneously with facial recognition.
Bill • September 4, 2012 12:54 PM
My problem with biometrics is revocation: how do they go about issuing me new saccades?
Rich Gibbs • September 4, 2012 1:26 PM
The team has studied otoneurological eye movements for several years and has recognized that certain statistical values that can be extracted from the data for such movements are, in combination, unique for each of us.Presumably the "extraction" of the statistical values reduces the amount of information in the data. And there is no evidence presented that either the raw data or the statistics are unique.
Northen Realist • September 4, 2012 1:30 PM
Sounds like this is another grand scheme that hasn;t been fully and properly researched. Was this test conducted on individuals over an extended period of time and under different health conditions? For example, does this change with age? what about if one has the flu or a cold? What about when one is wearing soft contacts, as opposed to glasse or neither? What about changes due to heart attacks, stroke, medication, etc.?
Godel Fishbreath • September 4, 2012 2:50 PM
The eye twitch pattern is likely to change a bit if the person has a contact lens: the weight of the lens should add a bit, and the irritation of same could throw things off a touch.
LinkTheValiant • September 4, 2012 3:41 PM
@Bill: My problem with biometrics is revocation: how do they go about issuing me new saccades?
This is precisely why biometrics have no place in any situation other than perhaps admittance to a building with a security guard to verify identity.
As Mr. Robinson has remarked in the past in the past, it's FAR easier to steal the digital representation of a biometric than it is to steal the actual biometric itself. Or, to put it another way, biometrics have no ultimate difference from a string of bits tattooed on one's finger or eye.
Biometrics are not a magic bullet, and like padlocks they are useless unless used at a monitored secure point.
Slyib • September 4, 2012 5:36 PM
30 seconds is forever if that's how long the biometric pass/fail scan takes. Imagine the queue to get inside a secure building in the morning, or after going outside for a smoke! The occupants will resort to blocking open back doors with ash trays, garbage cans, etc. in order to save time.
If it's 30 seconds to perform the baseline scan, then "never mind."
But a cool technology, nonetheless.
AC2 • September 5, 2012 12:05 AM
Is it Apr 1st today Bruce?
The whole line "The pattern of saccades is as unique as an iris or fingerprint scan but easier to record and so could provide an alternative secure biometric identification technology" reads like a bad joke...
And look how they plan to use it: "... very easy to trigger by asking an individual to look at one target and then another on a computer screen, for instance the team explains"
And for a period of 30 secs... Daft...
Thomas • September 5, 2012 3:01 AM
@Clive
"""Lets say you used four biometrics with say a 5% rate of False Positives. This gives 0.000625% chance or around 6 people in a million being falsey identified as the "correct" person."""
That assumes 2 things; that the chances of fooling the scanners are independent, and that the system requires a perfect "4/4".
Given that these systems false-negative you might have a "3/4" voting system for "user friendliness".
Now... if the same 5% who can fool the first scanner also have a better chance of fooling the next one your overall false-positive rate can sky-rocket.
Fred P • September 5, 2012 10:41 AM
NobodySpecial-
I guess it depends on your usage. However, if you have a 10% false positive rate per person, 10 people that you want to accept, and the chance of each false positive is independent, that's (1-(1-10%)^10)) = roughly 65% chance of accepting any random person.
If you're using this as some sort of secondary confirmatory step, that might have some use (for example, then you're presumably limiting it to one person) - but you'll still need a more secure override. If you were using it as a primary, I'm not certain that it has any use.
paul • September 5, 2012 1:14 PM
I can see some kind of mild irritant or other agent distributed near an entrance acting as an excellent denial-of-service attack. Imagine a situation where there's smoke in the building and someone really needs to get into the server room to perform some emergency work...
Jacob • September 5, 2012 8:51 PM
No, but it's an interesting attempt. Pain and meds would affect this. A doctor will look at the eyes if someone claims to be in pain. The eyes will for lack of a better word choice from me, well, twitch. I deal with chronic pain and my doctors can tell just by looking if it's a bad day. It sucks getting old, but waking up on the green side of the grass is good.... Lol
Wim L • September 5, 2012 10:10 PM
@Bill: Icepick.
More seriously for @Vadim Lebedev: Many biometric readers have 'live person' detection algorithms. Retina scanners can look for a pulse in the blood vessels, for example. I imagine a saccade reader could require the user to look at a couple of randomly-located flashing lights, or have their iris respond to some illumination change, or something like that.
vasiliy pupkin • September 7, 2012 11:15 AM
@Wim L
Biometrics are of two types static (e.g. fingerprints) and dynamic (e.g. eye twicth patter), but you are right: there is combo when some dynamic only test not used as biometric itself but rather confirmation that actual mostly static biometric is provided by live person, not dummy, photo, video, etc.
My guess is that in a future dynamic biometric would incorporate by itself 'live person' verification as well utilizing other dynamic characteristics /measurements /
parameters.
Subscribe to comments on this entry
Post a comment
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.
|
| Subscribe |
Subscribe via Kindle |
| Blog Menu |
SearchPowered by DuckDuckGoBlog Home Page
Archives by Date2013 J F M A M
Tags  |
| Latest Book |
more books by Bruce Schneier |
Comments