Schneier on Security
A blog covering security and security technology.
November 17, 2010
Eye movements instead of eye structures.
The new system tracks the way a person's eye moves as he watches an icon roam around a computer screen. The way the icon moves can be different every time, but the user's eye movements include "kinetic features" -- slight variations in trajectory -- that are unique, making it possible to identify him.
Posted on November 17, 2010 at 7:13 AM
A lot of these newer behavioral identifiers make me wonder if they have studied them enough to determine how they will vary over time. I guess an "expiring biometric" has its uses.
Sure would suck to have a lazy eye...
or be blind..
or have your eye sight fade...
It's an unreliable biometric after a few weeks (has been known to be for some time). It has been looked at before for "auto select" on Pilot HUDs.
Basically as you learn various tasks like speed reading your brain adjusts to using different parts of the retina. You can do the same with cognitive behaviour therapy so...
The question is what size is the grant cheque or am I getting cynical in my old age.
Or have astigmatism…
Or develop cataracts...
Or develop diabetes...
Or have a stroke...
I don't see how this biometric test accounts for, or accommodates, those of us who may have a degenerative eye disease or simply get old.
Or have nystagmus (as many with MS do)...
It fails to accommodate you in the same way that fingerprinting fails for those of us without fingers.
It basically goes without saying that any biometric will fail for a certain segment of the population.
Or gets enough caffeine or other substance in their blood system to significantly alter their behavior for a short period of time.
Hell, I notice my eyes moving differently after an extended session; it usually lasts for at least 2-3 hours.
@Anonymous Prime: The difference is that my fingerprints aren't going to change into other fingerprints. There are a lot of other problems, but there will be no gradual change over time.
This is not true of eye movements. It is very possible for vision to deteriorate gradually, and this will cause eye movements to change. It is possible to get more familiar with a situation and have eye movements change. (If you drive a car, your eye movements while doing so have doubtless changed drastically over time, as you got familiar with observation while driving.)
Umm, make that extended gaming session, clicked a little too fast
The article says the company is claiming 97% accuracy under what appear to be optimal conditions. I guess that means you'd only get locked out of your office a few times a month or a few times a week, depending on how often you had to go out and back in again.
There are certainly applications where something like this (with suitable backup and as part of a defense in depth) would be useful. I think.
Presumably, this is similar in concept to the signature recognition systems that have been available for years. It doesn't just look at the finished signature (mine seldom matches like that) but looks at *how* you sign AND ALSO updates the stroking database with every positive identification. As long as you're signing into the system frequently enough (and not waiting three years between uses), it seems to be pretty robust. No reason this eye tracking thing couldn't continuously update its data.
Of course, as with all this biometric BS, physical security of the system is paramount - wouldn't be hard to bypass the sensor and feed the computer whatever data you want.
There are probably degenerative neurological conditions which could affect it over time. I wonder if normal brain changes from aging could, too.
Or medications which affect the motor neurons...
Great, somebody finally made a lock that is not likely to work when you are being chased by a murderer. Hollywood will probably order a ton of these systems to be integrated into car door locks.
I have macular degeneration in both eyes with changes that occur quite frequently, i.e., every couple of weeks. I have had chemo injections into my eyes for the last two and a half years to stop blindness. How in the world could they ever track anything my eyes or if a retinal scan would be doing? I have had retinal scans every month for five years now. Each of these laser scans has returned a different image.
The first thing I thought about when I started reading was "I hope it's not some random target thing," and then, "what if they devised a system based on something like a subject reading their own name." That is, the eye movements pertaining to seeing something familiar.
Will the subject also be read a series of questions to test emotional response?
My eye movements are completely different depending on the mood - and that's not even as bad as for 'normal' people for being somewhat autistic.
If I'm nervous, I'm sure my eye patterns would fail the recognition they use.
Same goes if I'm in my own world - either I don't really react to the external or then I react a lot.
The only time the eye movements might follow a pattern is if I'm equally bored - and that is either similarly trapped inside my head or receiving similar external stimuli.
If I'm angry I'm sure the eye patterns would match those of a lot of other angry people.
And yes, coffee and alcohol were already mentioned above.
We call it Voight-Kampff for short.
I think the interesting bit is that the thing you track is different each time you are checked, defending against replay attacks...
If they could integrate this into a way to actually move the cursor instead of using a mouse/pad, then I could *see* the attraction.
That would be awesome
Otherwise, it appears to have marginal to no benefit over existing controls but adds a new set of risks.
I wonder how hard it actually is to authenticate as someone else by mimicking his or her eye movements.
Of course the company that markets it will claim that it's very difficult.
The biometric described in the article would not be affected by poor eyesight, development of cataracts, development of diabetes-induced retinal damage, etc. However, it almost certainly would be affected by the following: general fatigue, eye fatigue, metabolism-altering drugs such as caffeine and amphetamines, drugs that affect muscle movement such as tranquilizers and antihistamines, drugs that affect coordination and fine movement such as amphetamines, sedatives, anticonvulsants, etc. The method's designers have not done within-person studies to assess these factors. I suspect that they will find so much within-person variation that the technique will have no value as an identifier. (It might have value in assessing performance. For example, it could be used by the military and the airlines to see if pilots are affected by illness or medications.)
The company is not claiming this is ready for use. The researcher is quoted as saying the system needs to be tested on many more subjects and over time. So there seems to be some realistic caution there.
However, I would submit that 97% accuracy is way too low for something as important as security. So even if their algorithm maintains its current accuracy, it still is not good enough.
What is wrong with a key lock and key code combo? I think that fits the two-factor authentication criteria, too...
> There are certainly applications where
> something like this ... would be
> useful. I think.
Yep. If they really uniquely identify a person, they'd work great for an account id.
But biometrics like this are not secret, so they make lousy authentication credentials.
as an additional problem, after the issue of (re)training a familiar/repetitive task, and other changes in eye movement over time - what happens when you start getting bored of doing this 'test' to get through the door or get into the system?
it won't take long for many people to get fed up with having to play 'follow-the-dot-to-pass-the-lock' ... at least with iris scan, fingerprinting, or facial 'recognition' you don't have to pay attention ...
it may have some value along the lines @dr t suggests above. though again, boredom, frustration, and other emotional/environmental factors will play a role here too.
why bother with this game, when you could measure elements of a person's movement as they walk up to the lock as a preliminary 'what you are' factor. upgrade (a) cctv camera for facial recognition plus iris scan; combine all that with a key code...
with decent hi-res colour video feed, your system could analyse gait, gestures, posture, face, eye movements, iris scan and have a multi-factor match as an ongoing process the whole time.
add in rfid tag(s) for extra points, track your mobile phone with local gprs/gsm mini-towers, and so on. why rely on any one factor when some software, a few bits of kit, and a network of small servers could provide you with complete coverage and constant multi-factor (re)verification.
hell, give 'em key cards and passcodes so they think *that's* the identification tool ...
Put reversing prisms on for a couple days and your saccade trajectories will have changed substantially and irreversibly.
"kinetic features" -- slight variations in trajectory -- that are unique
I see no proof for this claim. And it's pretty early in the life cycle to be claiming a new trait is individually unique. We work under the assumption that fingerprints and dna are unique but that hasn't been proved yet has it.
"less complicated than using ... a smart card to gain access"
Says who? Proximity cards are just waved at the reader and the card/pin combination is a technique used by anyone with a bank card. Any 2nd factor added to the crazy eyes system here makes it as complex as any system now in use.
In addition to the critiques here of a trait that changes over time...why pursue biometrics anyway?
An identity isn't something we are; it's something we're given -- as part of a relationship. And relationships end. I think an artificial identity not tied to pieces of my body, that can be definitely ended, is preferable.
"97% accuracy" is a very vague metric, as accuracy (as technically defined) is dependent on the ratio of true positives and negatives, as well as where they set the cutoff. Would it be that confusing to report two numbers, such as sensitivity and specificity?
"Our algorithm lets an impostor in 2% of the time and keeps the rightful owner out 4% of the time." Then again, anyone could understand how useless that is...
Of course, this topic has been addressed several times before here.
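The point raised in the comments above, that a single "97% accuracy" figure hides the false-accept rate (FAR) and false-reject rate (FRR) and depends on both the cutoff and the mix of genuine and impostor attempts, worked through as an added example that is not part of the original post or comments. The match scores are constructed for illustration and are not data from the eye-tracking system; only the 2% and 4% figures come from the comment.

```python
# Added illustration. The match scores are constructed, not measurements
# from any eye-tracking system. Higher score = better match to the template.
GENUINE = [0.95, 0.93, 0.92, 0.90, 0.89, 0.88, 0.87, 0.86, 0.85, 0.84,
           0.83, 0.82, 0.80, 0.78, 0.76, 0.74, 0.71, 0.68, 0.62, 0.55]
IMPOSTOR = [0.10, 0.15, 0.20, 0.22, 0.25, 0.28, 0.30, 0.33, 0.35, 0.38,
            0.40, 0.42, 0.45, 0.48, 0.50, 0.53, 0.57, 0.60, 0.66, 0.72]


def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FRR, FAR) when attempts scoring >= threshold are accepted."""
    frr = sum(s < threshold for s in genuine) / len(genuine)     # owner kept out
    far = sum(s >= threshold for s in impostor) / len(impostor)  # impostor let in
    return frr, far


def accuracy(frr, far, impostor_fraction):
    """Fraction of all decisions that are correct for a given attempt mix."""
    return (1 - impostor_fraction) * (1 - frr) + impostor_fraction * (1 - far)


def sweep(thresholds, impostor_fraction):
    """One row per cutoff: (threshold, FRR, FAR, accuracy)."""
    rows = []
    for t in thresholds:
        frr, far = error_rates(t)
        rows.append((t, frr, far, accuracy(frr, far, impostor_fraction)))
    return rows


if __name__ == "__main__":
    # The comment's figures (FAR 2%, FRR 4%) are exactly "97% accurate" only
    # when half of all attempts are impostors.
    for mix in (0.01, 0.5, 0.99):
        print(f"FAR 2%, FRR 4%, {mix:.0%} impostors -> {accuracy(0.04, 0.02, mix):.2%}")
    # A lock that rejects everyone is also "97% accurate" if 97% of attempts
    # are impostors.
    print(f"reject-all, 97% impostors -> {accuracy(1.0, 0.0, 0.97):.2%}")
    # Moving the cutoff trades FRR against FAR; accuracy moves with the mix.
    for mix in (0.05, 0.95):
        for t, frr, far, acc in sweep((0.60, 0.70, 0.75), mix):
            print(f"mix={mix:.0%} cutoff={t:.2f} FRR={frr:.0%} FAR={far:.0%} acc={acc:.2%}")
```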
"We work under the assumption that fingerprints and dna are unique but that hasn't been proved yet has it."
No, actually, if we're competent at it we work with the knowledge that DNA evidence *can* match more than one person. It's not a complete genomic scan, and it's not proof on its own that a specific person was present. Where it comes in really handy is ruling out suspects instead.
@BF Skinner: "... We work under the assumption that fingerprints and dna are unique but that hasn't been proved yet has it...."
We already know that fingerprints are not unique unless the investigators have unsmudged, hi-res prints of all ten fingers.
DNA is unique to all non-twin individuals, but DNA testing doesn't examine the entire genome. That's why results are given as probabilities (eg: there is only a one in a billion chance that someone else could have the same DNA markers). The probabilities are somewhat misleading, though, because they are for random persons. A close relative would be far more likely to match the tested markers than a random person.