HAMAMATSU, Japan – Our unconscious eye reflex movements are unique to each of us, so unique that they could be used as our key to positive identification in security settings. Even if a third party with ill intent – an infiltrator, if you will – were to learn a person’s eye reflex patterns, it would be difficult to imitate them because human beings cannot control these reactions.Iris scans, electronic fingerprinting and signature recognition software are among the biometric tools increasingly being introduced for user authentication. In an attempt to bypass these systems, an intruder could make use of latent/remaining fingerprints or a photograph of a person’s iris, or he/she could forge a signature. The main problem with the aforementioned security methods is that they are based on information that easily can be leaked, obtained or replicated. Such biometric information must be stored in the authentication server, where it is available to someone who has the skill and cunning to retrieve it.Sneak attackThere also is the possibility that biometric information could be stolen in ways that are unexpected, such as by a sensor hidden in a wall or through phishing (“password fishing”) Web sites on the Internet, where users might be led maliciously to input their biometric information.Researchers Masakatsu Nishigaki and Daisuke Arai at Shizuoka University have put user authentication to work by using not only the physiological blind spot position in the eye but also, and more importantly, the involuntary saccade response – the repeated left-to-right movements made when our eyes track something moving right to left, and vice versa. Their work is described in the International Journal of Biometrics (Vol. 1, No. 2, 2008).The blind spot is a fixed region on the retina of each eye where the optic nerve bundle and blood vessels pass from the eyeball into the brain. There are no photoreceptors in these spots, and because the eyes work together to compensate for the deficit, we rarely notice it. The position of the blind spot can be determined relative to the direction of gaze.The investigators built a prototype to test 10 male students during 4000 trials. They used the blind spot position as a trigger to induce saccades, indirectly extracting differences in human reflexes. They achieved user identification by displaying a target within and outside the person’s blind spot and by employing eye-tracking technology to measure the reflex time taken until eye movements occur. Each pattern of responses would be unique. Nishigaki explained that the method transforms differences in physiological biometric information (blind spot) into differences in human reflexes to achieve authentication. As shown in this experimental scene, investigators have developed a prototype user authentication system that incorporates eye reflexes and blind spot position to positively identify a person in security situations. On the table is the apparatus part of a point-of-gaze detection device. The dot on the screen is the target display. Photos courtesy of Masakatsu Nishigaki.He said it is important to understand that, as long as the blind spot is used, there is the possibility that an impostor could change this physiological aspect through surgery or through the use of an ingenious contact lens and be successful in the impersonation. Currently, their method cannot prevent physical modification of the eyeball, he stressed.The prototype consists of an authentication program control device, an A/D converter, a chin rest, a target display monitor and a point-of-gaze detection device that incorporates a sensor for measuring eyeball motion. “Point of gaze” is a position that the user is seeing with his eye. The process is done with one eye covered. The sensor part of the point-of-gaze detection device is in front of the right eye. The left eye is covered.The program device receives data on the eyeball motions from the point-of-gaze device via the A/D converter and then calculates the point-of-gaze and blind spot positions.The processThe authorized user calibrates the point-of-gaze detection device so that the system measures his point of gaze in real time. It then measures the relative position of the blind spot with respect to the point of gaze and stores the calibration and the relative blind spot position data together with the user’s name.For authentication, the user inputs his file name into the system, which fetches the relevant data. It then sets the calibration data in the point-of-gaze detection device and starts real-time measurement of the point of gaze of the user. It acquires the blind spot in real time by calculating the relative position from the detected point of gaze. The system displays a target at a random position on the screen, and the user follows it with his eye. Saccades are induced as he acquires the target in his point of gaze, and the system measures the saccade response time. Conclusions and ongoing workIn their trials, the investigators found that the prototype could keep the rates of false rejection, false acceptance and spoofing success to low levels. Research must be done to ensure that the system is practical and reliable; for example, the team must determine that saccade response times remain constant with changes in users’ daily conditions, and that the relative position of the point of gaze and blind spot differs among large numbers of people. According to Nishigaki, the authentication system most likely would be very expensive and probably used for security situations that involve access to highly important or classified information. He said that the method might be a good match with eye-mounted displays.He noted that, ultimately, it is essential to devise a biometric authentication system that directly utilizes the differences in human reflexes themselves, without any other biometric information, but that this work will be very difficult.