Where Are the Dots: Hardening Face Authentication on Smartphones With Unforgeable Eye Movement Patterns

Abstract

With the ubiquitous adoption, mobile face authentication systems have been facing constant security challenges, particularly the spoofing risks. Except for those using specialized hardware, existing proposals for face anti-spoofing on mainstream smartphones either leverage people’s 3D face characteristics or various facial expressions. While showing progress towards more resilient face authentication, they are still vulnerable to recent advanced attacks (e.g., 3D mask attacks, video attacks, etc.). This paper presents GazeGuard, an on-device face anti-spoofing system that leverages unpredictable and unforgeable eye movement patterns to provide strong security guarantees against all known attacks. Targeting mainstream smartphones, GazeGuard is designed to conduct eye movement-based authentication using only 2D front cameras. Specifically, by presenting a series of short-lasting random dots on the screen (named gazecode), GazeGuard simultaneously captures a user’s gaze responses and the corresponding deformed periocular features to ensure both the freshness and correctness for the anti-spoofing face authentication. We have extensively tested GazeGuard’s performance over 50 volunteers. Using a 4-digit gazecode (just four random dots), GazeGuard achieves an average 90.39% authentication accuracy and 81.57 out of 100 System Usability Scale (SUS) scores. Under the same settings, GazeGuard achieves detection accuracy of 95.72% for image attack, 95.59% for video attack, 99.73% for 3D mask attack, and 100% for physical adversarial attack.