Gaze authentication system against shoulder surfing Secure login with your eyes

Traditional authentication techniques such as passwords, PINs, and pattern locks are highly vulnerable to shoulder surfing attacks, where attackers can observe and capture user credentials during entry. To address this limitation, this paper presents a gaze-based authentication system that utilizes eye movement patterns as a secure and non-observable biometric modality.

The proposed system performs real-time eye tracking using MediaPipe Face Mesh, which detects 468 facial landmarks through a standard webcam, eliminating the need for specialized hardware. From these landmarks, unique biometric features including Inter-Pupillary Distance (IPD), Eye Aspect Ratio (EAR), fixation patterns, saccade velocities, and blink signatures are extracted to construct an individual gaze profile for each user.

During the enrollment phase, multiple gaze samples are collected and processed to generate a statistical representation of the user’s gaze behaviour. Authentication is carried out by comparing live gaze features with the stored profile using a Z-score–based similarity matching approach with weighted feature contributions. The system is implemented using a three-tier architecture consisting of a client-side processing module, a Django-based backend, and a PostgreSQL database, and is deployed as a Progressive Web Application (PWA).

Experimental results indicate that the system achieves reliable authentication with real-time performance and good usability. By introducing gaze as an invisible biometric factor, the proposed approach effectively mitigates shoulder surfing attacks and enhances the security of conventional authentication systems without requiring additional hardware.