DEyeAuth: A Secure Smartphone User Authentication System Integrating Eyelid Patterns With Eye Gestures

Password, fingerprint, and face recognition are the most popular authentication schemes on smartphones. However, these user authentication schemes are threatened by shoulder surfing attacks and spoof attacks. In response to these challenges, eye movements have been utilized to secure user authentication since their concealment and dynamics can reduce the risk of suffering those attacks. However, existing approaches based on eye movements often rely on additional hardware (such as high-resolution eye trackers) or involve a time-consuming authentication process, limiting their practicality for smartphones. This article presents DEyeAuth, a novel dual-authentication system that overcomes these limitations by integrating eyelid patterns with eye gestures for secure and convenient user authentication on smartphones. DEyeAuth first leverages the unique characteristics of eyelid patterns extracted from the upper eyelid margins or creases to distinguish different users and then utilizes four eye gestures (i.e., looking up, down, left, and right) whose dynamism and randomness can counter threats from image and video spoofing to enhance system security. To the best of our knowledge, we are among the first to discover and prove that the upper eyelid margins and creases can be used as potential biometrics for user authentication. We have implemented the prototype of DEyeAuth on Android platforms and comprehensively evaluated its performance by recruiting 50 volunteers. The experimental results indicate that DEyeAuth achieves a high authentication accuracy of 99.38% with a relatively short authentication time of 6.2 s and is effective in resisting image presentation, video replaying, and mimic attacks.