After more than six decades, passwords remain a ubiquitous approach to authentication. The main reason is that passwords currently provide a balance between usability, security, and administrability: no other mechanism offers an equally good trade-off between the effort required for implementation, ease of administration (e.g., resetting or changing credentials), ease of use, and security. However, memorizing passwords is nearly impossible given the large number of accounts each user has. As a result, individuals are more likely to create weak, easily remembered passwords or to reuse passwords. According to the literature, a single user has, on average, 80 accounts and over 3.5 passwords shared between them. Users expose themselves to guessing and brute-force attacks when they create weak passwords, and to a single point of failure when they reuse passwords. On the other hand, advances in computer vision have made eye tracking ubiquitous. According to the literature, users' eye gaze movements can reveal their gender, age, ethnic group, sexual orientation, mental disease, physical illness, and more. Accordingly, in this thesis, we introduce eye gaze behavior to enhance security mechanisms, focusing on knowledge-based passwords as a use case. We first start by understanding users' gaze behavior during authentication and study the relation between password creation and cognitive load. Then we look at how this behavior can be modeled using different machine learning classifiers. After that, we provide a framework for employing gaze behavior in security systems. Finally, we discuss how gaze behavior can be used beyond authentication and reflect on different ethical and user-privacy aspects of exploiting eye gaze behavior in different security mechanisms.