Passive Eye Monitoring in Information Security

Abstract

In the post-September 11 era, security is becoming more and more critical. An important component of information security is user authentication, the ability of an information system to certify that a user is who she claims she is. Authentication can involve one of two processes: identification or verification. For identification, information about an unknown user must be compared against similar information for all possible users. The best match is returned within a confidence level. For verification, a user identity (entered as a user name for example) must be compared only against an existing signature (usually a password) stored for that user. While identification is important for database searches, for example to locate a person based on fingerprints left at a crime scene, most information systems implement authentication as verification. A user types in his or her user name or scans an identification card, then enters a password to verify the identity. Authentication as verification is used for both physical access (for example to secure areas) and for online access (for example to log in to a computer terminal). Secure user authentication requires that users be endowed with credentials which are i) unique for each user, ii) not easily stolen or lost and iii) reasonably affordable and iv) convenient to use. The order above is not an indication of importance of the various requirements.