Swap It Like Its Hot: Segmentation-based spoof attacks on eye-tracking images

TL;DR

This paper introduces IrisSwap, a novel digital attack that swaps iris patterns in eye-tracking images to deceive biometric authentication systems, exposing vulnerabilities in current liveness detection methods.

Contribution

The paper presents IrisSwap, a new segmentation-based attack that can bypass existing defenses, highlighting the need for more robust eye-tracking authentication techniques.

Findings

IrisSwap can deceive state-of-the-art defenses at rates up to 58%.

Both offline and online attacks are effective against current models.

Current liveness detection methods are vulnerable to digital iris swapping.

Abstract

Video-based eye trackers capture the iris biometric and enable authentication to secure user identity. However, biometric authentication is susceptible to spoofing another user's identity through physical or digital manipulation. The current standard to identify physical spoofing attacks on eye-tracking sensors uses liveness detection. Liveness detection classifies gaze data as real or fake, which is sufficient to detect physical presentation attacks. However, such defenses cannot detect a spoofing attack when real eye image inputs are digitally manipulated to swap the iris pattern of another person. We propose IrisSwap as a novel attack on gaze-based liveness detection. IrisSwap allows attackers to segment and digitally swap in a victim's iris pattern to fool iris authentication. Both offline and online attacks produce gaze data that deceives the current state-of-the-art defense models at rates up to 58% and motivates the need to develop more advanced authentication methods for eye trackers.