Published May 28, 2026 | Version v1

Gaze as an implicit second authentication factor when using PIN mechanisms in extended reality

  • 1. Human Opsis
  • 2. ROR icon University of Patras
  • 3. ROR icon Aristotle University of Thessaloniki

Description

Recent advances in extended reality (XR) have enabled seamless access to immersive services. However, user authentication in these environments typically relies on conventional methods, such as PIN entry, which remains vulnerable to unauthorized use. This paper investigates gaze behavior as an implicit second authentication factor in XR. Using a Meta Quest Pro headset, participants performed legitimate and impostor login attempts while their gaze data were recorded. Temporal, spatial, and oculomotor metrics revealed distinctive and reproducible gaze dynamics between user roles. Tree-based machine learning models, particularly XGBoost, reliably distinguished legitimate from impostor sessions under user-independent validation (AUC =.84). Calibrating model thresholds further enabled adaptive balancing between security and usability. These findings demonstrate that gaze dynamics can unobtrusively enhance PIN authentication, introducing an adaptive layer that aligns authentication sensitivity with situational risk and user needs in immersive environments.

Files

Gaze as an implicit second authentication factor when using PIN mechanisms in extended reality.pdf