Eye Tracking Authentication - a mechanism where eye movement patterns are used to verify a user's identity - is increasingly being explored for use as a layer of security in computing systems. Despite being widely studied, there is barely any research investigating how these systems could be attacked by a determined attacker. In particular, the relationship between pupil characteristics and lighting is one that could lead to vulnerabilities in improperly secured systems.This paper presents Morph-a-Dope, an attack that leverages lighting manipulations to defeat eye tracking authentication systems that heavily rely on features derived from pupil sizes. Across 20 attacker-victim pairs, the attack increased the EER by an average of over 50% as compared to the zero-effort attack by the overall population, and as much as 500% for individual victims. Our research calls for a greater emphasis on manipulation-resistant pupil size features or system designs that otherwise avoid such vulnerabilities.