While user authentication happens before initiating or resuming a login session, de-authentication detects the absence of a previously-authenticated user to revoke her currently active login session. The absence of proper de-authentication can lead to well-known lunchtime attacks, where a nearby adversary takes over a carelessly departed user's running login session. The existing solutions for automatic de-authentication have distinct practical limitations, e.g., extraordinary deployment requirements or high initial cost of external equipment. In this paper, we propose "DE-authentication using Ambient Light sensor" (DEAL), a novel, inexpensive, fast, and user-friendly de-authentication approach. DEAL utilizes the built-in ambient light sensor of a modern computer to determine if the user is leaving her work-desk. DEAL, by design, is resilient to natural shifts in lighting conditions and can be configured to handle abrupt changes in ambient illumination (e.g., due to toggling of room lights). We collected data samples from 4800 sessions with 120 volunteers in 4 typical workplace settings and conducted a series of experiments to evaluate the quality of our proposed approach thoroughly. Our results show that DEAL can de-authenticate a departing user within 4 seconds with a hit rate of 89.15% and a fall-out of 7.35%. Finally, bypassing DEAL to launch a lunchtime attack is practically infeasible as it requires the attacker to either take the user's position within a few seconds or manipulate the sensor readings sophisticatedly in real-time.