While user authentication happens before a login session is initiated or resumed, de-authentication detects the absence of a previously authenticated user in order to revoke her currently active login session. The absence of proper de-authentication can lead to well-known lunchtime attacks, where a nearby adversary takes over the running login session of a user who has carelessly walked away. Existing solutions for automatic de-authentication have distinct practical limitations, e.g., extraordinary deployment requirements or a high initial cost for external equipment. In this paper, we propose "DE-authentication using Ambient Light sensor" (DEAL), a novel, inexpensive, fast, and user-friendly de-authentication approach. DEAL uses the built-in ambient light sensor of a modern computer to determine whether the user is leaving her work desk. DEAL, by design, is resilient to natural shifts in lighting conditions and can be configured to handle abrupt changes in ambient illumination (e.g., due to toggling of room lights). We collected data samples from 4800 sessions with 120 volunteers in 4 typical workplace settings and conducted a series of experiments to evaluate the quality of our proposed approach thoroughly. Our results show that DEAL can de-authenticate a departing user within 4 seconds with a hit rate of 89.15% and a fall-out (false-positive rate) of 7.35%. Finally, bypassing DEAL to launch a lunchtime attack is practically infeasible, as it requires the attacker either to take the user's position within a few seconds or to manipulate the sensor readings in a sophisticated way in real time.
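The abstract names three properties of an ambient-light de-authentication monitor (a slowly adapting baseline that absorbs natural lighting drift, a departure decision inside a 4-second window, and configurable handling of abrupt illumination changes such as a room-light toggle) without giving the algorithm. The following is an added illustrative example, not the paper's DEAL implementation: the sampling rate, the thresholds, the "sustained moderate deviation" departure signature and the "fold-change" toggle heuristic are all assumptions of this example, and the lux sequences are constructed to exercise each case.

```python
from collections import deque
from typing import Iterable, Optional

SAMPLE_HZ = 4              # assumed sensor sampling rate (not stated in the paper)
DECISION_WINDOW_S = 4      # the paper's 4-second de-authentication budget


class LightDeauthDetector:
    """Toy ambient-light de-authentication monitor (assumed design, not DEAL's).

    * a slowly adapting baseline (EMA) absorbs natural shifts in lighting;
    * a sustained, moderate deviation from the baseline across most of the
      decision window is read as the user leaving the desk -> "lock";
    * a single-sample jump larger than `toggle_fold` is treated as a
      room-light toggle -> "relight": the baseline is reset instead of locking.
      Setting toggle_fold=float("inf") disables that handling, so abrupt
      changes are then judged like any other deviation.
    """

    def __init__(self, alpha=0.02, deviation_ratio=0.25, toggle_fold=2.5,
                 window=SAMPLE_HZ * DECISION_WINDOW_S, hit_fraction=0.75):
        self.alpha = alpha                  # baseline adaptation speed
        self.deviation_ratio = deviation_ratio  # relative deviation that counts as a hit
        self.toggle_fold = toggle_fold      # sample-to-sample fold change = light switch
        self.window = window                # samples in the decision window
        self.min_hits = max(1, round(window * hit_fraction))
        self.baseline = None
        self.prev = None
        self.hits = deque(maxlen=window)

    def feed(self, lux: float) -> str:
        """Consume one reading; return calibrating | present | relight | lock."""
        if self.baseline is None:
            self.baseline = self.prev = lux
            return "calibrating"
        lo, hi = sorted((self.prev, lux))
        self.prev = lux
        if hi / max(lo, 1.0) > self.toggle_fold:
            # abrupt global change (e.g. room lights toggled): re-baseline
            self.baseline = lux
            self.hits.clear()
            return "relight"
        deviation = abs(lux - self.baseline) / max(self.baseline, 1.0)
        hit = deviation > self.deviation_ratio
        self.hits.append(hit)
        if not hit:
            # only undisturbed samples feed the baseline, so a departure
            # signature is not absorbed before the window fills
            self.baseline += self.alpha * (lux - self.baseline)
        if sum(self.hits) >= self.min_hits:
            self.hits.clear()
            return "lock"
        return "present"


def run(readings: Iterable[float], **kwargs) -> list:
    """Verdict per sample for a whole reading sequence."""
    det = LightDeauthDetector(**kwargs)
    return [det.feed(x) for x in readings]


def seconds_to_lock(readings, departure_index: int, **kwargs) -> Optional[float]:
    """Seconds from the (known) departure sample to the first lock, or None."""
    for i, verdict in enumerate(run(readings, **kwargs)):
        if i >= departure_index and verdict == "lock":
            return (i - departure_index + 1) / SAMPLE_HZ
    return None


# Constructed lux sequences (4 Hz): not measured data.
STEADY = [300.0] * 40                              # user at the desk, 10 s
DRIFT = [300.0 + 0.5 * i for i in range(200)]      # slow brightening over 50 s
DEPARTURE = STEADY + [200.0] * 40                  # moderate, sustained drop after leaving
TOGGLE = STEADY + [900.0] * 40 + [300.0] * 40      # lights switched on, later off

if __name__ == "__main__":
    print("drift      ->", "lock" in run(DRIFT))
    print("departure  ->", seconds_to_lock(DEPARTURE, 40), "s")
    print("toggle     ->", run(TOGGLE).count("relight"), "relight events,",
          "lock" in run(TOGGLE))
    print("toggle (handling disabled) ->",
          seconds_to_lock(TOGGLE, 40, toggle_fold=float("inf")), "s")
```

With these constructed inputs the slow drift never locks, the departure locks 3 seconds after the user leaves, and the two light toggles only re-baseline the detector; disabling toggle handling turns the same light switch into a false lock, which is the trade-off the abstract's "can be configured" phrase points at.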