De-Authentication Using Ambient Light Sensor

While user authentication happens before initiating or resuming a login session, de-authentication detects the absence of a previously-authenticated user to revoke her currently active login session. The absence of proper de-authentication can lead to well-known lunchtime attacks, where a nearby adversary takes over a carelessly departed user’s running login session. The existing solutions for automatic de-authentication have distinct practical limitations, e.g., extraordinary deployment requirements or high initial cost of external equipment. In this paper, we propose “DE-authentication using Ambient Light sensor” (DEAL), a novel, inexpensive, fast, and user-friendly de-authentication approach. DEAL utilizes the built-in ambient light sensor of a modern computer to determine if the user is leaving her work-desk. DEAL, by design, is resilient to natural shifts in lighting conditions and can be configured to handle abrupt changes in ambient illumination (e.g., due to toggling of room lights). We collected data samples from 4800 sessions with 120 volunteers in 4 typical workplace settings and conducted a series of experiments to evaluate the quality of our proposed approach thoroughly. Our results show that DEAL can de-authenticate a departing user within 4 seconds with a hit rate of 89.15% and a fall-out of 7.35%. Finally, bypassing DEAL to launch a lunchtime attack is practically infeasible as it requires the attacker to either take the user’s position within a few seconds or manipulate the sensor readings sophisticatedly in real-time.


I. INTRODUCTION
Computer users in different establishments (e.g., universities, workplaces) often share workspace.These users either work on shared computers (e.g., in a library) or have a dedicated computer 1 (e.g., in an office).In either case, user authentication is critical to prevent any unauthorized access.Generally, the user authenticates via the secret PIN, password, or recently emerging biometrics-based techniques.However, such authentication typically happens only once while initiating the login session.After successful authentication, the user spends time to continuously use the computer and its services.If the user wants to leave her computer for whatever reason during this period, her currently active session must be locked/logged out; especially in shared workspace settings.Failure to do so can lead to lunchtime attacks [1,2], where an adversary (typically an insider) gains access to the user's running session and engages in potentially undesirable activities.
To prevent such unauthorized access, either the user must terminate the running session by explicitly locking/logging out, or the system must automatically revoke the previouslyauthenticated session, i.e., de-authenticate the user.Oftentimes, the users are apathetic or lazy (especially when taking short breaks) and avoid terminating the session because logging in again can be annoying.On another side, deauthenticating the user frequently with too-short inactivity timeouts can aggravate the user while choosing a too-long inactivity timeout leaves room for lunchtime attacks [3].
Researchers from both academia and industry have put immense efforts into making the authentication techniques more robust, accurate, efficient, and convenient to use [4].For instance, biometric-based authentication techniques impose less cognitive load on the users compared to the passwordbased approach.Nonetheless, password-based authentication still remains the most commonly used approach; mainly because it is intuitive and does not require any special hardware.But passwords have their demerits.First, recent technological advances are making passwords even more susceptible to cracking and potentially obsolete for use in the near future [5].Second, passwords have no role in automatic user deauthentication, which means a separate mechanism is required.To this end, researchers have proposed different user deauthentication and continuous-authentication mechanisms.The state-of-the-art solutions (cf.Section II) require external equipments [1,2,[6][7][8][9][10][11], are relatively expensive [1,2,9,11], need physical customization or specific installation [1,2,7,8,12], are complex to deploy [2,6,7], involve regular maintenance [2,[8][9][10], or sometimes cause inconvenience to the user [6,[9][10][11].Such limitations hinder a broader adoption of the existing solutions.Therefore, a solution is needed that can address all of these issues while handling the automatic user de-authentication process efficiently.
On the other side, consumer devices (e.g., phones, tablets, computers) are becoming sensor-rich to provide different useful functionalities.Ambient Light Sensor (ALS) is one such sensor.ALS has been pervasively found on phones and tablets.Nonetheless, ALS has recently started to become common on consumer-grade laptops and desktops; primarily to comfort users' eyes by adapting the brightness and/or color tone of the screen in response to changing lighting conditions.ALS is generally mounted on a computer's display screen (e.g., as shown in Fig. 1).A generic ALS is both fast and efficient in capturing changes in lighting conditions.
In this paper, we propose "DE-authentication using Ambient Light sensor" (DEAL), a novel de-authentication technique that utilizes the built-in ALS of a computer to decide whether the user is leaving her work-desk.In particular, DEAL takes advantage of the fact that a user normally sits/stands closer (suggested between 16 to 30 inches [13]) to the computer while working.Thus, the user can affect the illumination perceived by the computer's ALS when she moves away.In the simplest case, the user directly blocks the Line-of-Sight (LoS) path between ALS and the light source.Nonetheless, the ambient lighting conditions around the computer's ALS can also be influenced due to partial blocking of its LoS, shadowing it, or even reflection of light towards it from the departing user's body (cf.Section IV).We design DEAL to analyze the changes in lighting conditions via ALS readings to decide whether the user is departing from her work-desk.DEAL intrinsically addresses the above-mentioned issues of the state-of-the-art works by its design, i.e., (1) no external equipment is required as ALS is built-in a modern computer, (2) ALS is low-cost that too is already included in the computer's cost, (3) no physical installation of hardware is needed, (4) it is simple to deploy its software, (5) no periodic maintenance is required as an ALS is generally longlasting and is powered directly by the computer, and ( 6) more importantly, it is user-friendly as the user is not required to carry or wear any apparatus.
Contribution: The contributions of our work are as follows: 1) We propose DEAL, a novel, unobtrusive, fast, and inexpensive de-authentica-tion approach that is suitable for modern computers equipped with a built-in ALS. 2) We thoroughly evaluate the performance of our proposed approach using data samples collected from 4800 sessions with 120 volunteers in 4 typical workplace settings.DEAL can attain an overall hit rate of 89.15% and a fallout of 7.35% to de-authenticate the user within 4 seconds.3) Finally, we compare DEAL with the state-of-the-art deauth-entication approaches and delineate their respective advantages and limitations.We argue that the said performance of DEAL comes without any extraordinary requirements, customization, or expensive equipment, which makes it suitable for practical adoption.Organization: The remainder of this paper is organized as follows.Section II presents a comparative summary of the related works.We elucidate our system and adversary models in Section III.We explain our proposed approach in Section IV and present its evaluation in Section V. Section VI elaborates on the salient features and potential limitations of our work.Finally, Section VII concludes the paper.
On another side, the need of user de-authentication arises after successful authentication of a user by the system.It is worth mentioning that a user's de-authentication by the system is independent of the authentication step.Therefore, the procedures for user de-authentication are distinct.One of the commonly used mechanisms for user de-authentication is the inactivity time-out approach.However, such an approach is ineffective because: (1) determining the optimal length of a static timeout interval is not straightforward, and (2) checking the user's presence/absence in front of the system is beyond its scope [3].Given the significance of user de-authentication to prevent lunchtime attacks, different mechanisms have been proposed that aim at continuously establishing the user's presence/absence near the system.
Kaczmarek et al. [2] propose Assentication to profile user's sitting posture.In particular, Assentication installs 16 pressure sensors in an office chair to capture a hybrid biometric trait by combining user's behavioral and physiological characteristics.Though Assentication has low false positive and false negative rates, it has two key limitations.Firstly, it has low permanence, i.e., the hybrid biometric trait that it captures naturally changes over time for a given user.Secondly, the cost involved is not trivial, i.e., about $150 per chair.While eye movement tracking has been previously employed to authenticate users [16], Eberz et al. [1] use gaze tracking to prevent lunchtime attacks.Their system continuously tracks the user's eye movements with high accuracy.Since gaze tracking requires its user to keep their sight in a particular direction, any head moment taking the sight away can generate false positives.Moreover, the cost of eye-tracking equipment hinders its large-scale adoption.Rasmussen et al. [6] propose a new biometric based on the human body's response to an electric pulse signal.Their approach involves applying a low-voltage pulse signal to user's one palm and measuring the body's response in the user's other palm.Apart from the cost of specialized hardware, engaging both hands of the users with pulse-response hardware restricts its general acceptability.Similarly, authors in the work [11] use ECGs to build continuous authentication systems that require end users to wear specialized hardware.
FADEWICH [7] measures the attenuation of wireless signals due to the human body for estimating the location of a user in a room, and the user is de-authenticated based on the user's estimated position.Their system uses 9 sensors in a fixed office setup to achieve very high accuracy.The major drawback of their approach is that the structure and setup of the office heavily affect the placement of sensors.Thus, each office requires customized positioning of sensors.Moreover, the presence and movements of other persons induce false positives.Keystroke dynamics technique [19] profiles a user's typing style.It is a simpler mechanism for continuous authentication, which is easily deployable and does not need specialized hardware.However, researchers [20] have shown that a brief training is sufficient to imitate typing pattern of the target users, even when their typing patterns are only partially known.DEB [8] instruments an office chair with two Bluetooth low-energy beacons.An application running on the target system monitors the signal strength of the received Bluetooth beacons.A human body present in the line of sight of a beacon affects the strength of the received signal, which is interpreted to keep the user logged into the system.Apart from interference due to nearby beacons, the lifespan and appropriate installation of Bluetooth beacons are the key concerns here.BLUFADE [12] employs deep learning algorithms to continuously detect the user's face in a webcam feed.However, using a camera feed for de-authentication carries apparent privacy concerns [21].Thus, the authors propose to obfuscate the webcam with a physical blurring layer (e.g., antireflective obfuscating film) and use blurred images for face detection.Such an approach hampers the normal usage of the webcam.More importantly, it does not address the possibility of reconstructing the user's facial traits from blurry images.
ZIA [10] proposes monitoring the proximity of the user via a physical token borne by the user.Such a token periodically exchange information with the target system over a secure channel, and in the absence of such communication the user is de-authenticated by the system.Similarly, ZEBRA [9] uses a wrist bracelet fitted with a gyroscope, an accelerometer, and a radio.When the user interacts with the system, the bracelet captures and shares the wrist movements with an application running on the system.The application correlates the wrist movements with strokes on the keyboard to establish the user's presence.The key limitation of these approaches is that the user is required to always bear the token/bracelet.Furthermore, the tokens/bracelets also require periodic recharging or replacement of batteries.Relevant to our work, researchers have used ALS for user authentication [22] and tracking a user's activities [23][24][25][26].

III. SYSTEM AND ADVERSARY MODELS
In this section, we describe the system and adversary models we consider in our work.Section III-A presents the deployment scenario of the proposed de-authentication mechanism, and Section III-B elucidates the potential threat maneuvers of an adversary.

A. System model
DEAL is designed for computers that come with a builtin ALS.The ALS data feed is processed in real-time by a simple application running in the background on the target computer.Since the primary goal of any de-authentication mechanism is to prevent lunchtime attacks that are prevalent at workplaces [1,2,8], our proposed system is expected to be used in common workplace setups.DEAL is absolutely unobtrusive.The user arrives at her work-desk, settles in her chair, logs into her computer (a desktop or docked laptop) via a preset authentication mechanism, uses the computer, and finally gets up to leave her desk.While the user prepares to depart from her desk, the system should automatically lock her out to prevent any unauthorized access.DEAL uses the lightintensity data feed from ALS to de-authenticate a departing user in real-time.
Contrary to state-of-the-art de-/continuous-authentication mechanisms [1,6,9,19], DEAL does not need the user to interact continuously with the system.In fact, there can be situations when the user is present at the work-desk, but not interacting with the system.For instance, the user may be using a smartphone, reading a document, or simply watching a photo on the system.In such scenarios, de-authenticating the user due to her inactivity is undesirable and can be annoying.

B. Adversary model
We assume that the adversary has physical access to the user's office and, consequently, to her computer.An office colleague, a visitor in the office, a business customer, or a housekeeping person are some representative examples of such an adversary that may be interested in getting access to her computer.Since the adversary does not know the login credentials required for logging in to the user's computer, the adversary's goal is to gain access to the user's running/authenticated session.
An adversary can try the following to bypass DEAL: (1) take the user's position (and control the computer) before DEAL can de-authenticate the user, or (2) manipulate light intensity perceived by her computer's ALS in such a way that DEAL does not de-authenticate the departing user at all.The former approach represents the typical lunchtime attack strategy.It is straightforward, yet effective if DEAL takes too long to de-authenticate.So, DEAL should operate fast enough to render such an attempt ineffective.The latter may involve using sophisticated tools.For instance, the adversary may use a custom beam of light to compensate for the ALS readings affected due to the departing user.Such a maneuver requires the adversary to know the exact light intensity levels observed by the target ALS when the user is departing, which may be possible by: (1) installing an ALS near the target's ALS (ineffective; as it will visible to the user), (2) compromising the target machine to get such information (beyond the scope of the lunchtime attack), or (3) physically approaching the desk to measure/compensate readings (essentially the same as the first approach; a fast operating DEAL will handle it).
On another side, a different type of adversary can focus on triggering false de-authentications, e.g., by turning the lights on or off in the room.Although such an action can annoy the user by incorrectly de-authenticating her, the adversary does not get access to the user's computer.Nonetheless, toggling room lights is a part of routine office activities.Such sudden changes in lighting conditions significantly affect the ALS readings and induce large outliers.Therefore, we can easily identify and adapt to new lighting conditions if such large outliers in the ALS readings are consistently present.

IV. PROPOSED METHOD
We now present the conceptual and intrinsic details of DEAL.The fundamental task of a meaningful deauthentication technique is to determine the user's presence in front of the computer.To this end, DEAL utilizes data feed from the computer's ALS.The illumination perceived by ALS can be affected due to the user's movements.As a representative example, Fig. 1 demonstrates that a user's movement of getting up/down from her chair can directly affect the ambient lighting conditions around the computer's ALS.Naturally, the scale and duration of such an impact depends on a variety of factors, e.g., how much/for how long the user has intersected the LoS path between ALS and the light source.We would like to highlight that though the light sources are typically roof-mounted (or, mounted high on the wall) in workplaces, the light source may not be in the direct LoS of ALS (cf.Fig. 1).However, a user's movements can still affect the lighting conditions around ALS.In particular, due to partial2 blocking, shadowing, or even reflection of light from the departing user's body.By measuring the changes in ambient lighting conditions through ALS readings, DEAL determines whether the user is departing from her work-desk, and subsequently de-authenticates her when required.We make the following two reasonable assumptions in the implementation of DEAL: (1) the user will continue to work in the same position (standing or sitting) as she was in while initializing the current login session, and (2) if the user was sitting, she will get up before leaving.It is worth mentioning that if the user is standing while working at her work-desk, she will likely be blocking ALS' LoS.Such a case is simpler to handle for DEAL.For the sake of brevity, the rest of the paper proceeds with the scenario in which the user is sitting while using her computer.
The data feed from ALS can be modeled as a univariate time series of the observed light intensity.Thus, DEAL where ∆ (a natural number) is a predefined threshold.Such sliding window average-based methods are typically designed to identify an outlier outside of the current trend in a time series.However, a single outlier may not be sufficient in our case to distinguish the user's movements correctly.Because an ALS can provide several readings -according to its operating frequency (f , in Hz) -within a fraction of time.Moreover, different user activities can last for a different amount of time, e.g., the act of getting up and moving away from the computer can take up to a few seconds.So, it is intuitive to say that if a user's movement intercepts ALS's LoS for a longer period of time, then it will affect more ALS readings.We design DEAL to incorporate the duration of impact on ALS to distinguish user movements.To this end, we define a parameter η (in seconds).While ∆ defines the minimum distance between an outlier and the average of running window (cf.Eq. 1), η specifies the minimum duration of time during which each consecutive 3 R should be an outlier for recognizing the user to be departing and subsequently de-authenticating her.
Our system has two more parameters, i.e., ω (in seconds) and ℓ (in seconds).ω defines the size of the sliding window.ℓ is a tuning parameter that defines the maximum duration of time from the occurrence of the first outlier in a wave of outliers, during which the required consecutive outliers should occur for user de-authentication.From the virtues of their respective definitions, η ≤ ℓ.The system will not work if η > ℓ, because it is impossible to have η (say 5 seconds) of consecutive outliers within a shorter ℓ (say 2 seconds).To simplify, ℓ separates waves of outliers.A larger value of ℓ enables us to process more values of R to satisfy constraints on η.However, a larger ℓ will cause a delay in resetting and recovering from a (short) wave of outliers.On another side, a larger value of η prevents false alarms due to subtle user movements.Algorithm 1 exhibits the pseudocode for the core logic of DEAL.
Since each ALS can operate at a different f , we begin with aligning ω and η to a given ALS via its f (lines 1-3).We next initialize the window and temporary variables (lines 4-6).We compare each reading from ALS with the mean of window (lines 7-9).If an outlier is found, a counter is incremented (line 10) while the time is recorded for the first outlier (lines 11-12).If R is not an outlier, the counter for outliers is reset (line 15), and R is adjusted in window (lines [16][17].It is noteworthy that the running window average directly 3 Our current implementation requires each consecutive R in η duration of time to be an outlier.We are aware that such a design decision can result in false negatives even when one of the values is not an outlier.However, such a stricter control helps us evaluate the minimum performance of our system.We can certainly optimize such checks to improve the system. Crrently, η works with a parameter ℓ to provide some relaxation to the system.if De-authenticate() end if 25: end while handles the natural shifts in lighting conditions.The user is de-authenticated if the required number of outliers (η ′ ) are found within ℓ seconds (lines [19][20].If the time elapsed since the first outlier in the current wave was seen exceeds ℓ, we reset window and temporary variables (lines 22-23).

V. EVALUATION
We describe our evaluation setup in Section V-A and data collection method in Section V-B.We discuss our experimental results in Section V-C.

A. Evaluation setup
We evaluate DEAL in a typical office setup.To this end, we created an office space illuminated with both natural and artificial lights.As shown in Fig. 2, our office setup has two ceiling-mounted white light sources that we keep on and a standard transparent window that allows natural light to come in.Though the half-glass door was kept closed during the experiments, its transparent glass portion in the upper half remained unobstructed.
To emulate typical work-desk positions with respect to the lighting conditions, we set up four work-desks at different locations in the room (cf.Fig. 2).In particular, position P1 emulates a position with lower lighting since it is far from the light sources.Moreover, a user working in position P1 may further block the illumination perceived by the computer's ALS.Being closer to light source 2, positions P2 and P4 represent normally illuminated positions.Lastly, position P3 has copious lighting.In our experiments, we used a Lenovo ThinkPad Yoga 370 laptop.It comes with a built-in ALS.We modified iio-sensor-proxy [27] to capture readings from ALS.It is important to highlight that we periodically checked the health of our computer's ALS using a phone-based ALS to avoid any bias or error in our ALS readings.

B. Data collection
To collect ALS data for our experiments, we invited student volunteers to participate in our study.A total of 120 students volunteered for our study over a period of 90 days.Since the volunteers belong the student body of a large university, the majority of them were naturally in the 18-24 age group.Fig. 3 shows the distribution of the self-declared age groups, sex categories, and height classes 4  Before beginning each instance of our data collection activity, we asked the volunteer to settle in a comfortable sitting/working posture at a designated desk.After which we started recording the data from the computer's ALS.At the same time, we asked the volunteer to use the computer normally for about a minute.Next, the volunteer was asked to get up and move away from the chair.It is important to highlight that to prevent any interference due to our operational activities, we remotely operated our computer to capture the data from its ALS.We also documented the time when the volunteer was instructed to get up in the activity; mainly for post-processing and analysis.Each volunteer repeated the entire activity ten times each on the four work-desk positions (i.e., P1, P2, P3,  and P4).Therefore, our dataset contains a total of 4800 data samples, i.e., 1200 data samples for each position.Fig. 4 depicts a random set of data samples collected from different positions during our data collection activity.As discussed in Section V-A, the four work-desks experience different lighting conditions.This phenomenon is also evident from the light intensity scales shown in Fig. 4 (a)-(d).We now briefly describe each plot shown in Fig. 4.
As depicted in Fig. 4(a), the ALS readings remain nearly constant as long as the user remains seated in P1.It is so because the body of the user is blocking the illumination coming from the distant light sources.The illumination perceived by ALS further drops when the user gets up.Intuitively, ALS receives a much higher illumination when the user completely moves away from the computer.
In case of P2 and P4, the light sources are located on the right side and left side of the computer, respectively.ALS on our computer is located towards top-right of the screen.Thus, the chances of a sitting user shadowing LoS between ALS and the light sources are lesser in P2 when compared with P4.As illustrated in Fig. 4(b) and Fig. 4(d), both P2 and P4 observe similar levels of light intensity.However, ALS readings in P2 before and after the user moves away are at the same level, which implies that in this particular case, the user was not shadowing ALS.On another side, ALS readings in P4 after the user moves away achieve similar levels as in the case of P2, which implies that in this particular case, the user was marginally shadowing ALS.
Unsurprisingly, the light intensity levels are the highest in P3.When the user moves away from P3 in the particular case shown in Fig. 4(c), ALS readings drop even lower than the levels when the user was sitting.A possible explanation of such a case is that the light coming from the sources in front of the user was being reflected by the user towards ALS when the user was sitting.Nevertheless, the ALS readings still clearly capture the movements of the departing user.

C. Experimental results
We empirically assess the quality of our proposed approach with real-world data.As explained in Section V-B, our dataset contains a total of 4800 data samples (i.e., 1200 data samples for each position) collected from 120 volunteers.We designed a series of experiments for a thorough analysis.We begin with investigating the general performance of DEAL.Here, we vary its input parameters to find a set of suitable configurations.Next, we study the effect of different positions (i.e., lighting conditions) considered in our work.Finally, we examine the impact of users' height.For a de-authentication system, false negatives are more severe than false positives.At the same time, true positives are also critical.Therefore, we report the hit rate 5 for each of our experiments.
An analysis of our data samples indicates that the volunteers took roughly two to four seconds to get up and move away from a work-desk.Thus, we set ℓ between 2 and 4 seconds to approximately cover the entire user movement.We observe that a portion of the ALS readings affected due to a user's movement can be treated, depending on the value of ∆, as nonoutlier.It is especially witnessed for the values corresponding to the start and end of the movement; such values can still be within the threshold because the window is not updated during a wave of consecutive outliers (cf.lines 9, 14-17 in Algorithm 1).Therefore, we choose η between 1 and 2 seconds, which is about half the time the volunteers took to move.The value of ω is fixed at 3 seconds while ∆ is chosen between 5 and 20 based on preliminary experiments.
We now discuss the generic performance of DEAL.TA-BLE I shows the hit rate of our system over the entire dataset of 4800 samples for different values of η, ℓ, and ∆.An increasing value of ∆ corresponds to the fact that a user should affect ALS readings substantially for the system to recognize it as an outlier.Thus, DEAL becomes resistive with increasing values of ∆.Such behavior is evident in each row 6of TABLE I.The performance of our systems is affected by η in a similar way.A larger value of η requires a longer duration of outliers, which becomes even more challenging to attain under our stringent requirement of outliers' consecutiveness.A comparison of values7 corresponding to increasing η over fixed ℓ and ∆ reflects the same.On another side, a larger value of ℓ enables us to process more values of R. The performance of DEAL improves with increasing value8 of ℓ over a given pair of η and ∆.From these experiments, we find ∆ = 5 and ℓ = 4s are suitable parameter values for DEAL.Since a larger η helps us avoid subtle user movements, we prefer η = 1.5s 5 Recall = Hit Rate = T P T P +F N = 1 − M iss Rate over η = 1.0s for our chosen values of ∆ and ℓ.With these values of of ∆, ℓ, η, we observed a fall-out 9 of only 7.35%.To understand the effect of different lighting conditions, we organize our dataset according to different positions (i.e., 1200 samples per position) considered in our study.TABLE II shows the hit rate of our system over different positions for η = 1.5s, ℓ = 4s.Our results indicate that DEAL performs better in P1, where most volunteers blocked the illumination observed by ALS while working at the computer.We see the steepest decline in the hit rate at P3. Since P3 has copious lighting, affecting ALS readings substantially for higher values of ∆ is complex.P2 and P4, which represent normally illuminated positions and have similar light intensity levels, obtain comparable results.Overall, our system performs competently for ∆ = 5 across different positions.Next, we consider the users' height in our study.Due to a disparity in the number of volunteers per height class, we take 250 (roughly half of the taller class samples) randomly chosen samples from each height class.Fig. 5 depicts the hit rate of DEAL over different height classes for η = 1.5s, ℓ = 4s.While our results for ∆ = 5 are alike across different height classes, DEAL favors taller users for increasing values of ∆.The rationale for such behavior is related to the fact that a taller user likely remains in the LoS path of ALS while working, and when such a user moves away, the ALS readings are affected sufficiently for DEAL to operate properly. 9F all Out = F alseP ositive Rate = F P F P +T N To conclude, we argue that DEAL yields an overall effective performance.In particular, our system attains such scores without any extraordinary requirements or customization, as seen in the case of state-of-the-art solutions (cf.Section I).DEAL can de-authenticate the user within two to (more realistic) four seconds (i.e., based on the value of ℓ).In a real-world deployment, an enrollment step at the end user's work-desk can help tune the system to function even better.

VI. DISCUSSION
We specify the key attributes of our work in this section.Section VI-A compares DEAL with state-of-the-art user deauthentication schemes and highlights its salient features.Section VI-B discusses the potential limitations of DEAL.

A. Comparison with existing de-authentication schemes
For a rigorous comparison among the key de-authentication solutions, we assess each one of them on a dozen crucial dimensions.TABLE III summarizes our comparison and underlines the prominent features and limitations of the key existing solutions.
One of the fundamental requirements for any consumer technology is its user-friendliness.In our context, it is directly related to the unobtrusiveness (cf.col. 1 ) of a given deauthentication solution and whether it compels the user to carry, wear, or bear anything extra (cf.col. 2 ).We find that ZEBRA, pulse-response, ZIA, and 1DMRLBP can cause inconvenience to the user by requiring them to bear a bracelet, a pair of electrodes, a token, and an ECG apparatus, respectively.The existing solutions can be further classified as biometric or non-biometric (cf.col. 3 ) and continuous 10or non-continuous solutions (cf.col. 4 ).Biometric-based solutions (i.e., gaze tracking, Assentication, pulse-response, key-stroke dynamics, BLUFADE, 1DMRLBP) are certainly difficult to evade (cf.col.6 ) as imitating someone else's biometry or behavioral patterns is highly complex.On the other side, some continuous solutions can be subverted.For instance, authors in the work [29] have shown that an attacker can evade ZEBRA via opportunistic observations.Both the biometric and continuous solutions are accurate.However, the performance of both the categories of solutions comes at the cost of: (1) a user enrollment phase (cf.col. 5 ) that can be laborious and time-consuming for the end-user, and (2) the cost of equipment required to capture their respective features is non-trivial.Only a few solutions are enrollmentfree.Regarding the difficulty of evasion, FADEWICH is not suitable for a densely occupied workspace, while the classic timeout approach fails to sense the user's absence.A user may not interact continuously with her computer (e.g., while attending a phone call).Thus, another key attribute of a user-centric de-authentication scheme is its support for a user's inactivity (cf.col.7 ).Timeout, ZEBRA, gaze tracking, and keystroke dynamics depend on user interactions, and thus they violate this objective.The main limitation of the majority of existing schemes is their dependence on external equipment for operation (cf.col.8 ).Such a dependence not only hinders their widespread adoption, but it can also spawn several related concerns, i.e., maintenance, physical customization, deployment complexity, and price.Only timeout approach, keystroke dynamics, BLUFADE, and our proposal do not depend on external hardware; thus, they are not generally affected by the consequent concerns mentioned before.
ZEBRA, DEB, and ZIA demand periodic recharging or replacement of batteries while Assentication requires maintenance of the wires that supply power to the chair.The external hardware in the other such solutions is powered directly by the target computer.Finally, all these solutions also involve the risk of physical damage to the external hardware that may seek a replacement (cf.col. 9 ).Some of the solutions that use external hardware require a particular installation of the equipment (i.e., gaze tracking, DEB) or even customization to workplace infrastructure (i.e., Assentication, FADEWICH).The user simply holds/wears the external apparatuses in other such solutions (i.e., ZEBRA, ZIA, 1DMRLBP, pulse-response).As discussed in Section II, BLUFADE requires affixing a particular physical barrier on the webcam (cf.col. 10 ).Regarding deployment complexity (cf.col.11 ), Assentication and FADEWICH are not simple to deploy in practice as they require alteration to infrastructure.Similarly, pulse-response involves complex handling of multiple apparatuses (arbitrary waveform generator, oscilloscope, brass hand-electrode, etc.).All the remaining solutions are simple to deploy even when they need particular placement of hardware (e.g., gaze tracking, DEB, BLUFADE).As far as the price is concerned (cf.col.12 ), gaze tracking employs an expensive eye-tracking device.Though the price of FADEWICH and pulse-response is unknown, we suppose they are slightly costlier as they use several sensors and apparatuses.The cost of the remaining schemes is low to medium.Finally, the number of subjects in the user/validation study could indicate the robustness of evaluation results, which is the highest in our case (cf.col.13 ).
In light of our analysis, we find that the state-of-the-art solutions lack a few or several vital characteristics of an effective and practical de-authentication scheme.On the other hand, DEAL is the only solution that possesses all these characteristics.Therefore, we believe it is the most useful and practical de-authentication scheme.

B. Limitations
We now ponder upon the potential limitations of DEAL. 1) ALS' presence: Our proposed de-authentication approach relies on an ALS.While ALS has been present on smartphones and tablets for a long time, it has only recently started to become available on laptops (e.g., MacBooks) and desktops (e.g., iMacs).Therefore, DEAL is futuristic and suitable for newer generations of computers.Nevertheless, one can attach a USB-powered ALS to use DEAL in the absence of a built-in ALS.
One related issue could be the physical placement of ALS on the computer.ALS (like other user-centric sensors, e.g., webcam) is generally mounted on the front side of the display screen.Our approach will work as long as ALS faces the users.For the sake of readers' convenience, Fig. 1 and Fig. 6 conceptualize DEAL on a laptop and a desktop, respectively.However, any unusual sensor placement (e.g., behind the screen panel) will render our system unusable.It is worth noting that such an unusual sensor placement could be suitable for portable devices, but not for computers that can be docked near a wall.2) False alarms due to passersby: A common phenomenon in any workplace setting is the movements of passersby (e.g., colleagues).We set up a separate experiment to investigate such a scenario.Fig. 7 shows different user positions, where A represents the legitimate user's standing position, B shows a passerby crossing too close to the target user, and C depicts a passerby away from the target user.We find that our system remains largely unaffected as long as a passerby (cf.C ) walks at some (about 2-3 ft) distance from the user.In particular, any wave of outliers, if induced, is sparse and short.On the other hand, our system de-authenticates the user when a passerby (cf.B ) comes too close to the user; as it affects the ALS readings.It can be seen as a false alarm.Nevertheless, such de-authentications can protect the user's privacy from shoulder surfers and onlookers.3) Violation of our assumptions: Our system will create a false alarm if the user changes her working posture (e.g., from sitting to standing).Similarly, it may possibly not de-authenticate the user if she moves away from her work-desk without getting up (e.g., by dragging the chair).Violating the assumptions or requirements of any given scheme will affect its functioning, and our work is no different.Nevertheless, one may see it as a limitation of our work.

VII. CONCLUSION AND FUTURE WORK
Both user authentication and de-authentication are essential operations for the security of a computer system.It is even more critical to de-authenticate a user in a shared workspace setting because an insider can gain access to the user's active session through lunchtime attacks.The research community has proposed different de-authentication and continuousauthentication techniques over the inactivity timeout-based method.The existing works unfortunately have various limitations, e.g., complex installation procedures, requirement of external hardware to assert user presence.In this paper, we propose a novel approach, called DEAL, that uses ALS present on a computer to de-authenticate the user.We assessed the quality of our proposed approach empirically in the real world.While being effective and fast, DEAL is also unobtrusive.
In the future, we would like to test DEAL in unconventional workplace settings, such as in a cafe or under different colored lighting.We will explore the possibility of assisting DEAL with machine learning-based classification techniques to further improve its performance.We will also investigate the effect of personalized tuning (e.g., via an enrollment stage for the end user) on its performance.

IRB APPROVAL
We obtained prior approval for our experiments from the Institutional Review Board (IRB) of the institute, where the experiments were carried out.The level of review recommendation was: Exempt.All participants were volunteers, who were informed of the actual use of the collected data, and their informed consent was obtained before starting the data collection process.No sensitive data was collected.In particular, no participant names, contact numbers, or other Personally Identifying Information (PII) was collected.The minimal identifying information retained was also anonymized.All the data was (and is) stored in an encrypted form.

Fig. 1 .
Fig. 1.A representative depiction of affecting illumination perceived by ALS.

Fig. 2 .
Fig. 2. The top view of our office setup.

Fig. 4 .
Fig. 4. A random set of ALS data samples collected from different positions.

Fig. 6 .
Fig. 6.A representative conceptualization of DEAL on a desktop.
of the volunteers.
Fig. 3.The distribution of age, sex, and height of the volunteers.

TABLE III A
COMPARATIVE SUMMARY OF THE KEY DE-AUTHENTICATION SCHEMES.