Protecting Sessions with Presence Detection

One of the more difficult aspects of implementing Identity & Access Management solutions is properly managing the security of a user session after authentication. Traditional systems rely on idle timers to determine when a user has stopped using their computer. Once the timer expires, the operating system or application forces a logout.

On even the most cursory review, it is easy to see how this approach is flawed. If the timeout is too long, a malicious user could simply wait until the authorized user has left their computer and take over the session. Typical timeouts are 20 minutes, which gives an interloper plenty of time to gain access to a neglected session. Solving this problem by shortening the timeout forces users to log in more frequently, impacting productivity and creating frustration.

The usual response is to train users to log out when they leave their computer unattended. But this is inconvenient and unproductive, particularly in demanding environments where time — even a few seconds — is at a premium.

What if a user’s presence in front of a computer could be detected and, when he/she is no longer present, the session locked automatically? This is the premise behind Viion Systems’ Sentinal Sign-Off solution.

Using a standard webcam, the system automatically scans for and detects a user’s facial features. Once the user has authenticated, the camera tracks those unique features and automatically locks the session when the user is no longer present. Upon the user’s return, the Sentinal software detects the correct face and the session is automatically unlocked.

Viion call this ‘Active Presence and Identification’ technology and it is specifically designed for those situations where highly sensitive data is accessed and where a short timeout configuration would introduce unacceptable inconveniences.

It can also be used in organizations that want to prevent users from sharing a session.  For example, two users at a counter service may have one computer to share. In many cases, they will simply leave their session running while a co-worker accesses applications under the first user’s credentials. Obviously, this practice would not be compliant with the security policy at many organizations.  The Sentinal Sign-Off system can eliminate this weakness.

It is worth noting that the system does not need to store the facial image or video data.  It establishes a link between the session and the individual for as long as the session exists, then discards the data. User privacy concerns should not be an issue with most implementations.  (It does have the capability of recording and storing images, but this is not required for the solution to work.  The recording of images feature can be used for specific security cases that clients may have.)

I had a demo of the Sentinal Sign-Off system last week, and can confirm it operates as advertised. One handy feature is that when it ‘loses sight’ of the user, it will show a countdown. When you return to the field of view, the countdown stops. The demo showed how a Sentinal login screen is displayed after session locking, but the company assures me that it can pop up a Windows or application login screen if required.
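The behaviour described above (bind the session to one person at login, start a countdown when that person leaves the camera's view, lock when it expires, cancel it if they come back, and unlock only for the same person) is easy to get subtly wrong, so here is a small simulation of it as a state machine. This is an added illustration written for this post, not Viion's Sentinal code; the template ids, grace period and camera samples are constructed, and a real product would drive the lock from a timer rather than from the next camera sample.

```python
"""Presence-bound session guard (added illustration, not Sentinal's code).

Models the post's description: session bound to one subject at
authentication, countdown on loss of sight, lock on expiry, cancel on
return of the same subject, unlock only for that subject. No image data
is retained; a subject is just an opaque template id (an assumption).
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class State(Enum):
    UNLOCKED = "unlocked"
    GRACE = "grace"      # bound user out of view, countdown running
    LOCKED = "locked"


@dataclass
class Observation:
    """One camera sample: time in seconds and the matched template id,
    or None when nobody is in view (constructed, not real camera output)."""
    t: float
    subject: Optional[str]


@dataclass
class PresenceGuard:
    bound_subject: str            # identity established at authentication
    grace_seconds: float = 10.0   # countdown length before the lock engages
    state: State = State.UNLOCKED
    grace_deadline: Optional[float] = None
    events: List[str] = field(default_factory=list)

    def remaining(self, now: float) -> Optional[float]:
        """Seconds left on the countdown, for the on-screen display."""
        if self.state is not State.GRACE or self.grace_deadline is None:
            return None
        return max(0.0, self.grace_deadline - now)

    def observe(self, obs: Observation) -> State:
        same_user = obs.subject == self.bound_subject
        if self.state is State.UNLOCKED:
            if not same_user:
                # Bound user gone, or replaced by someone else: start the countdown.
                self.state = State.GRACE
                self.grace_deadline = obs.t + self.grace_seconds
                self.events.append(f"{obs.t:.0f}s countdown started")
        elif self.state is State.GRACE:
            if same_user:
                # Only the bound user cancels the countdown; a stranger's face does not.
                self.state = State.UNLOCKED
                self.grace_deadline = None
                self.events.append(f"{obs.t:.0f}s countdown cancelled")
            elif obs.t >= self.grace_deadline:
                self.state = State.LOCKED
                self.grace_deadline = None
                self.events.append(f"{obs.t:.0f}s session locked")
        else:  # LOCKED: the session belongs to the bound subject only
            if same_user:
                self.state = State.UNLOCKED
                self.events.append(f"{obs.t:.0f}s session unlocked")
            elif obs.subject is not None:
                self.events.append(f"{obs.t:.0f}s unlock refused for unrecognised subject")
        return self.state


def run_scenario(samples: List[Tuple[float, Optional[str]]],
                 grace_seconds: float = 10.0) -> PresenceGuard:
    """Feed constructed samples through a guard bound to 'alice-template'."""
    guard = PresenceGuard(bound_subject="alice-template", grace_seconds=grace_seconds)
    for t, subject in samples:
        guard.observe(Observation(t, subject))
    return guard


# Constructed timeline: Alice steps away and returns within the grace
# period, then leaves long enough to lock; Bob tries the console; Alice returns.
SAMPLES = [
    (0, "alice-template"), (1, "alice-template"),
    (2, None), (5, None), (7, "alice-template"),
    (8, None), (20, None),
    (21, "bob-template"), (22, "alice-template"),
]

if __name__ == "__main__":
    for line in run_scenario(SAMPLES).events:
        print(line)
```

The important design choice is in the GRACE and LOCKED branches: any face other than the bound one is treated as absence, so a co-worker stepping in front of the camera neither stops the countdown nor unlocks the session, which is what makes the shared-counter scenario above a non-issue.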

Viion’s system isn’t the only method that can be used to meet this business need. Sonar, proximity devices and pressure mats all offer similar capabilities — but each has its own limitations. For example, sonar cannot distinguish between people and inanimate objects.

Aside from some great user convenience, this looks like a solid session management system for niche business needs. I can see it working well with health services applications, financial systems and certain operations consoles where there is a demand for high security while maximizing user convenience.


Author: code

Mike Waddingham is senior Information Technology management consultant with over 30 years of industry experience. He is the owner of Code Technology Corp.