Nowadays, the personal identification number (PIN) is one of the most popular methods for identity verification. However, recent research shows that attackers can easily recover victims' PINs in spite of the large number of combinations a PIN provides. Existing protection approaches either require altering the original interaction between the user and PIN-based authentication systems, or still fail if the attacker can observe and mimic the victim's input behavior. Considering these limitations, we propose a defense system called LightDefender to protect current PIN-based systems from PIN replay attacks using a single ambient light sensor. Specifically, we protect the PIN input by leveraging the biometrics in the received light intensity, which is influenced by input behaviors and biological features. To the best of our knowledge, our work is the first to protect PIN input using light intensity. Unlike existing approaches, LightDefender does not change the original interaction methods between the user and PIN-based authentication systems, and the extra hardware cost is low. In addition, by leveraging biological differences (e.g., finger length) among different users, LightDefender still provides high-security protection against strong attackers who can mimic the victim's input behaviors. Experiments with 10 volunteers show that LightDefender can achieve an average true acceptance rate of 95% for normal users. More importantly, LightDefender can correctly reject two types of attackers with an average true rejection rate of at least 93.6% without data from new attackers.