Duress passwords and other side effects

Fifteen years ago when we built our house, we had a home security system installed.  It has the usual alarm panel with a keypad inside the door.  When you come in the house, you have 30 seconds to key in your password to stop the alarm from going off.

If the alarm does go off, the monitoring company will call you to find out if it was a mistake or a real alarm.  Each authorized user has a passcode to authenticate themselves to the monitoring company.  You can’t have the burglar answering the phone “No problem here! False alarm…”

In fact, there are two passcodes: one authenticates you, and the other is a duress password.  If the burglar is there with you, you use the duress password, and the monitoring company behaves exactly the same way, but they also call the local police for you.  It is important that the burglar cannot tell the difference: the response on the phone has to be identical for both passcodes, and the extra action has to happen out of the burglar's sight.

It seems to me that ATM cards should have duress PINs as well as real ones.  If a criminal says "type in your ATM PIN or else" then fine, you enter the duress PIN.  The ATM behaves exactly the same way, but the bank alerts the police and sends them the surveillance video.  The duress PIN must not be derivable from the real one (reversing the digits, say), or the criminal just demands both.

Duress passwords have a lot of other potential uses.  If your school principal demands your Facebook password, you give up your duress password.  What happens next could depend on which password you give.  At the extreme, your whole account could be deleted.  It could be archived on servers out of legal jurisdiction, or your stuff visible only to friends could seem not to exist for a week.  Whatever.  Options that appear not to do anything are best, because then the school admins can't tell you have disobeyed them and suspend you.

While I am riffing, there should be a phrase you can say, like "I do not consent to this search" or a similar account setting, that makes the administrator's access an automatic CFAA violation. (I think the CFAA should be junked, but if not, it should be used to the user's benefit, not just the man's.)

Finally, regarding authentication, there should also be two-factor authentication for everything, and single-use passwords for everything.  Why not?  Everyone has a nice computing device with them at all times.  Of course your phone and the authentication app should have a duress unlock code.

So next time you are building an authentication structure, build in support for one-time passwords, two-factor authentication, and a flexible set of duress passwords.
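Here is what "a flexible set of duress passwords" can look like in code, covering both the alarm-panel behaviour described earlier (same response, silent side effect) and the per-password policies suggested for the Facebook case.  This is an added example, not code from the original post.  The policy names (`alert_police`, `hide_private`) and the handler dictionary are assumptions for illustration; the hashing uses Python's standard `hashlib.scrypt`.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed demo.  One real password plus any number of named duress
# passwords, each stored as a salted scrypt hash.  The verifier hashes the
# candidate against EVERY stored entry on every attempt, so the time taken
# does not reveal which entry matched (or whether any did).

_SCRYPT = dict(n=2 ** 14, r=8, p=1, dklen=32)


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, **_SCRYPT)


@dataclass
class Credential:
    salt: bytes
    digest: bytes
    # Hypothetical policy label: None for the real password, otherwise the
    # name of the silent action to run when this duress password is used.
    action: Optional[str]


@dataclass
class Account:
    creds: List[Credential]


def enroll(real: str, duress: Dict[str, str]) -> Account:
    """duress maps a duress password to a policy name, e.g. {'1199': 'alert_police'}."""
    # A duress password equal to the real one would be ambiguous; refuse it.
    if real in duress:
        raise ValueError("duress password must differ from the real password")
    creds: List[Credential] = []
    salt = os.urandom(16)
    creds.append(Credential(salt, _hash(real, salt), None))
    for pw, action in duress.items():
        salt = os.urandom(16)
        creds.append(Credential(salt, _hash(pw, salt), action))
    return Account(creds)


def verify(account: Account, candidate: str) -> Tuple[bool, Optional[str]]:
    """Return (accepted, silent_action).

    accepted is True for the real password and for every duress password.
    silent_action is None for the real password and the policy name for a
    duress password.  Every stored credential is checked; there is no early
    exit, so a match on entry 0 and a match on entry 3 cost the same.
    """
    accepted = False
    action: Optional[str] = None
    for cred in account.creds:
        if hmac.compare_digest(_hash(candidate, cred.salt), cred.digest):
            accepted = True
            action = cred.action
    return accepted, action


def login(account: Account, candidate: str,
          handlers: Dict[str, Callable[[], None]]) -> str:
    """The user-facing response is identical for real and duress passwords.

    The duress handler runs as a side effect only (in practice: queue an alert,
    flag the session, swap the view of the data); nothing it does may change
    the string returned here.
    """
    accepted, action = verify(account, candidate)
    if not accepted:
        return "denied"
    if action is not None:
        handlers[action]()
    return "welcome"


if __name__ == "__main__":
    # Constructed sample: a real password and two duress passwords with
    # different policies, plus handlers that just record what fired.
    fired: List[str] = []
    demo_handlers = {
        "alert_police": lambda: fired.append("alert_police"),
        "hide_private": lambda: fired.append("hide_private"),
    }
    acct = enroll("correct horse", {"battery staple": "alert_police",
                                    "nothing to see": "hide_private"})
    print(login(acct, "correct horse", demo_handlers), fired)   # welcome []
    print(login(acct, "battery staple", demo_handlers), fired)  # welcome ['alert_police']
    print(login(acct, "wrong", demo_handlers), fired)           # denied ['alert_police']
```

The two properties the post insists on are both visible here: `login` returns the same `"welcome"` whether the real or a duress password was typed, and `verify` does the same amount of scrypt work on every attempt.  What is not solved by code is the enrollment side: a duress password chosen by a rule (the real PIN reversed, the real password plus a digit) is no better than none, because the attacker can demand both or guess the rule.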