Why is it important to have multiple duress pins/passwords? For example, if someone asks me for the password and I provide one of the duress passwords, having multiple options ensures that any attempt to try different codes will trigger data destruction.
Importance of Multiple Duress Pins/Passwords
So if you use a number lock in 1 profile and a word password in profile 2 and a corrupt officer threatens to beat the heck out of you unless you unlock, if you are at a password screen with the keyboard and no numbers showing and say the duress password is 9050, the corrupt officer may go "this makes no sense," and if you are at a number password screen and say the password is "cumquat all over my kiwi" then the corrupt officer may say "this makes no sense."
However, if you are at the keyboard screen and you say that the secret password is "cumquat all over my kiwi" and that's the duress password, and the corrupt officer enters it, then your data is irretrievably destroyed. (You may also get beaten, but in a really bad situation that may be the better option.)
I would love to see this implemented for one reason: I want "1234" "0000" and "9999" to be there for anyone attempting to brute force, and "XXXX" for anyone who is asking for me to give it up. (Nobody would believe someone who takes security seriously has "1234" as his PIN, so the two options are at odds with the other as far as implementation. Having multiple allows both scenarios to be adequately addressed.)
xmachina Correct me if I'm wrong but I don't think you should include easy passcodes such as 1234 or "password" as duress codes. What if someone enters these codes as a joke or a child idk steals your device? If you have a good enough main password an attacker won't be able to manually guess or bruteforce your password anyway.
notahuman Should a corrupt officer threaten me physically, he is definitely getting the duress password. On the other hand, if any investigator asks for your password, in a lot of jurisdictions, you have the right to remain silent and not provide it to him or her. If you are denying access to an investigator, never talk about the contents of your phone. As far as biometrics are concerned, they are not protected under the law like passwords are in a lot of jurisdictions, so that should be considered in your scenario. I don't use biometrics and I have a sophisticated password and a slightly less sophisticated duress password. I have auto reboot set appropriately for my needs.
A small addition on the subject of Duress PIN and brute forcing:
Duress PIN/password is an OS feature without secure element support. An attacker successfully exploiting the OS can try the duress PIN/password without risking a wipe since they can control the OS. In theory, the secure element could implement duress PIN/password support by having a 2nd authentication token for each Weaver slot which wipes the Weaver token instead of providing it. There's no way for GrapheneOS to implement this without having our own hardware where we can add secure element features. We can explicitly document this in the future usage guide section.
Source: https://discuss.grapheneos.org/d/13155-grapheneos-version-2024053100-released/48
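The difference between an OS-level duress check and the secure-element variant described in the quote above can be shown with a toy model. This is an added example, not part of the thread and not GrapheneOS or Weaver code; `ToySlot`, `os_unlock`, `run_scenarios` and the PIN values are hypothetical names and constructed data.

```python
import hmac
import secrets


class ToySlot:
    """Toy secure-element slot: releases `token` only for the matching key."""

    def __init__(self, key, token, duress_key=None):
        self._key, self._token, self._duress_key = key, token, duress_key
        self.failed_attempts = 0

    def read(self, key):
        if self._token is None:
            return None  # already wiped, nothing left to release
        if self._duress_key is not None and hmac.compare_digest(key, self._duress_key):
            self._token = None  # wipe is decided inside the element
            return None
        if hmac.compare_digest(key, self._key):
            self.failed_attempts = 0
            return self._token
        self.failed_attempts += 1  # counter a throttling policy would act on
        return None

    def erase(self):
        self._token = None

    @property
    def wiped(self):
        return self._token is None


def os_unlock(slot, entered, os_duress_key=None, os_compromised=False):
    """OS-side unlock path. The OS-level duress check is ordinary OS code,
    so in this model it only runs while the OS itself is intact."""
    if os_duress_key is not None and not os_compromised:
        if hmac.compare_digest(entered, os_duress_key):
            slot.erase()
            return None
    return slot.read(entered)


def run_scenarios():
    """Enter the duress PIN under each design, with and without OS compromise."""
    real, duress = b"constructed-real-pin", b"constructed-duress-pin"
    results = {}
    for name, in_element in (("os_level", False), ("element_level", True)):
        for compromised in (False, True):
            slot = ToySlot(real, secrets.token_bytes(32), duress if in_element else None)
            os_unlock(slot, duress, None if in_element else duress, compromised)
            results[(name, compromised)] = slot.wiped
    return results
```

In the model, only the `("os_level", True)` case leaves the token intact after the duress PIN is entered, which is the limitation the quoted post describes.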
ticklemyIP In practice, I would never let a child have my phone :) In all seriousness though, I didn't put any thought into the examples, and I probably should have.
As far as why, I specifically want fail-fast in case of tampering. I do have a good password, but currently I am limited by using my phone often enough to warrant a lesser password than I'd prefer. I'm hoping the new 2FA unlock comes out soon so I can beef up the password without usability issues, in which case the fail-fast will be less important/strict.
It seems that this requires the exploitation of the BFU. Then you can bypass the duress pin.
What about setting the amount of password tries allowed to 10 before erase? Wouldn't this make a slightly less than desired password a lot stronger?
locked I currently have it set to 3. I consider my phone a liability, so I take the layered, redundant, nuclear approach. While I'd really like to have the option to recover important things, those things aren't critical.
As a note, if/while it may seem paranoid, I have some unknowns I have to deal with and therefore overkill is the goal.
[deleted]
xmachina How to enable this?
I use an app called Sentry. me.lucky.sentry