Login under Duress
On my recent post “Mathematical Strength of Login Credential”, I found this inviting comment: “The more pragmatic and cheapest way to ‘brute force’ a password is to ask the user. Option 1 ‘ask gently’ (money). Option 2 ‘ask brutally’ (at gunpoint). Either way the result is 99 percent guaranteed in short times. Well… unless there’s a ‘duress protocol’ in place; which is, and for good reasons, rare outside of the military…”
I replied: “It has already been taken care of since 2003. Watch this video: ‘High-Security Operation on PC for managers’ https://www.youtube.com/watch?v=UO_1fEp2jFo”
At 2 minutes 40 seconds, you will see the registration page, which has a ‘Yes or No’ box for “Emergency PassSymbol”. Click ‘Yes’ and you will be able to register an extra image as a duress code.
A bad guy who forces the user to log in under duress does not know how many images the user registered, so he has no idea whether the user selected an extra image or not. The software, however, detects it, allows the login, and guides the bad guy to a dummy data section while silently sending a real-time alarm to security personnel.
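The check described above can be sketched as follows. This is an added example, not code from the product shown in the video; the names `register` and `login`, string image IDs, PBKDF2 storage and the `alerts` list standing in for the silent alarm are all assumptions.

```python
import hashlib
import hmac
import os

def _digest(selection, salt):
    # Order-independent encoding of the picked image IDs, stretched with PBKDF2.
    canon = "\x00".join(sorted(set(selection))).encode()
    return hashlib.pbkdf2_hmac("sha256", canon, salt, 100_000)

def register(images, emergency_image=None):
    """Build the stored record (hypothetical layout). Both slots are always
    filled, so the record does not reveal whether an emergency image exists."""
    salt = os.urandom(16)
    normal = _digest(images, salt)
    if emergency_image is not None:
        # Duress credential = the registered images plus the one extra image.
        duress = _digest(list(images) + [emergency_image], salt)
    else:
        duress = os.urandom(len(normal))  # random filler that cannot be matched
    return {"salt": salt, "normal": normal, "duress": duress}

def login(record, selection, alerts):
    """Return (granted, data_area). A duress login is granted like a normal one."""
    d = _digest(selection, record["salt"])
    # Always evaluate both comparisons, each in constant time, so response
    # timing does not distinguish the normal path from the duress path.
    is_normal = hmac.compare_digest(d, record["normal"])
    is_duress = hmac.compare_digest(d, record["duress"])
    if is_duress:
        alerts.append("duress login")  # stand-in for the silent real-time alarm
        return True, "decoy"           # session is pointed at dummy data
    if is_normal:
        return True, "real"
    return False, None

if __name__ == "__main__":
    # Constructed sample data: three registered images and one emergency image.
    alerts = []
    rec = register(["cat", "tree", "boat"], emergency_image="lamp")
    print(login(rec, ["boat", "cat", "tree"], alerts))
    print(login(rec, ["cat", "tree", "boat", "lamp"], alerts), alerts)
```
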
This function had been implemented a decade before Japan’s Army talked to us. We did not assume that such a duress alarm function would rarely be appreciated outside the military; rather, we anticipated that the more digital assets pile up in the digital space, the more frequently cases of forced login under duress will happen.
Digital identity blogs collected at https://www.linkedin.com/pulse/collection-digital-identity-comments-hitoshi-kokumai-posted-kokumai/