Duress mode please, International Travel warrants it

This topic was closed on account of being silly, without fully exploring the legitimacy of the need for this feature.

Let's first catch up on the world of security, what it's been doing and where it's potentially going

I think the problem remains the same. Anyone who is sufficiently motivated to force you to enter your password under duress either already knows about the "duress mode" and won't buy it or will become much more upset with you when none of the passwords actually work.

This is false, similar to TrueCrypt and it's many predecessors that picked up after it, such as VeraCrypt, the idea is that you can have false data that has the appearance of being sensitive. "Outer vs Hidden Volume". Who said the passwords don't work, or that you cannot have dummy data within the database?

A border patrol agent can ask for any passwords they please, Facebook, Instagram, even your 1Password password. What happens if you store your SSH or PGP keys or other forms of Private Keys and your device is downloaded? What happens if the border patrol agents know what to do with this data? You could be pwned before you can get to a public wifi, activate your VPN and update your digital fingerprint.

Duress-mode seems to be a fully reasonable request for a company responsible for keeping the keys of its users safe. The only, and best solution for the unlikely but possible situation of duress, is a duress mode. Very simple: user enters a duress password, and 1PW opens only the Duress vault. I feel as though it's an important subject to talk about and not dismiss as being paranoid or superfluous.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • brentybrenty

    Team Member

    This topic was closed on account of being silly, without fully exploring the legitimacy of the need for this feature.

    @5andwich: That's an incorrect assumption. Discussions are automatically closed after a long period of inactivity, and that one in particular is nearly 4 years old. It sounds like your statement "dismiss as being paranoid or superfluous" may have been based on that assumption as well, given that no one in that discussion was being dismissive. The only real solution is to not have this data on the device in the first place however, as "security by obscurity" is not really security at all, and that's what was being discussed. That may sound "dismissive", but I think there's a difference between dismissing a suggestion for good reason after serious consideration and ignoring it outright in a dismissive fashion. I feel like the former is demonstrated in the older discussion, and I'll try to do the same here in light of today's landscape.

    A border patrol agent can ask for any passwords they please, Facebook, Instagram, even your 1Password password.

    There's certainly a case for something to help with these situations. As you might imagine, this is something we're very much concerned about ourselves: keeping anyone unauthorized out of our data. Fortunately we don't ever have access to our customers' data (since you hold the keys to your data), but having someone gain unauthorized access to internal systems is still not acceptable for business and privacy reasons (customers entrust us with their names, email, and in some cases addresses, for example). So going back to what I mentioned earlier, one of our procedures is to remove sensitive information (accounts, data, etc.) from our devices when traveling.

    In your scenario, having a vault with phony data won't be sufficient anyway. If they're asking for these things, they're likely to try to get into your Facebook account, for example, and then they find one of three things, depending on how it's setup: 1) no Facebook login credentials, 2) a dummy Facebook account which probably won't be very convincing, or 3) an elaborate dummy Facebook account that you'd have to go to a great deal of trouble to maintain to look convincing -- and at that point it probably has some useful information anyway (history, devices/browsers, targeted ads, etc.), just by virtue of using it even in an intentionally misleading capacity. What I'm trying to say is that if we follow this to its logical conclusion, it's a big mess. It's much simpler to delete 1Password from your device temporarily and then sync your data back when you're through security. Obviously that doesn't cover all hypothetical "duress" scenarios, but that's impossible anyway. We have some alternative ideas and are open to others, but fake data is going to be either unconvincing or incredibly burdensome to manage.

    I think the problem remains the same. Anyone who is sufficiently motivated to force you to enter your password under duress either already knows about the "duress mode" and won't buy it or will become much more upset with you when none of the passwords actually work.

    This is false, similar to TrueCrypt and it's many predecessors that picked up after it, such as VeraCrypt, the idea is that you can have false data that has the appearance of being sensitive. "Outer vs Hidden Volume". Who said the passwords don't work, or that you cannot have dummy data within the database?

    It's certainly easy to imagine that and say so. But if you're ever unfortunate enough to be in a situation like this, I think you'll find it otherwise. Anyone in a position to demand such things of you is also in a position to not take your word for it that what you're presenting them with is everything you have. And again, someone has to create this false data and make it convincing. 1Password can't do that because then everyone would suspiciously have the same vault, and there are few of us who have the time and inclination to maintain an entirely separate digital life for this purpose.

    Duress-mode seems to be a fully reasonable request for a company responsible for keeping the keys of its users safe. The only, and best solution for the unlikely but possible situation of duress, is a duress mode. Very simple: user enters a duress password, and 1PW opens only the Duress vault.

    It's really a stretch to say not only that this is a good solution, but the only one. These are all things we're acutely aware of and strongly motivated to find a good solution for though, but trying to fool an attacker -- especially one that's even somewhat sophisticated and/or motivated -- isn't any kind of security and we're not going to offer it and present it as such to 1Password users. Unlocking your phone and not having 1Password means that no one will ask you for access to it in the first place. It's not ideal, but we don't live in an ideal world. I think there's cause to be optimistic though, both for the rest of the 21st century and for 1Password, because there's plenty of room for improvement in both.

  • 5andwich5andwich
    edited April 2017

    Thanks for your detailed response, I perhaps may have been somewhat presumptuous in my assumption that the topic was dismissed. I ended up doing something close to what you suggested for my computer, and have instead changed my phone and OS entirely to SilentOS to support hidden applications. (Which took a bit of extra work with 1PW, as I could not install it out of the box for some reason)

    This brought up another question, is 1Password portable, and if not, can it be made Portable? Meaning, can it be run it off a USD Drive, or a mounted drive?

  • BenBen AWS Team

    Team Member

    Hi @5andwich

    Glad to hear you were able to come up with a solution that works for you.

    This brought up another question, is 1Password portable, and if not, can it be made Portable? Meaning, can it be run it off a USD Drive, or a mounted drive?

    At present: no. We do not currently have plans to make the 1Password apps portable. We do, however, have the 1Password.com web interface for 1Password.com account holders.

    Thanks!

    Ben

This discussion has been closed.