So what is this Duress PIN thing and how does it work? The name gives it away; let’s look at a dictionary definition of duress:

Note: The Duress PIN Feature is part of the iOS Pro feature set

The idea of a Duress PIN is simple: if, for whatever reason, you are in a bad situation where someone is forcing you to unlock your database, you can enter a different PIN from the correct one, and Strongbox will perform some kind of plausible action without revealing your passwords or secrets.

You could be a human rights worker entering an authoritarian country with no real commitment to personal freedoms, or perhaps you’re simply someone who likes their privacy and wants to keep their secrets private. That sounds like a simple wish, but once you arrive at the customs port of your destination country, all bets may be off: the enforcers will want what they want, or you’re not getting in. Maybe you work in a dangerous part of the world and fear that criminal elements may force you to reveal your banking details or similar. Whatever the reason, anyone could find themselves under duress.

So how do I set up my Duress PIN? The first thing you need to do is set up a regular, non-duress PIN, which we call a convenience PIN. This allows you to open your password database with a short set of digits (like your ATM PIN). To do this, simply:

  1. Unlock your database
  2. Tap the “More” or “Ellipsis” (…) button in the top right corner
  3. Tap Database Settings
  4. Tap Configure PIN Codes
  5. Tap ‘Turn Convenience PIN On’
  6. Enter a PIN code. You’ll now be able to unlock your database with this PIN code.

Next we will want to set up a separate PIN, our Duress PIN. To do so, let’s go back to that PIN configuration screen:

  1. Down in the Duress PIN section, tap ‘Turn Duress PIN On’
  2. Enter a PIN, different this time from your regular convenience PIN.

Once done, you’ll notice that the ‘When Duress PIN Entered’ section is now enabled and you can choose from the three available options. Let’s have a look at these options in turn and see what they do:

  1. Open a Dummy Database
    • This might be the most ‘stealthy’ option of all. Strongbox will open a database so it looks just as if the PIN you entered had worked normally. You can actually edit this database to make it look as realistic as possible. Think of it perhaps like a decoy wallet: you want something that looks plausible (e.g. old expired credit cards, maybe even a few dollars!). So you probably want to spend some time setting this up; just don’t enter your real secrets/passwords.
  2. Present a Technical Error
    • A fairly straightforward response: a reasonable-looking error message will pop up. Simple yet effective.
  3. Remove Database from Strongbox
    • This is sort of the nuclear option. The database will be removed from Strongbox completely. If your database is stored on a remote provider somewhere it won’t be touched, so don’t worry; it will just not be visible or accessible from Strongbox without re-adding it. However, if someone is watching you while you do this, it might be obvious that you’ve done something to thwart them.
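To make the relationship between the two PINs and the three responses concrete, here is an added illustration of the unlock decision as a small model. It is not Strongbox’s own code; the class, function and enum names are hypothetical, and it assumes PINs are stored as salted PBKDF2 hashes rather than in plain text.

```python
import hashlib
import hmac
import os
from enum import Enum


class DuressAction(Enum):
    # The three 'When Duress PIN Entered' options described above.
    OPEN_DUMMY = "open_dummy_database"
    TECHNICAL_ERROR = "present_technical_error"
    REMOVE_DATABASE = "remove_database_from_app"


class UnlockOutcome(Enum):
    OPEN_REAL = "open_real_database"
    REJECT = "reject"


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # Salted, stretched hash so the stored value is never the raw PIN.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class PinPolicy:
    """Hypothetical model of convenience-PIN plus duress-PIN handling."""

    def __init__(self, convenience_pin: str) -> None:
        self._salt = os.urandom(16)
        self._convenience = _hash_pin(convenience_pin, self._salt)
        self._duress = None
        self.duress_action = DuressAction.TECHNICAL_ERROR

    def set_duress_pin(self, duress_pin: str, action: DuressAction) -> bool:
        """Return False (and change nothing) if the duress PIN equals the convenience PIN."""
        candidate = _hash_pin(duress_pin, self._salt)
        # Step 2 above requires a different PIN: if both were equal the app could
        # never tell a genuine unlock from a duress unlock.
        if hmac.compare_digest(candidate, self._convenience):
            return False
        self._duress, self.duress_action = candidate, action
        return True

    def unlock(self, entered_pin: str):
        entered = _hash_pin(entered_pin, self._salt)
        # Both comparisons are evaluated before deciding, so the time taken does
        # not hint at which PIN (if either) matched.
        is_real = hmac.compare_digest(entered, self._convenience)
        is_duress = self._duress is not None and hmac.compare_digest(entered, self._duress)
        if is_real:
            return UnlockOutcome.OPEN_REAL
        if is_duress:
            return self.duress_action  # the configured response, never the real data
        return UnlockOutcome.REJECT
```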

Those are your options, and you’ll need to choose which one suits your particular scenario best. We can’t offer advice on this; only you can decide. Indeed, you will need to decide whether you want to use this feature at all. Take a look at our short note of caution below before deciding if using a Duress PIN is something you really want to do. Another option you may consider is simply to remove the database from Strongbox completely during transit in and out of problematic territory. You can re-add your database once you’re safely through that tough jurisdiction or sticky situation.

A Final Note of Caution

It may actually be illegal or counterproductive to enter a duress PIN in some situations, because if you are somehow caught doing this, the relevant forces or legal authorities may consider it a deceptive act and take punitive measures against you. This is something you’ll need to consider as part of your particular situation and threat model. It is worth examining how your target jurisdiction would react if you were somehow discovered to be using a Duress PIN in a situation like this. Strongbox only provides this powerful option; the choice is entirely yours.
