Duress detection for authentication attacks against multiple administrators

Emil Stefanov, M. Atallah
Published in: Insider Threats '10, 2010-10-08. DOI: 10.1145/1866886.1866895 (https://doi.org/10.1145/1866886.1866895)
Citations: 6

Abstract

An authentication system is duress-resistant if it allows a user or system administrator to covertly send a silent alarm during the login process, indicating that they are being forced to authenticate against their will. The adversary knows that the system has this feature, e.g., if two passwords are used (one normal and one duress) then the adversary will demand from a victim both passwords. We require that the adversary is not able to distinguish a non-cooperating victim from a cooperating victim, even if there are multiple victims some of whom cooperate while others do not. To avoid a false alarm, we also require that the probability of a user accidentally sending a duress signal (e.g., through typos) is small. After arguing that existing techniques are inadequate for such requirements, we present our design and implementation of a duress-resistant authentication system that can be used by any number of administrators and users. Our system is compatible with existing authentication systems, and can be implemented as an augmentation of their capabilities that does not require modification of their internals.