Welcome!

Cloud Security Authors: Donald Meyer, Elizabeth White, Pat Romanski, Liz McMillan, Jose Diaz

Related Topics: Cloud Security

Cloud Security: Blog Feed Post

Why Passwords Will Remain Relevant: Duress

Duress password expiry is an interesting policy issue

With the continued rise in home-based and mobile working, the possibility of people being forced to access and potentially modify data during encounters with ne’er-do-wells becomes a genuine security issue.

For example, while there haven’t been many cases reported yet, the time will come when the kid lurking in the alley with the switchblade, isn’t just going to want to part you from your smartphone or tablet, but is also going to want to part you from the contents of your bank account, with it. A recent issue of FSTech (http://www.fstech.co.uk/), a UK-based financial services technology magazine, stated that banks are concerned about the lack of uptake of mobile banking solutions; my guess is that the duress situation, is one of the reasons people are averse to doing their banking “on the go”.



There are actually three categories of duress, these being:

  • local: a threat to your person, which will be exercised unless you do what you are told (eg: a gun to your head)
  • divorced: a threat to your family or other people you personally care about (and who are in a different location), which will be exercised unless you do what you are told (eg: a gun to your wife’s head)
  • remote: a threat to individuals unknown to you, which will be carried out unless you do what you are told (eg: a bomb in a populated area).

Taking this into account, it’s possible that a well-designed system which authenticates users based on a username and password would require up to 4 passwords per user – one for legitimate login in a normal situation, and three more, one for each type of duress! All these different categories may be required, as different workflow actions would be desirable based on the nature of the duress; although depending on differences in actions between duress types, some categories may be collapsible. For example: Local duress:

  • log me in, increase the level of user activity logging on my account, start signing logs to ensure evidential integrity (if not done already)
  • take snapshots of databases to which I have access, my home directory, etc, such that activities I perform can be rolled back
  • alert security or law enforcement personnel as to my location and the fact I’m in peril, request their intervention

Divorced duress:

  • log me in, increase the level of user activity logging on my account, start signing logs to ensure evidential integrity (if not done already)
  • take snapshots of databases to which I have access, my home directory, etc, such that activities I perform can be rolled back
  • alert security or law enforcement personnel to my location and the fact that folk I care about are in peril, ensure appropriate authorities are informed, but remain on standby

Remote duress:

  • log me in, increase level of user activity logging on my account, start signing logs if not done already
  • start backups / snapshots of databases to which I have access, my home directory, etc, such that activities I perform can be rolled back
  • alert security or law enforcement personnel to the fact that there is a threat to some remote location which can’t be disclosed right now, ensure appropriate authorities are informed, and remain on standby

…or whatever is considered appropriate for the situation, by organisational policy; in the case of a bank being alerted of a duress situation by a customer, transactions between institutions across the SWIFT network would need to be flagged as being allowed to proceed, but in such a manner that they could be reversed once the situation is resolved. While tokens, biometrics etc can all be employed to authenticate individuals to systems, only a password – or some other secret known only to the legitimate user, such as an order in which to press fingers to a biometric reader or a PIN to type into a token – can be substituted for an equivalent but different password to indicate duress, in a manner which cannot be observed and identified by whomever is present and causing the duress. In this respect, in a classic “defence in depth” approach to security, a duress password is “the last line of defence” available to an imperiled user. With access to data and services now being available to a typical individual anywhere there is a 3G signal, the likelihood of users finding themselves under duress at times when they have the ability to connect to systems and engage in transactions will only increase. In terms of implementation, there are three primary places where changes would need to be made in order to implement a duress system:

  1. The user directory schema would need to be extended to include duress passwords
  2. the authentication system itself would need to be extended to support entry and change of duress passwords, as well as requiring a command / control interface to the user transaction systems in order to implement logging and snapshot / rollback changes as required
  3. an out of band alerting system will need to be either installed or updated, to meaningfully communicate duress details

Duress password expiry is an interesting policy issue; I would expect a password would only be required to be changed after use if at all, as its use will hopefully be a very rare event indeed.

More Stories By Bob Gourley

Bob Gourley writes on enterprise IT. He is a founder and partner at Cognitio Corp and publsher of CTOvision.com

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@ThingsExpo Stories
WebRTC is bringing significant change to the communications landscape that will bridge the worlds of web and telephony, making the Internet the new standard for communications. Cloud9 took the road less traveled and used WebRTC to create a downloadable enterprise-grade communications platform that is changing the communication dynamic in the financial sector. In his session at @ThingsExpo, Leo Papadopoulos, CTO of Cloud9, will discuss the importance of WebRTC and how it enables companies to fo...
SYS-CON Events announced today that MangoApps will exhibit at SYS-CON's 18th International Cloud Expo®, which will take place on June 7-9, 2016, at the Javits Center in New York City, NY. MangoApps provides modern company intranets and team collaboration software, allowing workers to stay connected and productive from anywhere in the world and from any device. For more information, please visit https://www.mangoapps.com/.
Companies can harness IoT and predictive analytics to sustain business continuity; predict and manage site performance during emergencies; minimize expensive reactive maintenance; and forecast equipment and maintenance budgets and expenditures. Providing cost-effective, uninterrupted service is challenging, particularly for organizations with geographically dispersed operations.
SYS-CON Events announced today TechTarget has been named “Media Sponsor” of SYS-CON's 18th International Cloud Expo, which will take place on June 7–9, 2016, at the Javits Center in New York City, NY, and the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. TechTarget is the Web’s leading destination for serious technology buyers researching and making enterprise technology decisions. Its extensive global networ...
SYS-CON Events announced today that EastBanc Technologies will exhibit at SYS-CON's 18th International Cloud Expo®, which will take place on June 7-9, 2016, at the Javits Center in New York City, NY. EastBanc Technologies has been working at the frontier of technology since 1999. Today, the firm provides full-lifecycle software development delivering flexible technology solutions that seamlessly integrate with existing systems – whether on premise or cloud. EastBanc Technologies partners with p...
SYS-CON Events announced today that Tintri Inc., a leading producer of VM-aware storage (VAS) for virtualization and cloud environments, will exhibit at the 18th International CloudExpo®, which will take place on June 7-9, 2016, at the Javits Center in New York City, New York, and the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.
SYS-CON Events announced today that BMC Software has been named "Siver Sponsor" of SYS-CON's 18th Cloud Expo, which will take place on June 7-9, 2015 at the Javits Center in New York, New York. BMC is a global leader in innovative software solutions that help businesses transform into digital enterprises for the ultimate competitive advantage. BMC Digital Enterprise Management is a set of innovative IT solutions designed to make digital business fast, seamless, and optimized from mainframe to mo...
A strange thing is happening along the way to the Internet of Things, namely far too many devices to work with and manage. It has become clear that we'll need much higher efficiency user experiences that can allow us to more easily and scalably work with the thousands of devices that will soon be in each of our lives. Enter the conversational interface revolution, combining bots we can literally talk with, gesture to, and even direct with our thoughts, with embedded artificial intelligence, wh...
SYS-CON Events announced today that Alert Logic, Inc., the leading provider of Security-as-a-Service solutions for the cloud, will exhibit at SYS-CON's 18th International Cloud Expo®, which will take place on June 7-9, 2016, at the Javits Center in New York City, NY. Alert Logic, Inc., provides Security-as-a-Service for on-premises, cloud, and hybrid infrastructures, delivering deep security insight and continuous protection for customers at a lower cost than traditional security solutions. Ful...
The IoT is changing the way enterprises conduct business. In his session at @ThingsExpo, Eric Hoffman, Vice President at EastBanc Technologies, discuss how businesses can gain an edge over competitors by empowering consumers to take control through IoT. We'll cite examples such as a Washington, D.C.-based sports club that leveraged IoT and the cloud to develop a comprehensive booking system. He'll also highlight how IoT can revitalize and restore outdated business models, making them profitable...
The essence of data analysis involves setting up data pipelines that consist of several operations that are chained together – starting from data collection, data quality checks, data integration, data analysis and data visualization (including the setting up of interaction paths in that visualization). In our opinion, the challenges stem from the technology diversity at each stage of the data pipeline as well as the lack of process around the analysis.
SYS-CON Events announced today that Commvault, a global leader in enterprise data protection and information management, has been named “Bronze Sponsor” of SYS-CON's 18th International Cloud Expo, which will take place on June 7–9, 2016, at the Javits Center in New York City, NY, and the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Commvault is a leading provider of data protection and information management...
Designing IoT applications is complex, but deploying them in a scalable fashion is even more complex. A scalable, API first IaaS cloud is a good start, but in order to understand the various components specific to deploying IoT applications, one needs to understand the architecture of these applications and figure out how to scale these components independently. In his session at @ThingsExpo, Nara Rajagopalan is CEO of Accelerite, will discuss the fundamental architecture of IoT applications, ...
With major technology companies and startups seriously embracing IoT strategies, now is the perfect time to attend @ThingsExpo 2016 in New York and Silicon Valley. Learn what is going on, contribute to the discussions, and ensure that your enterprise is as "IoT-Ready" as it can be! Internet of @ThingsExpo, taking place Nov 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 17th Cloud Expo and will feature technical sessions from a rock star conference faculty ...
As cloud and storage projections continue to rise, the number of organizations moving to the cloud is escalating and it is clear cloud storage is here to stay. However, is it secure? Data is the lifeblood for government entities, countries, cloud service providers and enterprises alike and losing or exposing that data can have disastrous results. There are new concepts for data storage on the horizon that will deliver secure solutions for storing and moving sensitive data around the world. ...
18th Cloud Expo, taking place June 7-9, 2016, at the Javits Center in New York City, NY, will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud strategy. Meanwhile, 94% of enterprises are using some...
SoftLayer operates a global cloud infrastructure platform built for Internet scale. With a global footprint of data centers and network points of presence, SoftLayer provides infrastructure as a service to leading-edge customers ranging from Web startups to global enterprises. SoftLayer's modular architecture, full-featured API, and sophisticated automation provide unparalleled performance and control. Its flexible unified platform seamlessly spans physical and virtual devices linked via a world...
In his keynote at 18th Cloud Expo, Andrew Keys, Co-Founder of ConsenSys Enterprise, will provide an overview of the evolution of the Internet and the Database and the future of their combination – the Blockchain. Andrew Keys is Co-Founder of ConsenSys Enterprise. He comes to ConsenSys Enterprise with capital markets, technology and entrepreneurial experience. Previously, he worked for UBS investment bank in equities analysis. Later, he was responsible for the creation and distribution of life ...
In his session at 18th Cloud Expo, Bruce Swann, Senior Product Marketing Manager at Adobe, will discuss how the Adobe Marketing Cloud can help marketers embrace opportunities for personalized, relevant and real-time customer engagement across offline (direct mail, point of sale, call center) and digital (email, website, SMS, mobile apps, social networks, connected objects). Bruce Swann has more than 15 years of experience working with digital marketing disciplines like web analytics, social med...
Join us at Cloud Expo | @ThingsExpo 2016 – June 7-9 at the Javits Center in New York City and November 1-3 at the Santa Clara Convention Center in Santa Clara, CA – and deliver your unique message in a way that is striking and unforgettable by taking advantage of SYS-CON's unmatched high-impact, result-driven event / media packages.