Border search safe TOTP authenticator app?

10 points by jakedata 11 hours ago

While crossing international borders, a traveler may be legitimately asked to provide access to their devices. Such a person is often not in a position to refuse.

I am searching for a dual-pin TOTP app that looks like it is working whether it is or not. Entering the wrong PIN might cause the app to generate invalid codes while optionally wiping the real config.

Actually attempting to use the invalid code could potentially trigger all kinds of actions on the server that received the bogus login request. Sending an SOS email might be one such action.

I am not sure such a thing exists in either major app store. Thoughts?

jasonpeacock - 10 hours ago

FYI, you're asking about duress codes[1] - it may help your search to use that term.

[1] https://en.wikipedia.org/wiki/Duress_code

Nextgrid - 9 hours ago

You need to re-evaluate your threat model and change your approach. As others have said here, a TOTP that doesn't work would attract more attention that one that does or one that outright doesn't exist, all the way up to escalating the encounter from casual privacy-conscious user to alleged spy.

The best way is to legitimately not have anything on the phone or your online presence that would cause problems, and then just be transparent (honestly, they're not after your nudes or embarrassing texts). A lot of border checks are based on feelings and if you look the part they'll quickly flick through the phone for obvious stuff they're after and will let you go once they don't find it.

If you are actually doing something that would cause issues, then you keep this off the local device and onto a remote one. Use a YubiKey or other dual-use authenticator (that gives you plausible deniability for having it - you can use the same key on benign social media accounts, etc) to access it from a secure device once you're through.

wkat4242 - 7 hours ago

Also, the obvious: don't visit countries with border device searches.
I can understand customs looking for suspicious contraband. We all want drugs confiscated. But data is easier to transport across borders online than on a person's device. If they're looking for hints of terrorism these can be done also after entering the country with the proper warrants.
The only reason these are done is just theater and muscle flexing/bullying. They don't serve a real purpose. And the countries carrying these out are just trying to look tough.

slau - 9 hours ago

Just store the TOTPs you actually care about on a Yubikey. Leave a few “worthless” TOTP in whatever TOTP app you use. Remove the Yubico Authenticator app before crossing the border.

ahazred8ta - 3 hours ago

Note: there are more comprehensive border-crossing security guides

https://freedom.press/digisec/guides/

xxpor - 10 hours ago

Be very careful with your threat model here. If an agent attempts to use the codes and they don't work, and they find out there's a dual pin mechanism, you could end up in more trouble than with whatever they'd have seen in the first place.

mrsilencedogood - 10 hours ago

Yeah, people love to LARP being Snowden but never actually have anything even theoretically worth being sent to border-jail over protecting.
And, if you do, and you're really asking hacker news for opsec advice, I would suggest you abandon your career as a super-spy or whatever you're doing, because you're doing it very wrong.
- soraminazuki - 7 hours ago
  
  This is the nothing to hide argument dressed up with hyperbole, straw men, and insults. You're making fun of people protecting basic human rights.
- jakedata - 10 hours ago
  
  Not a superspy. Oblig: https://xkcd.com/705
  - ectospheno - 10 hours ago
    
    Have a phone just for travel. Different account. Only have things you actually need during travel on it. Turn on a cheap plan when you need it. If they ask for something just say you can't remember and let them keep it.

altairprime - 10 hours ago

Memorize one TOTP key for a cloud offering; then store the rest in it. 1password, Lastpass, etc. It’s not that much longer than a Windows product key, and I still know one of those.

The secret key is just an RNG output so you could also take it in 4 byte chunks and memorize 16 PRNG inputs that generate each the 4 bytes.

Or you could memorize a passphrase, take a sha2 hash of it, and then memorize a single PRNG input that spits out the bitstring diff between the hash output and the TOTP key. That way you aren’t wholly dependent on memorizing numbers and you can still safely use a more predictable and weak ‘PRNG’ that can amplify the bitstring salt out of an input.

etc.

esbranson - 9 hours ago

Lying to US officials is 5 years in prison. Per instance. One assumes other countries have similar laws, but I doubt anyone knows what actually happens in courts outside the US.

- 8 hours ago

[deleted]

Elfener - 9 hours ago

This post came to mind: https://blog.singleton.io/posts/2022-10-17-otp-on-wrist/

I doubt anyone wants to search a f-91w.

- 10 hours ago

[deleted]