According to Wikipedia, a duress code is a covert signal used by an individual who is under duress to indicate their state. Duress codes are used widely across the world, in settings ranging from checkpoints and burglar alarm systems to computer security.
Duress Code in Action
My first encounter with a duress code was as the antipode of the false positive code in a burglar alarm system: a code used to inform the security officer that you are under duress (e.g. held at gunpoint to indicate that the alarm is a false positive). It is an interesting and useful innovation in the security field. It didn’t take long for cryptographers to pick up the idea.
Duress Code Improvement
Personally, I think a duress code might not be as usable as we thought it would be, especially when the user comes to a state of duress. What’s the chance that people will forget the code in that state of mind? What’s the chance that people will remember a code they rarely use when most of the time they cannot recall the passwords of applications that they seldom use?
My idea is not exactly an improvement to the system; it is more like a “better usability suggestion.” It is adopted from form validation best practices: deny everything, accept what is expected. In other words, everything is a duress code. You just need to remember your false positive code (remembering one code instead of two).
You may argue that you might forget your false positive code, and your security agent will come running to your house when it’s just a false alarm. You just have to ask yourself two questions:
What’s the chance of you being unable to recall your “password” in a state of duress compared to when you are not?
Do you prefer your security agent to “drop by” when it’s a false alarm? Or to not care about you because you could not remember your duress code when you are held at gunpoint?
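The "deny everything, accept what is expected" rule and the two questions above can be put side by side in code. This is an added example, not code from the original post: the class and function names, the sample codes, the PBKDF2 round count and the "no_action" outcome for an unrecognised code in the two-code design are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

ROUNDS = 50_000  # example value, an assumption of this sketch

def digest(code: str, salt: bytes) -> bytes:
    """Stretch the keypad code so the panel never stores it in the clear."""
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, ROUNDS)

class Panel:
    """Holds salted digests of the codes a panel knows (hypothetical class)."""
    def __init__(self, **codes: str):
        self.salt = os.urandom(16)
        self.known = {name: digest(c, self.salt) for name, c in codes.items()}

    def is_code(self, name: str, entered: str) -> bool:
        # Constant-time comparison of digests.
        return hmac.compare_digest(digest(entered, self.salt), self.known[name])

def two_code_decision(panel: Panel, entered: str) -> str:
    """Conventional design: a cancel code plus a separate duress code."""
    if panel.is_code("cancel", entered):
        return "stand_down"
    if panel.is_code("duress", entered):
        return "dispatch"
    # Assumption taken from the post's second question: an unrecognised
    # code sends nobody.
    return "no_action"

def allowlist_decision(panel: Panel, entered: str) -> str:
    """Scheme from the post: accept only the false positive code."""
    return "stand_down" if panel.is_code("cancel", entered) else "dispatch"

def compare(entries):
    """Run the same keypad entries through both designs."""
    two = Panel(cancel="4821", duress="4822")  # constructed sample codes
    one = Panel(cancel="4821")
    return [(e, two_code_decision(two, e), allowlist_decision(one, e))
            for e in entries]

if __name__ == "__main__":
    # Constructed entries: correct cancel, correct duress,
    # misremembered duress, mistyped cancel.
    for row in compare(["4821", "4822", "4882", "4812"]):
        print(row)
```

The third entry is the misremembered duress code that the two-code design ignores, and the fourth is the mistyped false positive code that costs the allowlist design a false-alarm visit.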