Hi Jon -
Someone could enable terminal-only before going into risky situations, such as those where the device could be stolen, or they could leave it in terminal mode all the time as their default login option. Everyone has their own preferred point on the security/convenience spectrum, so the ideal case is that users could configure their primary account as they choose, and then toggle in and out of terminal mode when needed.
For corporate clients, add the ability for an Admin to lock down settings per company policy, to prevent users from accidentally or deliberately doing things that increase risk or screw up the device configuration.
For duress accounts: the risk of accidentally wiping the device could be limited as follows, for all accounts on the device:
Turn on the device; it opens with a gray screen showing “userID” and “password” fields and a keyboard. Enter credentials. The screen changes to the color, image, or pattern associated with those credentials, and a message appears: “click Continue or Go Back”. This happens regardless of whether any duress accounts exist, to prevent hostiles from noticing an extra prompt as a sign of a duress-account login. Now you’ve got one more chance to choose whether to abort or nuke it.
Understood that people tend to use muscle memory to click through screens, but we have to assume a minimum threshold of acceptable mindfulness for doing anything more than sleeping. There will be sad stories, but fewer and less-sad than if people are susceptible to getting hijacked.
Now while we’re at it, one of the configurable options in the duress accounts should be a “call for help” option that signals a server to trigger any or all of the following:
- Call one or more telephone numbers and play a message the user has recorded in advance, e.g. “This is an emergency. This is Alice calling. I’m in a duress situation. Please follow company procedures to locate me.” Message repeats for 2 minutes (in case it reaches voicemail) and then hangs up. (The dialing protocol would need to allow for pauses such as if it reaches a voicemail menu and has to dial an extension.)
- Send a pre-written text message to one or more designated destinations.
- Send a pre-written email message to one or more designated destinations.
The user’s main account would have options for testing the “call for help” functions, so they could be set up in advance and tested ahead of need.
The signal to the server would be the minimum quantity of bytes needed to authenticate and trigger the action, which should be possible to accomplish within a ping payload. The server would ack by returning a ping to the device, with a payload that authenticated the server: this would cause the device to stop sending the “call for help” signal.
And of course, similar but non-duress routines could be used in the non-duress account modes, to prevent hostiles from recognizing duress mode by the presence of the help transmissions.
Wouldn’t it be nice to live in a world where all of this isn’t necessary? Between now and then, the thing to do is make it so regular, routine, and easy, for people to protect themselves, as to deter at least some types of attack and make some others substantially more difficult.
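As an added illustration (not part of the reply above or of any product it discusses), here is one way the “call for help” exchange could be encoded: a 25-byte authenticated request small enough for a ping payload, and a 24-byte server ack that the device verifies before it stops retrying. The field layout, the HMAC-SHA256 construction, the per-device shared key, the flag masking and the counter-based replay check are all assumptions of this example. It also covers the point about routine traffic: a non-duress check-in and a duress call are the same length and the flag is masked, so an observer cannot tell them apart.

```python
import hashlib
import hmac
import struct

# Assumed wire format (this example's choice, not from the thread):
# request = device_id(4) || counter(4) || masked_flag(1) || tag(16)  = 25 bytes
# ack     = device_id(4) || counter(4) || ack_tag(16)                = 24 bytes
# Both fit inside the 56-byte data field of a default ICMP echo request.
TAG_LEN = 16          # truncated HMAC-SHA256 tag
FLAG_ROUTINE = 0      # ordinary check-in, sent by non-duress accounts too
FLAG_DURESS = 1       # "call for help"


def _mac(key: bytes, label: bytes, data: bytes) -> bytes:
    # Domain-separated HMAC so request tags, ack tags and mask bytes never collide.
    return hmac.new(key, label + data, hashlib.sha256).digest()


def build_request(key: bytes, device_id: int, counter: int, flag: int) -> bytes:
    head = struct.pack(">II", device_id, counter)
    # Mask the flag with one key-derived byte so a routine check-in and a
    # duress call are byte-for-byte indistinguishable on the wire.
    masked = flag ^ _mac(key, b"mask", head)[0]
    tag = _mac(key, b"req", head + bytes([flag]))[:TAG_LEN]
    return head + bytes([masked]) + tag


class HelpServer:
    """Per-device keys, the configured help actions, and anti-replay state."""

    def __init__(self, keys: dict, actions: dict):
        self.keys = keys            # device_id -> shared key
        self.actions = actions      # device_id -> action names to fire on duress
        self.last_counter = {}      # device_id -> highest counter accepted so far

    def handle(self, payload: bytes):
        """Return (ack bytes or None, list of actions fired)."""
        if len(payload) != 8 + 1 + TAG_LEN:
            return None, []
        head, masked, tag = payload[:8], payload[8], payload[9:]
        device_id, counter = struct.unpack(">II", head)
        key = self.keys.get(device_id)
        if key is None:
            return None, []                      # unknown device
        flag = masked ^ _mac(key, b"mask", head)[0]
        expected = _mac(key, b"req", head + bytes([flag]))[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None, []                      # forged or corrupted
        last = self.last_counter.get(device_id, -1)
        if counter < last:
            return None, []                      # replayed old request
        ack = head + _mac(key, b"ack", head)[:TAG_LEN]
        if counter == last:
            return ack, []                       # retransmit: re-ack, do not re-fire
        self.last_counter[device_id] = counter
        fired = list(self.actions.get(device_id, [])) if flag == FLAG_DURESS else []
        return ack, fired


def verify_ack(key: bytes, device_id: int, counter: int, ack) -> bool:
    head = struct.pack(">II", device_id, counter)
    if ack is None or len(ack) != 8 + TAG_LEN or ack[:8] != head:
        return False
    return hmac.compare_digest(ack[8:], _mac(key, b"ack", head)[:TAG_LEN])


def call_for_help(key, device_id, counter, flag, transport, max_tries=5):
    """Resend the same request until an ack that authenticates the server arrives.
    Returns the attempt number that succeeded, or None if all tries failed."""
    req = build_request(key, device_id, counter, flag)
    for attempt in range(1, max_tries + 1):
        if verify_ack(key, device_id, counter, transport(req)):
            return attempt
    return None


def simulate(server, key, device_id, counter, flag, drop_first_ack=True):
    """Run call_for_help over a link that loses the first ack.
    Returns (attempts needed, actions the server actually fired)."""
    fired_total = []
    drops = [1 if drop_first_ack else 0]

    def transport(payload):
        ack, fired = server.handle(payload)
        fired_total.extend(fired)
        if drops[0]:
            drops[0] -= 1
            return None        # ack lost in transit; the device will retry
        return ack

    return call_for_help(key, device_id, counter, flag, transport), fired_total


if __name__ == "__main__":
    k = bytes(range(32))   # constructed demo key, not a real secret
    srv = HelpServer({7: k}, {7: ["call", "sms", "email"]})
    print(simulate(srv, k, 7, 1, FLAG_DURESS))   # (2, ['call', 'sms', 'email'])
```

The retransmit case matters: if the server fires the actions but its ack is lost, the device keeps sending the same counter, and the server must re-ack without dialing everyone a second time. Storing the highest accepted counter per device handles both that and straight replays of a captured packet.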