Having a dual password feature on the Librem system is a concept worth considering. Currently, we use one password for login, but I propose the option to have multiple passwords for a single user account. This would allow for an additional level of security in situations where I may need to share my system and password with someone for a specific reason. If an alternative password is entered, it could trigger actions such as deleting specific folders and removing certain software programs.
Right, I discussed something like that a while back:
My recommendation is unique. Imagine yourself as a journalist who needs to surrender their phone to the authorities, but wishes to safeguard certain private information.
I forgot to address a very important point you made:
That would not work well against digital forensic experts and may not even be legal depending on your jurisdiction.
I humbly submit an old idea I once had to this: Apps you want on the L5 - #229 by JR-Fi. More can be invented. L5 has the capacity to be very unique with different methods and features associated with login. It’s another question who’d take on the work…
So we are really talking about an alternative or duress password, right?
(In my context, dual password means that two people must be present in order to log in at all because one person provides one password and the other person provides the other password - which would be a fairly ungainly way of doing a phone.)
One challenge is that whatever you implement does kind of have to fit in with the normal Linux security model. I mean sure, you can fork the login screen and related things but that is an ongoing burden.
For example, because Linux simply has no means of verifying an alternative password against the password (shadow password) file, it may make sense to consider this as not a password - and instead just a duress code that triggers certain behaviour. Maybe this can be done with a PAM module??
Another challenge is that with the Librem 5 you don’t actually login. Consistent with other phones, there is no login. Unless this has subsequently been “rectified”?? I personally would like to see a GUI setting that reinstates the login process, which might be a precondition for being able to have more complex login behaviour.
From my own experience, messing around with the login process can be hazardous i.e. you can lock yourself out if a code change goes awry. So the starting point might be to ensure that you know how to use Jumpdrive to fix things up if you break them.
As implicitly suggested by Kyle, this can be partially addressed by putting sensitive material on the uSD card. If intending to cross an international border, remove the uSD card before you leave.
Related to that would be: why even have the content on the phone if it’s going to be a problem? Just access it via the internet if and when you need that content. I understand that there might be limitations with that approach.
It is not clear what your recovery procedure would be if you successfully activate the duress code, delete the content, successfully avoid arousing any suspicion … and then subsequently want that content.
Which idea specifically? One or two of those I think have been superseded e.g. you can now have a password that is not numeric and if sticking with digits then you can randomise the numpad.