Border search safe TOTP authenticator app?

10•jakedata•7mo ago

While crossing international borders, a traveler may be legitimately asked to provide access to their devices. Such a person is often not in a position to refuse.

I am searching for a dual-pin TOTP app that looks like it is working whether it is or not. Entering the wrong PIN might cause the app to generate invalid codes while optionally wiping the real config.

Actually attempting to use the invalid code could potentially trigger all kinds of actions on the server that received the bogus login request. Sending an SOS email might be one such action.

I am not sure such a thing exists in either major app store. Thoughts?

Comments

xxpor•7mo ago

Be very careful with your threat model here. If an agent attempts to use the codes and they don't work, and they find out there's a dual pin mechanism, you could end up in more trouble than with whatever they'd have seen in the first place.

mrsilencedogood•7mo ago

Yeah, people love to LARP being Snowden but never actually have anything even theoretically worth being sent to border-jail over protecting.

And, if you do, and you're really asking hacker news for opsec advice, I would suggest you abandon your career as a super-spy or whatever you're doing, because you're doing it very wrong.

jakedata•7mo ago

Not a superspy. Oblig: https://xkcd.com/705

ectospheno•7mo ago

Have a phone just for travel. Different account. Only have things you actually need during travel on it. Turn on a cheap plan when you need it. If they ask for something just say you can't remember and let them keep it.

soraminazuki•7mo ago

This is the nothing to hide argument dressed up with hyperbole, straw men, and insults. You're making fun of people protecting basic human rights.

mrsilencedogood•7mo ago

We literally have collectively (to the value that US democracy approximates collectively) decided to abridge those rights within a certain distance of a border. I want people to understand what they are getting themselves into for the sake of their political protest. I would argue it is better to try to approach this reform differently than simply ending up in a border jail with your holiday ruined.

altairprime•7mo ago

Memorize one TOTP key for a cloud offering; then store the rest in it. 1password, Lastpass, etc. It’s not that much longer than a Windows product key, and I still know one of those.

The secret key is just an RNG output so you could also take it in 4 byte chunks and memorize 16 PRNG inputs that generate each the 4 bytes.

Or you could memorize a passphrase, take a sha2 hash of it, and then memorize a single PRNG input that spits out the bitstring diff between the hash output and the TOTP key. That way you aren’t wholly dependent on memorizing numbers and you can still safely use a more predictable and weak ‘PRNG’ that can amplify the bitstring salt out of an input.

etc.

jasonpeacock•7mo ago

FYI, you're asking about duress codes[1] - it may help your search to use that term.

[1] https://en.wikipedia.org/wiki/Duress_code

esbranson•7mo ago

Lying to US officials is 5 years in prison. Per instance. One assumes other countries have similar laws, but I doubt anyone knows what actually happens in courts outside the US.

slau•7mo ago

Just store the TOTPs you actually care about on a Yubikey. Leave a few “worthless” TOTP in whatever TOTP app you use. Remove the Yubico Authenticator app before crossing the border.

Elfener•7mo ago

This post came to mind: https://blog.singleton.io/posts/2022-10-17-otp-on-wrist/

I doubt anyone wants to search a f-91w.

Nextgrid•7mo ago

You need to re-evaluate your threat model and change your approach. As others have said here, a TOTP that doesn't work would attract more attention that one that does or one that outright doesn't exist, all the way up to escalating the encounter from casual privacy-conscious user to alleged spy.

The best way is to legitimately not have anything on the phone or your online presence that would cause problems, and then just be transparent (honestly, they're not after your nudes or embarrassing texts). A lot of border checks are based on feelings and if you look the part they'll quickly flick through the phone for obvious stuff they're after and will let you go once they don't find it.

If you are actually doing something that would cause issues, then you keep this off the local device and onto a remote one. Use a YubiKey or other dual-use authenticator (that gives you plausible deniability for having it - you can use the same key on benign social media accounts, etc) to access it from a secure device once you're through.

wkat4242•7mo ago

Also, the obvious: don't visit countries with border device searches.

I can understand customs looking for suspicious contraband. We all want drugs confiscated. But data is easier to transport across borders online than on a person's device. If they're looking for hints of terrorism these can be done also after entering the country with the proper warrants.

The only reason these are done is just theater and muscle flexing/bullying. They don't serve a real purpose. And the countries carrying these out are just trying to look tough.

ahazred8ta•7mo ago

Note: there are more comprehensive border-crossing security guides

https://freedom.press/digisec/guides/

jqpabc123•7mo ago

I carry critical sensitive data on an encrypted micro-SD card discreetly attached to my wrist watch band. I've never had anyone even discover it much less try to examine or access it.

A wrist watch doesn't attract much attention being a common fashion accessory that lacks sufficient volume needed to disguise any dangerous substance and isn't commonly known as a data store.

https://www.thingiverse.com/thing:6784665

LLMs are powerful, but enterprises are deterministic by nature

Ask HN: Anyone Using a Mac Studio for Local AI/LLM?

Ask HN: Non AI-obsessed tech forums

Ask HN: Ideas for small ways to make the world a better place

Ask HN: 10 months since the Llama-4 release: what happened to Meta AI?

Ask HN: Who wants to be hired? (February 2026)

Ask HN: Who is hiring? (February 2026)

Ask HN: Non-profit, volunteers run org needs CRM. Is Odoo Community a good sol.?

AI Regex Scientist: A self-improving regex solver

Tell HN: Another round of Zendesk email spam

Ask HN: Is Connecting via SSH Risky?

Ask HN: Has your whole engineering team gone big into AI coding? How's it going?

Ask HN: Why LLM providers sell access instead of consulting services?

Ask HN: What is the most complicated Algorithm you came up with yourself?

Ask HN: How does ChatGPT decide which websites to recommend?

Ask HN: Is it just me or are most businesses insane?

Ask HN: Mem0 stores memories, but doesn't learn user patterns

Ask HN: Is there anyone here who still uses slide rules?

Kernighan on Programming

Ask HN: Any International Job Boards for International Workers?

Ask HN: Anyone Seeing YT ads related to chats on ChatGPT?

Ask HN: Does global decoupling from the USA signal comeback of the desktop app?

We built a serverless GPU inference platform with predictable latency

Ask HN: Does a good "read it later" app exist?

Ask HN: How Did You Validate?

Ask HN: Have you been fired because of AI?

Ask HN: Cheap laptop for Linux without GUI (for writing)

Ask HN: Anyone have a "sovereign" solution for phone calls?

Ask HN: OpenClaw users, what is your token spend?

Ask HN: Has anybody moved their local community off of Facebook groups?