I use a duress PIN to protect my data — here’s how it works and why everyone needs one

From two-factor authentication codes to conversations and photos, our phones contain a ton of sensitive data these days. We rely on PINs and biometrics for daily security, but I shudder to think what would happen if that data landed in the wrong hands. And while Android is secure enough against remote attacks and malware these days, what if I’m forced to unlock my phone and hand it over? GrapheneOS, the privacy-focused Android fork, offers a rare solution to this hypothetical: the ability to set a duress PIN or secondary password that wipes your device clean and leaves no trace of your presence.

I’ve had a duress PIN set up on my phone for a while now. While it’s not something I hope to ever need, knowing it’s there gives me peace of mind. And even though I don’t think Google will add a feature as extreme as this one to stock Android, I can definitely see a use-case for a less extreme implementation. Here’s why.

Most devices will lock you out after too many failed unlock attempts. But that doesn’t mean your data is safe — what if you’re forced to give up your password or the attacker guesses your PIN? This is where GrapheneOS’ duress PIN flips the dynamic: it lets you set an alternate PIN or password that instantly triggers a silent and irreversible factory reset in the background.

The duress PIN doesn’t give you a second chance and will trigger anywhere you enter it: on the lockscreen, while enabling Developer options, or even while unlocking an app that requests authentication. And unlike a regular factory reset, a duress PIN will erase all encryption keys and your phone’s eSIM partition as well. This makes it impossible for an attacker to access my data just by having physical possession of your device and knowledge of the PIN.

I think the real strength of GrapheneOS’ duress PIN lies in its subtlety. There are no confirmation prompts, no announcements, and no obvious signs that the wipe was intentional on your part. Of course, GrapheneOS is no longer a fringe operating system these days — it has even attracted the ire of law enforcement in some jurisdictions. In other words, a professional attacker might be aware of the existence of a duress PIN. But if you can enter it quickly enough, it achieves its intended effect: no data can be lifted from your phone.

The idea of a duress PIN sounds like something out of a spy movie, but is it really necessary? The feature is admittedly only useful in fringe scenarios where I would know about an imminent risk to my phone’s data.

Take mugging, for example. If an attacker forced you to unlock your phone before they ran off with it, you could enter your duress PIN instead. Providing a duress PIN could mean the difference between losing a $1,000 device and having your bank accounts drained or your identity stolen.

Even if you aren’t forced to divulge the PIN yourself, I read an interesting suggestion on the GrapheneOS forum: what if you set an extremely simple or obvious sequence as your duress PIN? An amateur attacker is bound to try PINs like 1234 or 0000 when they get a hold of your device — and that will be enough to wipe the system for good, without any action on your part. You could even tape a note with the duress PIN to the back of your device and encourage them to enter it.

Then there’s the elephant in the room — using a duress PIN if you expect to get into trouble with law enforcement. This is a murky topic given that erasing your data could be counted as obstruction or even destruction of evidence. So you could get into more trouble than necessary, if you had nothing to hide. I think the latter is a bad faith argument as it ignores the potential and tangible threat of overreach. Still, I don’t know if I would use my duress PIN if law enforcement ever asked me to unlock my phone. But for government dissidents and activists, I’m sure the feature can be invaluable if they know someone unfriendly is knocking on their door.

One of Android’s biggest advantages is its robust support for multiple users. I find this feature especially useful on tablets, since they’re typically shared devices. Each user in a household can log into their own profile, with their own set of apps and data. But getting to that profile currently requires multiple taps on most Android devices. Even on the Pixel Tablet, you need to select a specific profile before entering the unlock PIN for that user. But what if that wasn’t the case?

GrapheneOS can recognize when you enter a duress PIN to trigger a wipe, so why stop there? Imagine if Android could log you into a different user profile based on which PIN you’ve entered. In a situation where you’re forced to unlock your phone, you could enter the decoy PIN. This would open a seemingly functional but heavily sandboxed version of your phone, hiding your banking apps, private messages, or work accounts. I think it straddles the line between handing over everything and Graphene’s nuclear option of wiping the device entirely.

Of course, you will need more than this level of plausible deniability if you get into any serious trouble. But for airport checkpoints where you might be asked to give up access to your device, a decoy PIN might be enough to avoid scrutiny. Or if you need a stowaway profile for files and data you don’t necessarily want in your primary profile, a secondary PIN could bring you there.

The GrapheneOS community’s stance on decoy PINs is that redirecting to a secondary profile is not as secure as triggering a full device reset, which is the current duress PIN implementation. For a project that takes security seriously, simply logging into a different profile is only a half-measure.

Will Google ever adopt a feature like GrapheneOS’ duress PIN? It’s unlikely, but on the plus side, Android’s built-in Lockdown mode is a step in the right direction. In the US, courts have ruled that you can be compelled to provide a fingerprint, but not a password. By disabling biometrics, Android’s Lockdown mode provides some protection against legal coercion. If that’s not enough for you, GrapheneOS might just be the answer.