Duress PIN
Also known as: decoy PIN, duress code, panic PIN
A duress PIN is a second unlock code that opens a believable decoy version of an app instead of your real data. If you are forced to unlock your phone — at a border, by police, or by an attacker — you enter the duress PIN, they see an innocuous account, and your genuine messages and identity stay sealed and hidden.
Strong encryption has a human-shaped hole in it: an adversary can simply compel you to unlock the device. Cryptographers call this rubber-hose cryptanalysis — you do not break the cipher, you break the person. A lock screen and AES-256 are useless the moment someone with authority, or a wrench, demands the passcode.
A duress PIN is the defense for exactly that scenario. The app stores two credentials. Your normal PIN unlocks everything as usual. A separate duress PIN unlocks a decoy vault — a plausible-looking but fake account with innocuous contacts and conversations — while leaving the real encrypted database closed and indistinguishable from empty free space. Crucially, a good implementation makes the decoy convincing: it is not an obvious "locked" state that signals you are hiding something, which could escalate the coercion. It just looks like a quiet, lightly used messenger.
This is distinct from a panic wipe, which destroys data outright. A duress PIN is for situations where deleting everything would itself be suspicious or dangerous; it buys you plausible deniability rather than scorched earth.
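The two-credential design described above, as an added Python example (not RVNT's code): both PINs are stored as identically shaped slots in random order, and the vault key comes from the PIN itself, so nothing in the stored record labels a slot as real or decoy. The PBKDF2 parameters, the record layout and the function names are assumptions made for illustration.

```python
from __future__ import annotations
import hashlib, hmac, os, secrets

ITERATIONS = 100_000  # assumed work factor; tune for the target device

def _derive(pin: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch a PIN into (verifier, vault_key) with PBKDF2-HMAC-SHA512."""
    out = hashlib.pbkdf2_hmac("sha512", pin.encode(), salt, ITERATIONS, dklen=64)
    return out[:32], out[32:]

def _slot(pin: str | None) -> dict:
    salt = os.urandom(16)
    # An unused slot gets a random verifier, so every record holds two slots
    # of identical shape whether or not a duress PIN was ever set.
    verifier = _derive(pin, salt)[0] if pin is not None else os.urandom(32)
    return {"salt": salt, "verifier": verifier}

def enroll(real_pin: str, duress_pin: str | None = None) -> list[dict]:
    """Build the stored record (hypothetical layout: a list of two slots)."""
    if duress_pin == real_pin:
        raise ValueError("duress PIN must differ from the real PIN")
    slots = [_slot(real_pin), _slot(duress_pin)]
    secrets.SystemRandom().shuffle(slots)  # position must not mark the real slot
    return slots

def unlock(record: list[dict], pin: str) -> bytes | None:
    """Return the vault key for the matching slot, or None for a wrong PIN."""
    found = None
    for slot in record:  # always derive for both slots: no early exit
        verifier, vault_key = _derive(pin, slot["salt"])
        if hmac.compare_digest(verifier, slot["verifier"]):
            found = vault_key
    return found

if __name__ == "__main__":
    record = enroll("4821", "1379")  # constructed sample PINs
    for attempt in ("4821", "1379", "0000"):
        key = unlock(record, attempt)
        print(attempt, "->", key.hex()[:16] if key else "rejected")
```

The caller opens whichever vault the returned key decrypts; the unlock path itself never branches on "real" versus "decoy".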
How RVNT uses Duress PIN
RVNT ships a real duress decoy on both desktop and iOS. The duress PIN opens a fully-formed fake vault with desktop-parity decoy data, while the genuine SQLCipher database stays closed and the real identity keys remain guarded in the keychain / Secure Enclave — there is no on-screen tell that a second account exists. It complements panic mode, RVNT’s cryptographic self-destruct. Both are documented under PIN authentication and the threat model.
Frequently asked questions
How is a duress PIN different from a panic button?
A duress PIN quietly opens a fake account while hiding your real data — nothing is destroyed, and the adversary ideally never knows there is anything to find. A panic button (or panic wipe) instead destroys your keys and data outright. Duress is for plausible deniability; panic is for last-resort destruction.
Can someone tell I have a hidden account behind a duress PIN?
With a well-designed decoy, no. The real encrypted database is indistinguishable from random free space without the correct key, and the decoy vault is built to look like an ordinary, lightly used account — so there is no visible "hidden vault" indicator to give it away.
Every definition here describes something RVNT actually ships — a post-quantum, end-to-end-encrypted, peer-to-peer messenger with no phone number and no servers.