And after skimming the paper, the only thing I could find in response to your point is:
Coercion detection. Since our aim is to prevent users from effectively transmitting the ability to authenticate to others, there remains an attack where an adversary coerces a user to authenticate while they are under adversary control. It is possible to reduce the effectiveness of this technique if the system could detect if the user is under duress. Some behaviors such as timed responses to stimuli may detectably change when the user is under duress. Alternately, we might imagine other modes of detection of duress, including video monitoring, voice stress detection, and skin conductance monitoring [8, 16, 1]. The idea here would be to detect by out-of-band techniques the effects of coercion. Together with in-band detection of altered performance, we may be able to reliably detect coerced users.
Of course, such changes could also be caused by being stressed in general. Even if you could calibrate your model to separate the effects of “being under duress” from “being generally stressed” in a particular subject, I would presume that there’s too much variability in people for you to do this reliably for everyone.
Imagine how people would react to an ATM that gave them their money whenever they wanted it—except when they were in a big hurry and really needed the cash now.
(Blind Optimism) They’d learn to meditate!
But then, how do we stop people from being coerced into meditative states… :(
Got the flu? Sorry, no email for you today.
In addition to what Kaj_Sotala said, there is already a much simpler, more reliable way to detect coercion on authentication: distress passwords!