TheInfoList
Pre-boot authentication (PBA) or power-on authentication (POA) serves as an extension of the BIOS, UEFI or boot firmware and guarantees a secure, tamper-proof environment external to the operating system as a trusted authentication layer. The PBA prevents anything being read from the hard disk, such as the operating system, until the user has confirmed they have the correct password or other credentials, including multi-factor authentication.


Uses of pre-boot authentication

* Full disk encryption outside of the operating system level
* Encryption of temporary files
* Data at rest protection
* Encryption of cloud servers or instances


Pre-boot authentication process

A PBA environment serves as an extension of the BIOS, UEFI or boot firmware and guarantees a secure, tamper-proof environment external to the operating system as a trusted authentication layer. The PBA prevents any operating system from loading until the user has confirmed they have the correct password to unlock the computer. That trusted layer eliminates the possibility that one of the millions of lines of OS code can compromise the privacy of personal or company data.


Generic boot sequence

In BIOS mode:
# Basic Input/Output System (BIOS)
# Master boot record (MBR) partition table
# Pre-boot authentication (PBA)
# Operating system (OS) boots

In UEFI mode:
# UEFI (Unified Extensible Firmware Interface)
# GUID Partition Table (GPT)
# Pre-boot authentication (PBA)
# Operating system (OS) boots


Pre-boot authentication technologies


Combinations with full disk encryption

Pre-boot authentication can be performed by an add-on of the operating system, such as the Linux initial ramdisk (initrd) or Microsoft's boot software on the system partition (or boot partition), or by a variety of full disk encryption (FDE) vendors whose products can be installed separately from the operating system. Legacy FDE systems tended to rely upon PBA as their primary control. These systems have been replaced by systems using hardware-based dual-factor systems like TPM chips or other proven cryptographic approaches. However, without any form of authentication (e.g. a fully transparent authentication that loads hidden keys), encryption provides little protection from advanced attackers, as such authentication-less encryption relies entirely on post-boot authentication, for example Active Directory authentication at the GINA step of Windows.


Security concerns

Microsoft released BitLocker Countermeasures defining protection schemes for Windows. For mobile devices that can be stolen and to which attackers gain permanent physical access (paragraph "Attacker with skill and lengthy physical access"), Microsoft advises the use of pre-boot authentication and disabling standby power management. Pre-boot authentication can be performed with a TPM with PIN protector or with any third-party FDE vendor. The best security is offered by offloading the cryptographic encryption keys from the protected client and supplying key material externally within the user authentication process. This method eliminates attacks on any built-in authentication method that is weaker than a brute-force attack on the symmetric AES keys used for full disk encryption. Without the cryptographic protection of a hardware (TPM) supported secure boot environment, PBA is easily defeated with evil maid style attacks. However, with modern hardware (including a TPM or cryptographic multi-factor authentication), most FDE solutions are able to ensure that removal of hardware for brute-force attacks is no longer possible.


Authentication methods

The standard complement of authentication methods exists for pre-boot authentication, including:
# Something you know (e.g. a username/password such as Active Directory credentials, or a TPM PIN)
# Something you have (e.g. a smart card or other token)
# Something you are (e.g. biometric attributes such as fingerprint, face recognition or iris scan)
# Automatic authentication in trusted zones (e.g. a boot key provided to company devices by the enterprise network)
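The two points made above, supplying key material from outside the protected client (Security concerns) and combining "something you know" with "something you have" (Authentication methods), as an added Python example that is not from this article or from any FDE product. It assumes a simplified protector design: a PIN stretched with PBKDF2, an optional 256-bit secret held on an external token, and a toy authenticated key wrap (XOR keystream plus HMAC tag) standing in for a real AES key wrap. The disk key, salt and token secret are constructed sample values.

```python
import hashlib
import hmac
import math
from typing import Optional

# Constructed sample values (not from any real product): a 256-bit disk
# encryption key, a PBKDF2 salt and a 256-bit secret held on an external token.
SAMPLE_DISK_KEY = bytes(range(32))
SAMPLE_SALT = b"constructed-pba-salt"
SAMPLE_TOKEN_SECRET = hashlib.sha256(b"constructed token secret").digest()
PBKDF2_ITERATIONS = 100_000


def derive_pin_key(pin: str, salt: bytes) -> bytes:
    """Stretch the 'something you know' factor with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def derive_kek(pin_key: bytes, token_secret: Optional[bytes]) -> bytes:
    """Fold the factors into one key-encryption key (KEK).

    With a token present the KEK depends on both secrets, so neither the PIN
    nor the token alone releases the disk key. With token_secret=None this is
    a PIN-only protector: the KEK is bound to the PIN and nothing else.
    """
    return hmac.new(token_secret or b"", pin_key, hashlib.sha256).digest()


def wrap_disk_key(kek: bytes, disk_key: bytes) -> bytes:
    """Toy authenticated key wrap: XOR with a KEK-derived keystream plus an
    HMAC tag. A real protector would use an AES key wrap; the structure
    (wrapped key stored, KEK never stored) is what matters here."""
    stream = hashlib.sha256(kek + b"|keystream").digest()
    body = bytes(k ^ s for k, s in zip(disk_key, stream))
    tag = hmac.new(kek, body, hashlib.sha256).digest()
    return body + tag


def unwrap_disk_key(kek: bytes, blob: bytes) -> Optional[bytes]:
    """Return the disk key, or None if the presented credentials do not verify."""
    body, tag = blob[:32], blob[32:]
    expected = hmac.new(kek, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong PIN or token: nothing is released, the OS never loads
    stream = hashlib.sha256(kek + b"|keystream").digest()
    return bytes(b ^ s for b, s in zip(body, stream))


def enroll(disk_key: bytes, pin: str, salt: bytes,
           token_secret: Optional[bytes] = None) -> bytes:
    """Enrollment: produce the wrapped key the PBA keeps beside the firmware."""
    kek = derive_kek(derive_pin_key(pin, salt), token_secret)
    return wrap_disk_key(kek, disk_key)


def pba_unlock(blob: bytes, pin: str, salt: bytes,
               token_secret: Optional[bytes] = None) -> Optional[bytes]:
    """Boot-time check: recompute the KEK from the presented factors and unwrap."""
    kek = derive_kek(derive_pin_key(pin, salt), token_secret)
    return unwrap_disk_key(kek, blob)


def effective_key_bits(pin_digits: int, token_bits: int,
                       disk_key_bits: int = 256) -> float:
    """Guessing work for an attacker who holds only the disk and the wrapped key.

    PIN-only: the search space is the PIN space, far below the AES key space,
    so the protector is the weakest link. With an external token the KEK also
    depends on token_bits the attacker does not have, and the cheapest route
    is no better than attacking the disk key directly.
    """
    pin_bits = pin_digits * math.log2(10)
    return min(pin_bits + token_bits, disk_key_bits)


if __name__ == "__main__":
    blob = enroll(SAMPLE_DISK_KEY, "4821", SAMPLE_SALT, SAMPLE_TOKEN_SECRET)
    print("correct PIN + token  :", pba_unlock(blob, "4821", SAMPLE_SALT, SAMPLE_TOKEN_SECRET) == SAMPLE_DISK_KEY)
    print("correct PIN, no token:", pba_unlock(blob, "4821", SAMPLE_SALT))
    print("6-digit PIN only     : %.1f bits" % effective_key_bits(6, 0))
    print("6-digit PIN + token  : %.1f bits" % effective_key_bits(6, 256))
```

The design choice worth noting is that the wrapped key on its own is useless to whoever removes the drive: with a PIN-only protector the guessing space is the PIN space, whereas once a token secret enters the KEK derivation the cheapest path for an attacker without the token is no better than attacking the 256-bit disk key itself, which is the "offloading key material externally" argument from the Security concerns section.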

