Pre-boot authentication

From Wikipedia, the free encyclopedia
  (Redirected from Pre-Boot Authentication)
Jump to: navigation, search

Pre-Boot Authentication (PBA) or Power-On Authentication (POA)[1] serves as an extension of the BIOS or boot firmware and guarantees a secure, tamper-proof environment external to the operating system as a trusted authentication layer. The PBA prevents anything being read from the hard disk such as the operating system until the user has confirmed they have the correct password or other credentials.[2]

Benefits of Pre-Boot Authentication[edit]

How Pre-Boot Authentication Works[edit]

Generic Boot Sequence[edit]

  1. Basic Input/Output System (BIOS)
  2. Master boot record (MBR) partition table
  3. Pre-boot authentication (PBA)
  4. Operating system (OS) boots

A PBA environment serves as an extension of the BIOS or boot firmware[citation needed] and guarantees a secure, tamper-proof environment external to the operating system as a trusted authentication layer. The PBA prevents[citation needed] Windows or any other operating system from loading until the user has confirmed he/she has the correct password to unlock the computer. That trusted layer eliminates the possibility[citation needed] that one of the millions of lines of OS code can compromise the privacy of personal or company data[citation needed].

Pre-Boot Authentication Technologies[edit]

Combinations with Full Disk Encryption[edit]

Pre-Boot Authentication is generally provided[citation needed] by a variety of full disk encryption vendors, but can be installed separately[citation needed]. Legacy FDE systems tended to rely upon PBA as their primary control. These systems have been replaced with hardware based dual factor systems like TPM chips. However, without some form of authentication, encryption provides little protection.[citation needed] Generally this authentication comes from Active Directory authentication at the GINA step of Windows.

PBA is easily defeated with Evil Maid style of attacks. However, with modern hardware (including TPM) most FDE solutions are able to ensure removal of hardware for brute force attacks are no longer possible.

PBA does result in a near complete loss of manageability.[citation needed]

Authentication Methods[edit]

The standard complement of authentication methods exist for Pre-Boot Authentication including:

  1. Something you know (i.e. username / password)
  2. Something you have (i.e. smart card or other token)

References[edit]

  1. ^ "Sophos brings enterprise-level encryption to the Mac". Network World. August 2, 2010. Retrieved 2010-08-03. 
  2. ^ a b "Pre-Boot Authentication". SECUDE. February 21, 2008. Archived from the original on 2012-03-04. Retrieved 2008-02-22.