Pre-boot authentication is a process by which a computer requires the input of an identifier before allowing the operating system (OS) on the computer to boot. This means that if someone wishes to access data on a computer, then he or she has to be able to provide the appropriate authentication information. Pre-boot authentication is more effective than OS authentication because it is not susceptible to many of the work-around methods used to get around OS authentication. When coupled with disk encryption, this type of authentication can provide a great deal of data protection on a system.
There are a number of methods that can be used to create a pre-boot authentication prompt for a computer system, but they typically function in much the same manner. The basic process of bootstrapping or "booting" a computer begins when someone turns on the power for the computer. When this happens, the basic input/output system (BIOS) begins starting the computer. The BIOS is typically located on the motherboard itself, rather than on a hard drive, and boots up regardless of the OS.
Once the BIOS completes this process, it boots the OS, which can then take over control of the system for the rest of the time the computer is on. A pre-boot authentication process can be created and occurs between the BIOS being started and the OS booting. This means that if this authentication fails, the OS is not started and the computer does not continue booting up.
OS authentication methods are quite easy to use and popular as a form of data protection, but they are also quite weak. Many OS versions include a recovery disc to get around a required password at OS launch. Programs can also be used to recover the password saved on the OS, allowing someone to find it and use it to bypass this protection. Pre-boot authentication, however, cannot be circumvented in these ways.
When pre-boot authentication is used with disk encryption, the data protection becomes even more pronounced. This is because many programs use the authentication to determine the encryption key that is used. The data on a disk drive, therefore, may be inaccessible unless the proper authentication identifier is used. Such protection is still not perfect, but does provide sufficient protection for many computer users.
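The way a pre-boot passphrase can "determine the encryption key" is usually that the passphrase is stretched into a key-encryption key that unwraps the real volume key stored in an on-disk header. The following is an added example (not code from the original article or from any particular product) of that structure: the unwrap function, names, header layout, and the HMAC-based wrap used in place of a real AES key wrap are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # PBKDF2 work factor; real products tune this to the hardware


def wrap_volume_key(passphrase: str, volume_key: bytes, salt: Optional[bytes] = None) -> dict:
    """Build a constructed on-disk header: salt, wrapped volume key, integrity tag."""
    salt = salt if salt is not None else os.urandom(16)
    # Stretch the passphrase into 64 bytes: half encrypts, half authenticates.
    kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS, dklen=64)
    enc_key, mac_key = kek[:32], kek[32:]
    # Illustrative stand-in for a proper key wrap: XOR the 32-byte volume key with a
    # keystream derived from enc_key (used exactly once, for this header only).
    stream = hmac.new(enc_key, b"wrap", hashlib.sha256).digest()
    wrapped = bytes(a ^ b for a, b in zip(volume_key, stream))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unwrap_volume_key(passphrase: str, header: dict) -> Optional[bytes]:
    """Return the volume key, or None if the passphrase is wrong or the header was altered."""
    kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), header["salt"], ITERATIONS, dklen=64)
    enc_key, mac_key = kek[:32], kek[32:]
    expected = hmac.new(mac_key, header["salt"] + header["wrapped"], hashlib.sha256).digest()
    # Constant-time comparison; a wrong passphrase yields a wrong mac_key and fails here.
    if not hmac.compare_digest(expected, header["tag"]):
        return None
    stream = hmac.new(enc_key, b"wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(header["wrapped"], stream))


def pre_boot_check(passphrase: str, header: dict) -> bool:
    """The boot loader's decision: without a recovered key the OS is never started."""
    return unwrap_volume_key(passphrase, header) is not None


if __name__ == "__main__":
    # Constructed sample values, not from any real system.
    volume_key = bytes(range(32))
    header = wrap_volume_key("correct horse battery staple", volume_key)
    print("correct passphrase boots:", pre_boot_check("correct horse battery staple", header))
    print("wrong passphrase boots:  ", pre_boot_check("password123", header))
```

Note that no copy of the volume key or the passphrase is stored on disk; an attacker with the drive alone holds only the salt, the wrapped key, and the tag.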
The different types of identifiers that can be used in pre-boot authentication vary quite a bit, but often include a simple username and password. Some systems utilize a physical device that has to be connected to the computer for authorization, while others use biometric scanners that require a fingerprint scan to launch the OS. Other systems use hardware components as the identifier, so that particular components in the computer are required for it to boot, while still others request permission from a remote network, to which the computer must be connected, as the identifier.