Pre-boot authentication (PBA) — also known as power-on authentication — is a means of protecting data by performing authentication after a device is powered up but before the operating system boots; PBA also refers to the underlying technology.
PBA is used most often with full disk encryption (FDE), where user authentication is required to boot the system and restore data. This protects the device from decryption by third parties that have gained physical access to it.
PBA implementation
Pre-boot authentication operates at the level of BIOS/UEFI — the firmware that runs before the operating system boots and prepares the computer for bootup. PBA can be part of a device’s boot functionality, or an FDE solution. There is also specialized PBA software that can leverage advanced authentication capabilities with an FDE solution in which this functionality is limited. In particular, there exist various PBA solutions that work with BitLocker (the native FDE tool in Windows).
Different software supports different authentication methods. The most common authentication methods include:
- Something the user knows (such as a password or PIN).
- Something in the user’s possession (a USB token, smart card, or other hardware-based user ID tool).
- Something that uniquely identifies the user (biometric data such as a face or fingerprint).
In addition, PBA can be two-factor or multi-factor, consisting of multiple steps and combining identifiers from different sources.
PBA with Trusted Platform Module
If the computer supports a secure Trusted Platform Module chip, FDE with PBA can be configured using the TPM-based key — only without user authentication. This configuration protects data in scenarios where a disk is removed from a user device and inserted into an attacker device, or, for example, where attackers modify the boot components of the system; it does not protect against unauthorized attempts to access a device without compromising its integrity.
PBA-free disk decryption in a trusted network
Some FDE solutions provide a simplified boot option without PBA for connecting devices to a trusted network such as a wired network in the office of the organization that owns the devices.