Problem solve Get help with specific problems with your technologies, process and projects.

Pre-boot biometric user authentication tools and strategies

Thinking about implementing biometric fingerprint readers for authentication? Learn what to look for in user authentication tools and how to be sure they're compatible with the OS.

I'd like to require that my organization's users authenticate with a fingerprint before they can boot up their machines. What are some good pre-boot user authentication tools or strategies that would be compatible with the Windows XP Professional operating system?
There are two parts to your question. The first is about using a type of biometrics device – in this case, a fingerprint reader – for authentication. And the second part is about pre-boot authentication. Let's look at each separately, and then tie them together.

A fingerprint reader is a type of biometrics device. A biometrics device authenticates based on a physical characteristic of the user. It's one of the three factors of authentication: something you know, something you have and something you are. Something you know would be a piece of knowledge the user memorizes, like a password. Something you have would be something the user carries, like a smart card or a one-time password (OTP) token. Something you are is a physical characteristic, like someone's fingerprint, voice or facial features.

Biometrics are considered the strongest of the authentication factors because they're the most difficult to copy and spoof, unlike user IDs and passwords, which can be easily guessed or even outright stolen by being sniffed over the Web. The other promise of biometrics is ease of use. Users don't have to remember passwords; they're always carrying their authentication devices with them. They can't leave their fingerprint at home, or forget where they put it.

Until recently, however, biometrics devices were also the most expensive and difficult forms of authentication to deploy. Software controls, like user IDs and passwords, don't require extra hardware or installation like a biometrics device. Because of these hardware requirements, biometrics remains the most difficult of the three authentication factors to deploy, and should only be considered for protecting high-risk systems and applications. Do a thorough risk analysis of what is to be protected before considering biometrics.

Still, fingerprint readers, which are the oldest and most common biometrics devices, are now lightweight, often the size of an OTP token. Today, many laptops and desktops can be ordered with built-in fingerprint readers.

As for pre-boot authentication, there are products like SafeBoot, which was acquired by McAfee Inc. last year. SafeBoot protects computers by encrypting their hard drives. It can be used to prevent malicious access to data on a stolen laptop, for example. SafeBoot works by requiring users to authenticate at the hardware level before the operating system boots up. This prevents a malicious user from bypassing the operating system password with a boot CD.

If the idea is to require biometrics for pre-boot authentication, then SafeBoot is one product that can do the trick. Although by default it uses a standard user ID and password, it can also work with the other authentication factors previously mentioned. Other hard-drive encryption products with similar capabilities are PGP Corp.'s Whole Disk Encryption, SecurStar GmbH's Drive Pack and Utimaco Safeware MG's SafeGuard.

More information:

  • Is it possible to combine biometrics and electrophysiological signals for authentication? Read more.
  • Learn more about biometrics and how it differs from biostatistics.

This was last published in August 2008

Dig Deeper on Biometric technology