[Solved] Biometric Pre-Boot Support for Microsoft BitLocker

Secure Authentication / Biometric Multi-Factor for Microsoft BitLocker

Biometric authentication is widely used on IT systems as an additional factor of user identification. There are multiple physiological identifiers available, such as fingerprint readers, finger vein readers, hand vein readers, iris scanners, voice recognition, 2D or 3D face recognition and many more.

The use of physiological identifiers for client user authentication is typically limited by the biometric readers available on client machines. Often only inexpensive readers are present, such as simple fingerprint readers or 2D webcams.

Biometric Authentication as a Windows-only option?

Microsoft BitLocker, as shipped with Windows, does not offer biometric authentication in the BitLocker pre-boot phase. Microsoft's guidance encourages security decision makers to forgo BitLocker pre-boot authentication altogether (a TPM-only protector) and to rely on Windows Hello with biometric user authentication at Windows logon instead.

This approach leaves the BitLocker encryption without any user-held secret: the volume key is released automatically at boot, and the whole protection shifts to the Windows authentication phase.

Why? With transparent BitLocker encryption (TPM-only protector, i.e. without Secure Disk for BitLocker), the TPM releases the BitLocker volume decryption key automatically as long as the measured boot chain is unchanged, and Windows starts without any user interaction. That requires an initialized TPM chip and Secure Boot to protect the boot process, and those two are then all that stands between an attacker holding the device and the decrypted volume. On an existing machine you can confirm this with manage-bde -protectors -get C:, which lists a single TPM protector (and a recovery password) on such systems.

So an encrypted Windows client that starts automatically does not confront an attacker with a locked volume but with a running Windows operating system, and with it the whole range of attack vectors against a live OS and its logon.

Biometric Pre-Boot-Authentication with Microsoft BitLocker

With Secure Disk for BitLocker, security-aware users and enterprises can use biometric authentication as an additional factor to decrypt the Windows client.

Because physiological identifiers do not deliver a reproducible cryptographic key (two captures of the same finger or face never match bit for bit, they are only "close enough" for a matcher), the biometric factor cannot by itself decrypt the client machine. It is therefore used in addition to a factor that does hold a key: domain credentials, a PKI token or smart card certificate, or a key stored on a smartphone.
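The following Python model, added here as an illustration and not code from Secure Disk or Microsoft, shows the three situations the sections above describe: a TPM-only protector that releases the key whenever the measured boot chain is unchanged (no user secret involved), a TPM+PIN protector, and a biometric used as a gate in front of a key that the PIN (or a smart card secret) actually holds. It also shows why hashing a fingerprint into a key fails while fuzzy matching succeeds. The wrap format (PBKDF2-derived one-time mask plus HMAC), the PCR-style digest, the 256-bit template with a Hamming-distance matcher, and all sample values are assumptions made for the example; they are not BitLocker's real formats.

```python
"""Why a biometric can gate, but not derive, a volume key (added example,
stdlib only; formats and sample data are illustrative assumptions)."""
import hashlib
import hmac
import random
from typing import Optional

VMK = bytes(range(32))            # constructed 256-bit volume master key
SALT = b"example-salt-16b"        # constructed, fixed for the example
ITERATIONS = 50_000               # kept low for the demo; use far more in production


def _kdf(secret: bytes) -> tuple:
    """PBKDF2 -> (32-byte XOR mask, 32-byte MAC key). Deterministic: the same
    secret always gives the same keys, which a biometric sample cannot offer."""
    out = hashlib.pbkdf2_hmac("sha256", secret, SALT, ITERATIONS, dklen=64)
    return out[:32], out[32:]


def wrap(vmk: bytes, secret: bytes) -> bytes:
    """Encrypt-then-MAC with a one-time mask (sound because each mask wraps one key)."""
    mask, mac_key = _kdf(secret)
    body = bytes(a ^ b for a, b in zip(vmk, mask))
    return body + hmac.new(mac_key, body, "sha256").digest()


def unwrap(blob: bytes, secret: bytes) -> Optional[bytes]:
    """Return the VMK for the right secret, None otherwise (constant-time tag check)."""
    mask, mac_key = _kdf(secret)
    body, tag = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, "sha256").digest()):
        return None
    return bytes(a ^ b for a, b in zip(body, mask))


# --- TPM model: the boot chain is measured into a PCR-like digest --------------
GOOD_CHAIN = [b"firmware v1", b"bootmgfw.efi", b"winload.efi"]   # constructed


def pcr_digest(chain: list) -> bytes:
    digest = b"\x00" * 32
    for component in chain:                       # extend: H(old || H(component))
        digest = hashlib.sha256(digest + hashlib.sha256(component).digest()).digest()
    return digest


def tpm_only_secret(chain: list) -> bytes:        # transparent unlock: no user secret
    return pcr_digest(chain)


def tpm_pin_secret(chain: list, pin: str) -> bytes:  # pre-boot PIN: TPM state AND a secret
    return pcr_digest(chain) + pin.encode()


# --- biometric model: 256-bit template, noisy reads, Hamming-distance match ----
TEMPLATE_BITS = 256
MATCH_THRESHOLD = 24            # differing bits still accepted as the same person


def capture(template: int, noise_bits: int, rng: random.Random) -> int:
    """A live sensor read never reproduces the enrolled template exactly."""
    for _ in range(noise_bits):
        template ^= 1 << rng.randrange(TEMPLATE_BITS)
    return template


def matches(enrolled: int, live: int) -> bool:
    return bin(enrolled ^ live).count("1") <= MATCH_THRESHOLD


def biometric_key(sample: int) -> bytes:
    """What a naive 'hash the fingerprint into a key' approach would produce."""
    return hashlib.sha256(sample.to_bytes(32, "big")).digest()


def unlock_with_biometric(enrolled: int, live: int, pin: str, blob: bytes) -> Optional[bytes]:
    """The biometric gates the attempt; the key still comes from the PIN-wrapped blob."""
    if not matches(enrolled, live):
        return None
    return unwrap(blob, pin.encode())


def demo() -> dict:
    """Run the scenarios on constructed data and report each outcome."""
    rng = random.Random(7)
    enrolled = rng.getrandbits(TEMPLATE_BITS)
    read1, read2 = capture(enrolled, 10, rng), capture(enrolled, 10, rng)
    impostor = rng.getrandbits(TEMPLATE_BITS)
    bad_chain = [b"firmware v1", b"tampered.efi", b"winload.efi"]
    tpm_blob = wrap(VMK, tpm_only_secret(GOOD_CHAIN))
    pin_blob = wrap(VMK, tpm_pin_secret(GOOD_CHAIN, "1234"))
    bio_blob = wrap(VMK, b"1234")   # key held by the PIN (or a smart card secret)
    return {
        "tpm_only_unlocks_without_secret": unwrap(tpm_blob, tpm_only_secret(GOOD_CHAIN)) == VMK,
        "tpm_only_refuses_modified_boot": unwrap(tpm_blob, tpm_only_secret(bad_chain)) is None,
        "tpm_pin_refuses_wrong_pin": unwrap(pin_blob, tpm_pin_secret(GOOD_CHAIN, "0000")) is None,
        "same_finger_same_key": biometric_key(read1) == biometric_key(read2),
        "same_finger_matches": matches(enrolled, read1) and matches(enrolled, read2),
        "biometric_plus_pin_unlocks": unlock_with_biometric(enrolled, read1, "1234", bio_blob) == VMK,
        "biometric_plus_wrong_pin_refused": unlock_with_biometric(enrolled, read2, "0000", bio_blob) is None,
        "impostor_refused": unlock_with_biometric(enrolled, impostor, "1234", bio_blob) is None,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:36s} {result}")
```

The line to notice is `same_finger_same_key`: two reads that the matcher happily accepts as the same person hash to different values, so there is nothing stable to derive a key from; the `tpm_only_*` entries show the other side of the argument, where the key is released with no secret from the user as long as the boot chain measures the same.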

Secure Disk supports multiple Linux drivers for physiological user authentication. Use our contact form to receive a full list of available options.
