The lack of hardware-based multi-factor authentication for Microsoft BitLocker, such as smart cards, tokens or smartphone apps, is an ongoing discussion among security experts. While Microsoft consultants preach waiving BitLocker pre-boot authentication completely and relying on Secure Boot and Windows domain authentication alone, this security consideration is a no-go for compliance decision makers.
Why? Because once Windows starts automatically without encryption authentication, the BitLocker encryption key is already loaded into the computer's memory. An attacker can steal the BitLocker encryption key from memory, or use network services or external ports to break into the running Windows client.
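An added PowerShell audit (example code, not part of Secure Disk for BitLocker) that flags exactly the configuration described above: volumes whose only unlock protector is the TPM, so Windows boots with no pre-boot authentication. It assumes the built-in BitLocker PowerShell module and an elevated session on the client.

```powershell
# Added audit example (not vendor code): report BitLocker volumes that unlock
# with the TPM alone, i.e. Windows starts without any pre-boot user
# authentication and the volume key is already in memory once the OS is up.
# Requires the BitLocker module shipped with Windows; run elevated.

# Protector types that require something from the user before Windows starts.
$preBootAuth = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'Password', 'ExternalKey')

$report = foreach ($vol in Get-BitLockerVolume) {
    $types      = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    $hasPreBoot = @($types | Where-Object { $preBootAuth -contains $_ }).Count -gt 0
    $tpmOnly    = ($types -contains 'Tpm') -and -not $hasPreBoot

    if ($vol.ProtectionStatus -ne 'On') { $finding = 'NOT PROTECTED' }
    elseif ($tpmOnly)                   { $finding = 'TPM-only: no pre-boot authentication' }
    elseif ($hasPreBoot)                { $finding = 'Pre-boot authentication configured' }
    else                                { $finding = 'Review protectors manually' }

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeType       = $vol.VolumeType
        ProtectionStatus = $vol.ProtectionStatus
        Protectors       = ($types -join ', ')
        Finding          = $finding
    }
}

$report | Format-Table -AutoSize

# Non-zero exit code when any OS volume is TPM-only, so the check can be
# wired into a compliance baseline or a scheduled task.
$weak = $report | Where-Object {
    $_.VolumeType -eq 'OperatingSystem' -and $_.Finding -like 'TPM-only*'
}
if ($weak) { exit 1 } else { exit 0 }
```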
Enable the multi-factor authentication 98% of all users prefer!
In the latest version of Secure Disk for BitLocker, our new smartphone app for Apple iOS and Android can be initialized once and then used for two-factor authentication and user self-service recovery.
For this, the smartphone is connected by USB cable or Bluetooth during the pre-boot phase. The client encryption key is securely sent to the linked Windows client when the user confirms the prompt.
In the case of smart card or PKI token authentication, the Secure Disk for BitLocker smartphone app can be used as a self-service recovery option when a smart card is forgotten or defective. This user self-service option is fully independent of the centralized IT helpdesk and of the complex Microsoft BitLocker recovery keys stored in Active Directory.
If enterprises consider multi-factor authentication for client encryption, our smartphone authentication app is definitely the most user-convenient way to achieve strong authentication!