HP ProBook 4325s - Notebook PC Frequently Asked Questions Manual page 13

HP ProtectTools security software 2010

or USB storage is disallowed. This means that software designed to bypass the operating system
password protection cannot run if the computer is protected using Pre-Boot Security. Enhanced
Pre-Boot Security makes it possible to set up multiple users as well as multifactor authentication policies
using a password, fingerprint or HP ProtectTools Java Card.
While Pre-Boot security has been available for a number of years, it was never designed for multiuser
environments. In addition, the following factors were commonly cited as the primary reasons for not
using Pre-Boot security:
• Lack of Operating System integration. This meant that users wanting to use pre-boot security would
have to authenticate themselves twice: once in pre-boot and then again in the operating system.
• No secure recovery options. Let's face it, people lose smartcards and forget passwords. Until now,
there were two ways to recover, and neither option was very appealing. Some computers would
allow password erase via access to the system board, which was not secure. On other computers,
the system board had to be replaced, and this was usually not covered under warranty.
HP Enhanced Pre-Boot security addresses both these concerns with One-Step Logon and HP
SpareKey. Additionally, HP Enhanced Pre-Boot security is centrally manageable with
DigitalPersona Pro Workgroup and DigitalPersona Pro Enterprise, allowing IT managers to
remotely recover users even if unconnected.
One-Step Logon
Enhanced Pre-Boot Security is designed to integrate into Windows authentication in order
to provide users with a seamless logon into the operating system. The user authenticates only once.
The logon process uses the provided credentials to authenticate to the Pre-Boot environment, drive
encryption and then all the way into the operating system. From a user's standpoint it's the same
login process as before, just during Pre-Boot instead of the operating system login.
HP SpareKey
HP SpareKey is designed to allow users to securely log into their operating system account if they forget
their password, lose their Java Card or for some reason cannot use their fingerprint to log in. Users are
asked to enroll into HP SpareKey when they first log in to the notebook. The enrollment process is
easy and requires the user to answer any three questions out of a predetermined list of ten. These
questions are designed to collect information that is unique to the user and does not change over time
(e.g., mother's maiden name, first school attended, etc.).
Answering the three questions completes the enrollment, and the user is now protected. In the case of
a lost credential or forgotten password, the user can enter HP SpareKey and answer the previously
selected questions. If the answers match, login continues. Upon completion of the login process, the
user is asked to change the login credential with an option to accept or decline.
Answers to HP SpareKey questions are encrypted and cannot be deciphered by an unauthorized
person. The basic process for securing the questions is as follows:
• Step 1 - Answers to the three questions are concatenated into a single text string, eliminating all
spaces
• Step 2 - The single text string is then used to derive an encryption key using a SHA1 hash function.
This encryption key is mathematically unique to the three answers given by the user.
• Step 3 - The derived encryption key is used to encrypt the login password. The encrypted password
is then stored.
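Steps 1 and 2 as an added Python example (not HP's code; the page names no cipher for Step 3, so the example stops at the derived key). It shows that the key depends only on the answers, and contrasts it with an assumed hardened variant that uses a per-user salt and PBKDF2; the sample answers, function names and iteration count are constructed for illustration.

```python
import hashlib
import os

def normalize(answers):
    """Step 1: join the three answers and drop every space."""
    return "".join(answers).replace(" ", "")

def derive_key_sha1(answers):
    """Step 2 as written on the page: one SHA-1 pass over the joined string."""
    return hashlib.sha1(normalize(answers).encode("utf-8")).digest()

def derive_key_pbkdf2(answers, salt, iterations=200_000):
    """Assumed hardened variant (not HP's design): per-user salt, iterated KDF."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answers).encode("utf-8"),
                               salt, iterations, dklen=32)

def compare():
    # Constructed answers: two users who answer alike, with different spacing.
    alice = ("Smith", "Oak Hill School", "New York")
    bob = ("Smith", "OakHill School", "NewYork")
    salt_a, salt_b = os.urandom(16), os.urandom(16)  # one random salt per user
    return {
        # SHA-1 yields 160 bits, but the real strength is that of the answers.
        "sha1_key_bits": len(derive_key_sha1(alice)) * 8,
        # No salt: identical answers give identical keys on every machine.
        "sha1_keys_equal": derive_key_sha1(alice) == derive_key_sha1(bob),
        # With per-user salts the same answers no longer share a key.
        "pbkdf2_keys_equal": derive_key_pbkdf2(alice, salt_a)
                             == derive_key_pbkdf2(bob, salt_b),
        # The salted key is still reproducible at recovery time.
        "pbkdf2_repeatable": derive_key_pbkdf2(alice, salt_a)
                             == derive_key_pbkdf2(bob, salt_a),
    }

if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

When reviewing a recovery scheme of this shape, the points to check are whether a salt and a work factor are applied before the key is used, and how guessable the enrolled answers are.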
Remote recovery via central management
On centrally managed systems, HP Enhanced Pre-Boot security supports One Time Password (OTP)
access, allowing IT support to recover remote users even if they are not connected.