Fido (Fast Identity Online) Authentication; Certificate Based Bios Management - Lenovo ThinkPad S2 Gen 8 User Manual

When you start the computer again, you can use your fingerprints to log in to the computer without entering
your Windows password, power-on password, or NVMe password. To change settings, press F1 to enter the
UEFI BIOS menu, and then select Security ➙ Fingerprint.
Attention: If you always use your fingerprint to log in to the computer, you might forget your passwords.
Write down your passwords, and keep them in a safe place.

FIDO (Fast Identity Online) authentication

Your computer supports FIDO (Fast Identity Online) authentication feature. This feature works as an
alternative to password-based authentication to achieve passwordless authentication. This feature only
works when a power-on password is set in UEFI BIOS and the FIDO2 USB device is registered in
ThinkShield™ Passwordless Power-On Device Manager. With this feature, you can input the power-on
password or use the registered FIDO2 USB device to power on your computer.
Register your FIDO2 USB device in ThinkShield Passwordless Power-On Device Manager
1. Turn on the computer.
2. Press F12 during the power-on process.
3. If you set a power-on password, you are prompted to enter the correct password.
4. Select App Menu ➙ ThinkShield Passwordless Power-On Device Manager and press Enter.
5. Insert the FIDO2 USB device to register the device by following steps:
a. Select the available FIDO2 USB device that you want to register in the Discovered Devices field.
b. Click Yes in the displayed window to confirm the device you selected.
c. If you set a power-on password, you are prompted to enter the correct password.
d. The User operation request window is displayed. You are prompted to press the button on the
connected FIDO2 USB device, and then follow the on-screen instruction to close the window.
e. Press Esc to exit and restart your computer.
Notes:
• If you want to unregister your devices, click the available FIDO2 USB device that you want to unregister in
the My Device field and enter the correct power-on password for verification.
• If you use more than one FIDO2 USB device with a common identifier for registration, only one device is
available.
Log in to the System with Passwordless Power-On Authentication
1. Restart the computer.
2. ThinkShield Passwordless Power-On Authentication window is displayed.
3. Insert your registered FIDO2 USB device for detection.
4. Then follow the on-screen instruction to press the button on your FIDO2 USB device for verification.
5. After your device is verified, the power-on process continues.
Note: You should insert the FIDO2 USB device or enter the power-on password within 60 seconds.
Otherwise, your computer will shut down automatically.

Certificate based BIOS management

Certificate-based BIOS authentication (also called the password-less management mode) provides more
secure UEFI BIOS management with password-free solution. It is used to replace the supervisor password /
system management password for authentication if you have set one.
.
Chapter 4 Secure your computer and information
33