HP ProBook 4730s HP ProtectTools Security Software 2010 - Page 13

or USB storage is disallowed. This means that software designed to bypass the operating system
password protection cannot run if the computer is protected using Pre-Boot Security. Enhanced
Pre-Boot Security makes it possible to set up multiple users as well as multifactor authentication policies
using a password, fingerprint or HP ProtectTools Java Card.
While Pre-Boot security has been available for a number of years, it was never designed for multiuser
environments. In addition, the following factors were commonly cited as the primary reasons for not
using Pre-Boot security:
• Lack of Operating System integration. This meant that users wanting to use pre-boot security would
have to authenticate themselves twice: once in pre-boot and then again in the operating system.
• No secure recovery options. Let's face it, people lose smartcards and forget passwords. Until now,
there were two ways to recover, and neither option was very appealing. Some computers would
allow password erase via access to the system board, which was not secure. On other computers,
the system board had to be replaced, and this was usually not covered under warranty.
HP Enhanced Pre-Boot security addresses both these concerns with One-Step Logon and HP
SpareKey. Additionally, HP Enhanced Pre-Boot security is centrally manageable with
DigitalPersona Pro Workgroup and DigitalPersona Pro Enterprise, allowing IT managers to
remotely recover users even if unconnected.
One-Step Logon
Enhanced Pre-Boot Security is designed to integrate seamlessly into Windows authentication in order
to provide users with a seamless logon into the operating system. The user authenticates only once.
The logon process uses the provided credentials to authenticate to the Pre-Boot environment, to drive
encryption and then all the way into the operating system. From a user's standpoint it is the same
login process as before, just during Pre-Boot instead of at the operating system login.
HP SpareKey
HP SpareKey is designed to allow users to securely log into their operating system account if they forget
their password, lose their Java Card or for some reason cannot use their fingerprint to log in. Users are
asked to enroll into HP SpareKey when they first log in to the notebook. The enrollment process is
easy and requires the user to answer any three questions out of a predetermined list of ten. These
questions are designed to collect information that is unique to the user and does not change over time
(e.g., mother's maiden name, first school attended).
Answering the three questions completes the enrollment, and the user is now protected. In the case of
a lost credential or forgotten password, the user can enter HP SpareKey and answer the previously
selected questions. If the answers match, login continues. Upon completion of the login process, the
user is asked to change the login credential, with an option to accept or decline.
Answers to HP SpareKey questions are encrypted and cannot be deciphered by an unauthorized
person. The basic process for securing the questions is as follows:
• Step 1 - Answers to the three questions are concatenated into a single text string, eliminating all
spaces.
• Step 2 - The single text string is then used to derive an encryption key using a SHA-1 hash function.
This encryption key is mathematically unique to the three answers given by the user.
• Step 3 - The derived encryption key is used to encrypt the login password. The encrypted password
is then stored.
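The three steps above, worked through as an added example (this is not HP's code; the page names only SHA-1, so the cipher used here to encrypt the password under the derived key is an assumption). It shows why the key is only as strong as the answers themselves, since an unsalted SHA-1 of the answer string is fully determined by them, and why exact normalization matters: removing spaces lets "Mary Smith" and "MarySmith" derive the same key, while any other difference yields a different key and an unrecoverable password.

```python
import hashlib

def derive_key(answers):
    """Step 1 + Step 2: concatenate the three answers with all spaces removed,
    then SHA-1 the result to obtain the 20-byte encryption key."""
    if len(answers) != 3:
        raise ValueError("HP SpareKey enrollment uses exactly three answers")
    joined = "".join(a.replace(" ", "") for a in answers)
    return hashlib.sha1(joined.encode("utf-8")).digest()

def _keystream(key, length):
    # Assumption: the page does not name the cipher. This stand-in expands the
    # SHA-1 key into a keystream (SHA-1 over key || counter) and XORs it over
    # the password; any symmetric cipher keyed from the digest would fit Step 3.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha1(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def enroll(answers, password):
    """Step 3: encrypt the login password under the derived key; the returned
    ciphertext is what gets stored."""
    key = derive_key(answers)
    pw = password.encode("utf-8")
    return bytes(p ^ k for p, k in zip(pw, _keystream(key, len(pw))))

def recover(answers, stored):
    """Recovery path: re-derive the key from the answers given now and decrypt
    the stored blob. Only bit-identical answers (after space removal) yield the
    original password; anything else decrypts to garbage."""
    key = derive_key(answers)
    plain = bytes(c ^ k for c, k in zip(stored, _keystream(key, len(stored))))
    return plain.decode("utf-8", errors="replace")

if __name__ == "__main__":
    # Constructed sample enrollment, not real user data.
    blob = enroll(["Mary Smith", "Lincoln Elementary", "Rex"], "Tr0ub4dor&3")
    print(recover(["MarySmith", "Lincoln  Elementary", "Rex"], blob))
```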
Remote recovery via central management
On centrally managed systems, HP Enhanced Pre-Boot security supports One Time Password (OTP)
access, allowing IT support to recover remote users even if they are not connected.