HP ProtectTools security software 2011 - Technical white paper
Feature: Microsoft Windows logon capability
Benefit: Enables the use of any supported security technology to log on to
Windows, providing a more secure and convenient alternative to
password authentication.

Feature: Single sign-on manages user credentials for websites,
applications and protected network resources
Benefit: Users no longer need to remember multiple passwords for protected
websites, applications and network resources.
Single sign-on works with multifactor authentication capabilities to add
protection, requiring users to re-authenticate when accessing
particularly sensitive data.
Registering new websites, applications or network logon dialogues is
simple, making it easy for users to begin taking advantage of the
added convenience and security.

HP Enhanced Pre-Boot Security 
Pre-boot security is a feature that requires users to authenticate themselves upon turning on the 
computer. This authentication takes place before the operating system is allowed to load. During 
pre-boot, no software is allowed to run, and even booting from external devices such as optical drives 
or USB storage is disallowed. This means that software designed to bypass the operating system 
password protection cannot run if the computer is protected using pre-boot security. Enhanced 
pre-boot security makes it possible to set up multiple users as well as multifactor authentication policies 
using a password, fingerprint or smart card. In addition to enabling pre-boot security, a BIOS admin 
password must be set to provide enhanced protection. 
While pre-boot security has been available for a number of years, it was never designed for multiuser 
environments. In addition, the following factors were commonly cited as the primary reasons for not 
using pre-boot security: 
• Lack of operating system integration. This meant that users wanting to use pre-boot security would
have to authenticate themselves twice, once in pre-boot and then again in the operating system.
• No secure recovery options. Let’s face it, people lose smart cards and forget passwords. Until now,
there were two ways to recover, and neither option was very appealing. Some computers would
allow password erase via access to the system board, which was not secure. On other computers,
the system board had to be replaced, and this was usually not covered under warranty.
HP Enhanced Pre-Boot Security addresses both these concerns with One-Step Logon and HP 
SpareKey. Additionally, HP Enhanced Pre-Boot Security is centrally manageable with 
DigitalPersona Pro Workgroup and DigitalPersona Pro Enterprise, allowing IT managers to 
remotely recover users even if unconnected. 
One-Step Logon 
Enhanced Pre-Boot Security is designed to integrate into Windows authentication so that users get a
seamless logon into the operating system. The user authenticates only once. The logon process uses
the provided credentials to authenticate to the pre-boot environment, then to drive encryption, and
finally to the operating system. From a user’s standpoint it’s the same login process as before, just
during pre-boot instead of at the operating system login.
HP SpareKey 
HP SpareKey is designed to allow users to securely log in to their operating system account if they
forget their password, lose their smart card, or for some reason cannot use their fingerprint to log in.
Users are asked to enroll in HP SpareKey when they first log in to the notebook. The enrollment process
is easy and requires the user to answer any three questions from a predetermined list of ten and up to
three custom questions. These questions are designed to collect information that is unique to the user
and does not change over time (e.g., mother’s maiden name, first school attended, etc.).
Answering the three questions completes the enrollment, and the user is now protected. In the case of 
a lost credential or forgotten password, the user can enter HP SpareKey and answer the previously 