Single Sign-On


BestCrypt Volume Encryption has a Single Sign-On option allowing the user to enter a password at boot time and then be logged into his/her Windows session automatically, without entering a second password. The option only works on computers with an encrypted System/Boot volume, because only in this case does the software ask the user to enter a password at boot time.

To turn on the Single Sign-On option, run the Options->Single Sign-On command. The software will first ask you to enter the password for the System/Boot volume and then to enter your Windows credentials. In Windows 10 it may look like the following:

[Image: Hotkey settings]

After entering your Windows credentials, click the OK button and the Single Sign-On option will be activated. If you reboot the computer and enter the boot-time password, Windows will boot and then automatically log you into your account.

Note: When using BestCrypt Volume Encryption's Single Sign-On feature on a system where the Windows "Require users to press CTRL+Alt+Delete" sign-in option is enabled, the automatic sign-in process will pause and resume only after CTRL+Alt+Delete is pressed. For a fully automatic sign-in experience, disable that option.
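As an added example that is not part of the BestCrypt documentation, the following PowerShell script reports whether the Windows "Require users to press CTRL+Alt+Delete" sign-in option is in effect on the local machine, so an administrator can tell in advance whether Single Sign-On will pause at the secure attention sequence. It assumes the option is stored as the DisableCAD value under the Policies\System registry key (the same value written by the "Interactive logon: Do not require CTRL+ALT+DEL" security policy); the function names Get-CtrlAltDelRequirement and Disable-CtrlAltDelRequirement are this example's own.

```powershell
# Added example, not BestCrypt Volume Encryption's own code.
# Assumption: the "Require users to press CTRL+Alt+Delete" sign-in option is backed by
# the DisableCAD value under HKLM\...\Policies\System:
#   DisableCAD = 1       -> CTRL+Alt+Delete is NOT required (Single Sign-On completes unattended)
#   DisableCAD = 0       -> CTRL+Alt+Delete IS required (Single Sign-On pauses until it is pressed)
#   value absent         -> not explicitly configured; the Windows default for this machine applies

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-CtrlAltDelRequirement {
    # Read the value without failing when the key or value does not exist.
    $item = Get-ItemProperty -Path $PolicyKey -Name 'DisableCAD' -ErrorAction SilentlyContinue
    $raw = if ($null -ne $item) { $item.DisableCAD } else { $null }

    $state = switch ($raw) {
        1       { 'NotRequired' }
        0       { 'Required' }
        $null   { 'NotConfigured' }
        default { 'Unknown' }
    }

    # Return an object rather than printing, so the result can be used in scripts or inventory.
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        DisableCAD        = $raw
        CtrlAltDelState   = $state
        SingleSignOnPauses = ($state -ne 'NotRequired')
    }
}

function Disable-CtrlAltDelRequirement {
    # Writes DisableCAD = 1, which is what the documentation above asks the administrator to do
    # for a fully automatic sign-in. Requires an elevated session; honours -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess("$PolicyKey\DisableCAD", 'Set to 1 (do not require CTRL+Alt+Delete)')) {
        Set-ItemProperty -Path $PolicyKey -Name 'DisableCAD' -Value 1 -Type DWord
    }
    Get-CtrlAltDelRequirement
}

# Usage: report the current state.
Get-CtrlAltDelRequirement | Format-List
# To change it (elevated prompt), preview first, then apply:
#   Disable-CtrlAltDelRequirement -WhatIf
#   Disable-CtrlAltDelRequirement
```

Run the report first on a representative machine; if CtrlAltDelState is Required or NotConfigured on a domain-joined computer, check whether a domain Group Policy sets the option, since a local change will be overwritten at the next policy refresh.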



Single Sign-On and several users on the same computer

If there are several users on the computer, BestCrypt Volume Encryption suggests that the Administrator of the computer use the Master Password himself/herself and create an additional password for every other user who works on the same computer (read the chapter Manage Volume Passwords for more detail about Master and Additional passwords).

When the Administrator has activated Single Sign-On and enters the Master password at boot time, he/she is automatically logged into the administrative account. For the other users on the same computer, the Administrator should create additional boot-time passwords for them to use. A user who enters an additional password will not be logged in automatically until that user personally activates the Single Sign-On option by entering his/her own Windows credentials.

After that, if the Master password is entered at boot time, the Administrator is logged into the administrative account automatically; if other users enter their own boot-time passwords, they are logged into their Windows accounts automatically as well.

Notes for boot-time password and password for Windows session

Single Sign-On in BestCrypt Volume Encryption could have been designed so that the user was required to enter his/her Windows password at boot time. Instead, BestCrypt Volume Encryption relies on the entry of its own boot-time password (the password for the Boot/System volume). It is implemented this way because the software cannot assume that Windows password handling is safe and cannot be intercepted. During a Windows session, a user enters his/her Windows password a number of times for different purposes (e.g. network share access, requests from other programs, etc.), and there is no guarantee that interception is impossible.

Since BestCrypt Volume Encryption's password for Boot/System volumes is entered at boot time, the operating system has not yet been initialized. The only time the user ever enters the password for an encrypted Boot/System volume while Windows is running is during the initial encryption, where the process of typing the password is protected by Anti-Keylogger. As such, the BestCrypt Volume Encryption password is both created securely and shielded from vulnerabilities inherent in possible Windows security flaws.

Of course, it is possible to use the same password both to log on to the Windows session and at boot time and so obtain the "usual" Single Sign-On functionality, but, for the reasons above, that is not the best choice from a security standpoint.



See also: