macOS provides multiple methods to protect the data on a Mac: a user account password, encryption via FileVault, and an optional low-level security measure that prevents starting up from storage devices other than the selected startup disk. That measure is known as the firmware password or EFI (Extensible Firmware Interface) lock, and it also blocks the user's ability to use all startup key combinations, except the NVRAM or PRAM reset combination. That combination (Option + Command + P + R), however, will start the machine from macOS Recovery instead.
The Lost Mode feature of Find My Mac will remotely lock the Mac with a firmware password for one-time use. The user's Mac receives the lock instruction from iCloud, restarts, and asks for the system lock PIN code that they set up. After the passcode is entered, the Mac starts up from the designated startup disk and disables the passcode.
A firmware password is not the same as the administrator password or login password. It's a separate password that appears immediately after boot and must be entered into the system lock screen, which appears as a lock symbol on either a black or a gray background.
Firmware Passcode Security
Low-level passwords are quite secure, which also means there is potentially a headache if the password is forgotten. If you or any of your users can't remember the firmware password or passcode, know that Apple doesn’t allow for any workarounds, but instead recommends scheduling a service appointment with an Apple Store or Apple Authorized Service Provider. The process requires the original receipt or invoice as proof of purchase.
Earlier versions of macOS required manual installation of the firmware but, starting in 2015, Apple began bundling EFI updates with the macOS updates in order to deliver security patches to all users. But as security firm Duo Labs discovered in late 2017, some Macs aren't getting the right firmware, which makes them vulnerable to hackers. They recommend checking the firmware version and updating if needed.
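To act on that recommendation, and to confirm that a firmware password is actually set, the script below reads the output of Apple's `firmwarepasswd -check` and `system_profiler SPHardwareDataType` tools. It is an added example, not part of the original article; it assumes an Intel-based Mac and root privileges for the live check, and the function names and sample strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: report firmware-password state and firmware version.
# The parsers read command output on stdin, so saved output can be checked too.

# Input: output of `firmwarepasswd -check`. Prints enabled, disabled or unknown.
fw_password_state() {
    awk -F': *' '
        /^Password Enabled:/ { state = ($2 == "Yes") ? "enabled" : "disabled" }
        END { print (state == "" ? "unknown" : state) }'
}

# Input: output of `system_profiler SPHardwareDataType`. Prints the firmware
# version, labelled "Boot ROM Version" or "System Firmware Version" depending
# on the macOS release, or "unknown" if neither field is present.
fw_version() {
    awk '
        /Boot ROM Version:|System Firmware Version:/ {
            sub(/^[^:]*: */, ""); print; found = 1; exit
        }
        END { if (!found) print "unknown" }'
}

# Live check; firmwarepasswd needs root. Returns 0 only if a password is set.
audit_mac() {
    if ! command -v firmwarepasswd >/dev/null 2>&1; then
        echo "firmwarepasswd not available on this system" >&2
        return 2
    fi
    state=$(firmwarepasswd -check 2>/dev/null | fw_password_state)
    version=$(system_profiler SPHardwareDataType 2>/dev/null | fw_version)
    echo "firmware_password=$state firmware_version=$version"
    [ "$state" = "enabled" ]
}

# Constructed sample output (not from a real machine) for an offline run.
SAMPLE_CHECK='Password Enabled: Yes'
SAMPLE_PROFILER='      System Firmware Version: 0000.0.0.0.0 (iBridge: 00.00.00000.0.0,0)'

case "${1:-}" in
    --live) audit_mac ;;   # e.g. sudo sh fw_audit.sh --live
    *) printf '%s\n' "$SAMPLE_CHECK" | fw_password_state
       printf '%s\n' "$SAMPLE_PROFILER" | fw_version ;;
esac
```

Compare the reported version against the one Apple lists for your model and macOS release; a mismatch after a system update is the condition the Duo Labs research describes.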
Firmware Passcode Location
On Intel-based Macs shipped before 2011, the firmware password was stored in the PRAM and read by the system EFI firmware before other PRAM variables. That led to a serious security issue, allowing the firmware password to be revealed in a native macOS app and weakening the enhanced security Apple had hoped to introduce with the addition of the firmware password.
In 2011, however, Apple added an important change to the system: the firmware password was moved to a separate programmable controller from Atmel. This component contains lockable flash memory to store the password and requires special programming with identifier numbers for both the Mac's motherboard and the Atmel chip to access and reset it.
Since the controller is an independent component, the only way to bypass it is to manually remove it from the motherboard, but this requires highly precise reflow soldering tools and techniques.
Bypassing the Mac Firmware Password on MacBooks With Upgradeable RAM
This hardware hack works on both Intel- and Motorola-based MacBooks and requires users to remove the RAM and reinstall it. You can check our guide on how to remove the RAM on MacBooks for further reading.
- Shut down your computer and remove the battery.
- Locate your RAM, remove one of the RAM modules and put it aside.
- Put the battery in, and boot your computer while holding the Command + Option + P + R keys to reset the parameter RAM.
- Wait for the chime to sound three times.
- Release the keys and shut down the computer.
- Remove the battery again, and reinsert the RAM module.
- Put the battery back in.
- Boot up your Mac, and you should not see the firmware lock again.
Disable the Password With Firmware Password Utility
- Restart your Mac while holding down the Command + R keys to enter Recovery Mode.
- When the Utilities screen appears, go to the Utilities menu in the menu bar, and select “Firmware Password Utility”.
- Choose to turn the Firmware Password off.
If none of the above methods worked, there are still two more options to try: either have Apple do it for you, so long as you have the original receipt or invoice, or alternatively use any of the EFI lock bypass hardware kits available for sale on various sites. In using one of these EFI lock hardware bypass methods you’ll almost certainly void your warranty, so it is down to you whether you want to risk the procedure.