How to disable macOS single user mode

To be precise, this article primarily describes how to password-protect the boot process on your Mac, and what the benefits and impact of doing so are. Although the technology was introduced probably more than two decades ago, the majority has not activated it.

The procedure is very simple and is described by Apple. Effectively, you need to enable Firmware Password Protection, using either the Firmware Password Utility on older Mac computers or the Startup Security Utility on newer Mac computers with an Apple T2 Security Chip. The respective utility is available in Recovery Mode (cmd+R while turning on your Mac computer).

To visualize the procedure: after entering Recovery Mode, click on Utilities and select the appropriate one. Here is a screenshot of a non-T2 computer:

After that, click on Turn On Firmware Password… and enter a strong password containing letters, numbers and punctuation:

If all was done correctly, you will see the Password protection enabled confirmation:

What you should be aware of is that the GUI utility enables the firmware password in the so-called "Command" mode, which prompts for it only when you want to change the boot behavior, such as entering Single User Mode, Recovery Mode, Target Disk Mode, etc. (see Startup key combinations, which has a remark on each option affected by the firmware password). This effectively prevents an attacker from manipulating the boot process.

If the computer should require a password on every startup / boot, you need to enable the firmware password in the so-called "Full" mode using the firmwarepasswd command with the -setmode option.
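
The following script is an added example, not part of the original article or Apple's documentation. It reports whether the firmware password is set and whether it is in "Command" or "Full" mode, assuming `firmwarepasswd -check` prints `Password Enabled: Yes|No` and `firmwarepasswd -mode` prints `Mode: command|full`; the function names are illustrative and the script must be run as root.

```shell
#!/bin/sh
# Added example (not from the article): audit the firmware password mode.
# Assumed output formats: "Password Enabled: Yes|No" from -check and
# "Mode: command|full" from -mode. Function names are illustrative.

# classify_fw_state CHECK_OUTPUT MODE_OUTPUT
# Prints one of: unprotected | command | full | unknown
classify_fw_state() {
    case $1 in
        *"Password Enabled: Yes"*) ;;
        *"Password Enabled: No"*) echo unprotected; return 0 ;;
        *) echo unknown; return 0 ;;
    esac
    fw_mode=$(printf '%s\n' "$2" | sed -n 's/^Mode:[[:space:]]*//p' |
        tr '[:upper:]' '[:lower:]')
    case $fw_mode in
        command|full) echo "$fw_mode" ;;
        *) echo unknown ;;
    esac
}

# fw_audit REQUIRED_MODE (command or full; default command)
# Returns 0 if compliant, 1 if too weak, 2 if the state cannot be determined.
fw_audit() {
    required=${1:-command}
    state=$(classify_fw_state "$(firmwarepasswd -check 2>&1)" \
                              "$(firmwarepasswd -mode 2>&1)")
    case "$state:$required" in
        full:*|command:command)
            echo "OK: firmware password set, mode=$state"; return 0 ;;
        command:full)
            echo "FAIL: Command mode only, no prompt on normal startup"; return 1 ;;
        unprotected:*)
            echo "FAIL: no firmware password, boot options are open"; return 1 ;;
        *)
            echo "UNKNOWN: could not parse firmwarepasswd output"; return 2 ;;
    esac
}

# Run as root: sh fw_audit.sh --audit full
if [ "${1:-}" = "--audit" ]; then
    fw_audit "${2:-command}"
    exit $?
fi
```

The non-zero exit codes let a management agent or login script flag machines that are unprotected or only in "Command" mode when "Full" is required.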

PS: Don’t bother writing comments such as "Why the hell should I do that". If you need a healthy level of control over your computer, you will simply have to acknowledge that single user mode is a big backdoor.

PPS: For the stubborn ones: even if you have enabled FileVault – which any reasonable person does – you have probably created an account with user permissions (in a business environment), or even with Parental Controls (at home), whose owner can start the computer and unlock the drive with their password.