by Klathmon 2883 days ago
Don't most BIOSes have a password protect option? That alone makes evil maid attacks significantly harder.

That's the way to go I guess. But secure boot has obvious advantages in comparison. As a rule of thumb I do not trust any client-side "authentication" or passphrase input as long as there's no crypto involved. In legacy BIOS this passphrase can be bypassed easily, for instance
Yes, but it's not either-or, both can be used.

Combining that with a TPU that wipes keys when secure boot is enabled/disabled gives a pretty secure system that still allows you to "eject" to an unsigned boot when needed.