Check: LGA6-20-102201
LG Android 6-x STIG:
LGA6-20-102201
(in versions v1 r2 through v1 r1)
Title
LG Android 6.x must disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor: Disable fingerprint. (Cat II impact)
Discussion
Many mobile devices now permit a user to unlock the user's device by presenting a fingerprint to an embedded fingerprint reader. Other biometrics and token-based systems are feasible as well. None of these alternatives are currently evaluated in a Common Criteria evaluation of a mobile device against the Security Target based on the Mobile Device Fundamentals Protection Profile. Many have known vulnerabilities. Until there are DoD-approved assurance activities to evaluate the efficacy of these alternatives, they are significant potential vulnerabilities to DoD information and information systems. Disabling them mitigates the risk of their use. SFR ID: FMT_SMF_EXT.1.1 #45
Check Content
This validation procedure is performed on both the MDM Administration Console and the LG Android device. On the MDM console, do the following: 1. Ask the MDM administrator to display the "Allow fingerprint" setting in the MDM console. 2. Verify the fingerprint for screen lock is disabled. 3. Verify the policy has been assigned to all groups. On the LG Android device (this procedure is NA for devices without fingerprint support): 1. Navigate to Settings >> Security (or Fingerprints & security) >> Select Fingerprints. 2. Verify the "Screen Lock" option is disabled (grayed out) and cannot be enabled. If on the MDM console the Fingerprint for screen lock is enabled or on the LG Android device a user is able to enable the fingerprint for screen lock feature, this is a finding.
Fix Text
Configure the mobile operating system to not allow authentication mechanisms other than a Password Authentication Factor where the authentication provides user access to protected data. On the MDM Administration Console, disable the "Allow fingerprint" setting.
Additional Identifiers
Rule ID: SV-81327r2_rule
Vulnerability ID: V-66837
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000381 |
The organization configures the information system to provide only essential capabilities. |
Controls
Number | Title |
---|---|
CM-7 |
Least Functionality |