Check: LGA6-20-102202
LG Android 6-x STIG:
LGA6-20-102202
(in versions v1 r2 through v1 r1)
Title
LG Android 6.x must disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor: Disable Smart Lock. (Cat II impact)
Discussion
Many mobile devices now permit a user to unlock the user's device by presenting a fingerprint to an embedded fingerprint reader. Other biometrics and token-based systems are feasible as well. None of these alternatives are currently evaluated in a Common Criteria evaluation of a mobile device against the Security Target based on the Mobile Device Fundamentals Protection Profile. Many have known vulnerabilities. Until there are DoD-approved assurance activities to evaluate the efficacy of these alternatives, they are significant potential vulnerabilities to DoD information and information systems. Disabling them mitigates the risk of their use.
SFR ID: FMT_SMF_EXT.1.1 #45
Check Content
This validation procedure is performed on both the MDM Administration Console and the LG Android device.
On the MDM console, do the following:
1. Ask the MDM administrator to display the "Allow Smart Lock" setting in the MDM console.
2. Verify the Smart Lock is disabled.
3. Verify the policy has been assigned to all groups.
On the LG Android device:
1. Navigate to Settings >> Security (or Fingerprints & security) >> Trust agents.
2. Verify Smart Lock is disabled (grayed out) and cannot be enabled.
If on the MDM console Smart Lock for Lock screen authentication is enabled or on the LG Android device a user is able to enable the Smart lock settings on the device, this is a finding.
Fix Text
Configure the mobile operating system to not allow authentication mechanisms other than a Password Authentication Factor where the authentication provides user access to protected data. On the MDM Administration Console, disable the "Allow Smart Lock" setting.
Additional Identifiers
Rule ID: SV-81359r2_rule
Vulnerability ID: V-66869
Group Title:
CCIs
Number | Definition |
---|---|
CCI-000381 | The organization configures the information system to provide only essential capabilities. |
Controls
Number | Title |
---|---|
CM-7 | Least Functionality |