Check: KNOX-14-210080
Samsung Android OS 14 with Knox 3.x COPE STIG:
KNOX-14-210080
(in versions v1 r2 through v1 r1)
Title
Samsung Android must be configured to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor: Face recognition. (Cat II impact)
Discussion
The biometric factor can be used to authenticate the user to unlock the mobile device. Unapproved/evaluated biometric mechanisms could allow unauthorized users to have access to DOD sensitive data if compromised. By not permitting the use of unapproved/evaluated biometric authentication mechanisms, this risk is mitigated. SFR ID: FMT_SMF_EXT.1.1 #22, FIA_UAU.5.1
Check Content
Note: This requirement is not applicable for specific biometric authentication factors included in the product's Common Criteria evaluation. Review the configuration to determine if the Samsung Android devices are disabling Face Recognition. This validation procedure is performed on both the management tool and the Samsung Android device. On the management tool in the device restrictions, verify "Face recognition" is set to "Disable". On the Samsung Android device: 1. Open Settings >> Lock screen >> Screen lock type. 2. Enter current password. 3. Verify "Face" is disabled and cannot be enabled. If on the management tool "Face Recognition" is not set to "Disable", or on the Samsung Android device "Face" can be enabled, this is a finding.
Fix Text
Note: This requirement is not applicable for specific biometric authentication factors included in the product's Common Criteria evaluation. Configure the Samsung Android devices to disable Face Recognition. On the management tool, in the device restrictions, set "Face Recognition" to "Disable".
Additional Identifiers
Rule ID: SV-258670r931210_rule
Vulnerability ID: V-258670
Group Title: PP-MDF-333110
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000767 |
The information system implements multifactor authentication for local access to privileged accounts. |
Controls
Number | Title |
---|---|
IA-2 (3) |
Local Access To Privileged Accounts |