From LG Android 6.x Security Technical Implementation Guide
Part of PP-MDF-201022
Associated with: CCI-000381
Many mobile devices now permit a user to unlock the user's device by presenting a fingerprint to an embedded fingerprint reader. Other biometrics and token-based systems are feasible as well. None of these alternatives are currently evaluated in a Common Criteria evaluation of a mobile device against the Security Target based on the Mobile Device Fundamentals Protection Profile. Many have known vulnerabilities. Until there are DoD-approved assurance activities to evaluate the efficacy of these alternatives, they are significant potential vulnerabilities to DoD information and information systems. Disabling them mitigates the risk of their use.
This validation procedure is performed on both the MDM Administration Console and the LG Android device.
On the MDM console, do the following:
1. Ask the MDM administrator to display the "Allow fingerprint" setting in the MDM console.
2. Verify the fingerprint for screen lock is disabled.
3. Verify the policy has been assigned to all groups.
On the LG Android device (this procedure is NA for devices without fingerprint support):
1. Navigate to Settings >> Security (or Fingerprints & security) >> Select Fingerprints.
2. Verify the "Screen Lock" option is disabled (grayed out) and cannot be enabled.
If on the MDM console the Fingerprint for screen lock is enabled or on the LG Android device a user is able to enable the fingerprint for screen lock feature, this is a finding.
Configure the mobile operating system to not allow authentication mechanisms other than a Password Authentication Factor where the authentication provides user access to protected data. On the MDM Administration Console, disable the "Allow fingerprint" setting.