UCF STIG Viewer Logo

LG Android 6.x must disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor: Disable fingerprint.


Overview

Finding ID Version Rule ID IA Controls Severity
V-66837 LGA6-20-102201 SV-81327r2_rule Medium
Description
Many mobile devices now permit a user to unlock the user's device by presenting a fingerprint to an embedded fingerprint reader. Other biometrics and token-based systems are feasible as well. None of these alternatives are currently evaluated in a Common Criteria evaluation of a mobile device against the Security Target based on the Mobile Device Fundamentals Protection Profile. Many have known vulnerabilities. Until there are DoD-approved assurance activities to evaluate the efficacy of these alternatives, they are significant potential vulnerabilities to DoD information and information systems. Disabling them mitigates the risk of their use. SFR ID: FMT_SMF_EXT.1.1 #45
STIG Date
LG Android 6.x Security Technical Implementation Guide 2019-02-21

Details

Check Text ( C-67487r2_chk )
This validation procedure is performed on both the MDM Administration Console and the LG Android device.

On the MDM console, do the following:

1. Ask the MDM administrator to display the "Allow fingerprint" setting in the MDM console.
2. Verify the fingerprint for screen lock is disabled.
3. Verify the policy has been assigned to all groups.

On the LG Android device (this procedure is NA for devices without fingerprint support):

1. Navigate to Settings >> Security (or Fingerprints & security) >> Select Fingerprints.
2. Verify the "Screen Lock" option is disabled (grayed out) and cannot be enabled.

If on the MDM console the Fingerprint for screen lock is enabled or on the LG Android device a user is able to enable the fingerprint for screen lock feature, this is a finding.
Fix Text (F-72937r2_fix)
Configure the mobile operating system to not allow authentication mechanisms other than a Password Authentication Factor where the authentication provides user access to protected data.

On the MDM Administration Console, disable the "Allow fingerprint" setting.