Windows 10 Mobile must be configured to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor (e.g., using a fingerprint), unless mechanism is DoD-approved.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-70111	MSWM-10-202801	SV-84733r1_rule		Medium

Description
The fingerprint reader or iris scan (supported by some Windows 10 Mobile devices) can be used to authenticate the user in order to unlock the mobile device. At this time, no biometric reader has been approved for DoD use on mobile devices. This technology would allow unauthorized users to have access to DoD sensitive data if compromised. By not permitting the use of non-password authentication mechanisms, users are forced to use passcodes that meet DoD passcode requirements. SFR ID: FMT_SMF_EXT.1.1 #45

Description

The fingerprint reader or iris scan (supported by some Windows 10 Mobile devices) can be used to authenticate the user in order to unlock the mobile device. At this time, no biometric reader has been approved for DoD use on mobile devices. This technology would allow unauthorized users to have access to DoD sensitive data if compromised. By not permitting the use of non-password authentication mechanisms, users are forced to use passcodes that meet DoD passcode requirements. SFR ID: FMT_SMF_EXT.1.1 #45

STIG	Date
Microsoft Windows 10 Mobile Security Technical Implementation Guide	2017-09-11

Details

Check Text ( C-70587r1_chk )
Review Windows 10 Mobile documentation and inspect the configuration on Windows 10 Mobile to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor (e.g., using a fingerprint), unless mechanism is DoD-approved. This validation procedure is performed only on the MDM administration console. On the MDM administration console: 1. Ask the MDM administrator to verify the phone compliance policy. 2. Find the setting for restricting Biometrics authentication "Biometrics/UseBiometrics". 3. Verify that setting restriction is turned on (feature disabled). If the MDM does not have a compliance policy that disables "Biometrics/UseBiometrics", this is a finding.

Check Text ( C-70587r1_chk )

Review Windows 10 Mobile documentation and inspect the configuration on Windows 10 Mobile to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor (e.g., using a fingerprint), unless mechanism is DoD-approved.

This validation procedure is performed only on the MDM administration console.

On the MDM administration console:

1. Ask the MDM administrator to verify the phone compliance policy.
2. Find the setting for restricting Biometrics authentication "Biometrics/UseBiometrics".
3. Verify that setting restriction is turned on (feature disabled).

If the MDM does not have a compliance policy that disables "Biometrics/UseBiometrics", this is a finding.

Fix Text (F-76347r1_fix)
Configure the MDM system to require the "Biometrics/UseBiometrics" policy to be disabled for Windows 10 Mobile devices. Deploy the MDM policy on managed devices.