Samsung Android must be configured to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor, including face recognition.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-252413	KNOX-12-210080	SV-252413r815452_rule		Medium

Description
The biometric factor can be used to authenticate the user in order to unlock the mobile device. Unapproved/evaluated biometric mechanisms could allow unauthorized users to have access to DoD sensitive data if compromised. By not permitting the use of unapproved/evaluated biometric authentication mechanisms, this risk is mitigated. SFR ID: FMT_SMF_EXT.1.1 #22, FIA_UAU.5.1

STIG	Date
Samsung Android 12 with Knox 3.x COPE Security Technical Implementation Guide	2022-06-07

Details

Check Text ( C-55869r815450_chk )
Review the configuration to determine if the Samsung Android devices are disabling Face Recognition. This validation procedure is performed on both the management tool and the Samsung Android device. If a KPE premium license is activated, Facial Recognition will be automatically disabled Otherwise, On the management tool, in the device restrictions, verify that "Face" is set to "Disable". On the Samsung Android device: 1. Open Settings >> Lock screen >> Screen lock type. 2. Enter current password. 3. Verify that "Face" is disabled and cannot be enabled. If on the management tool a KPE premium license is not activated and "Face" is not set to "Disable", or on the Samsung Android device "Face" can be enabled, this is a finding.

Check Text ( C-55869r815450_chk )

Review the configuration to determine if the Samsung Android devices are disabling Face Recognition.

This validation procedure is performed on both the management tool and the Samsung Android device.

If a KPE premium license is activated, Facial Recognition will be automatically disabled

Otherwise, On the management tool, in the device restrictions, verify that "Face" is set to "Disable".

On the Samsung Android device:
1. Open Settings >> Lock screen >> Screen lock type.
2. Enter current password.
3. Verify that "Face" is disabled and cannot be enabled.

If on the management tool a KPE premium license is not activated and "Face" is not set to "Disable", or on the Samsung Android device "Face" can be enabled, this is a finding.

Fix Text (F-55819r815451_fix)
Configure the Samsung Android devices to disable Face Recognition. This policy is included to allow a Samsung Android device to be deployed without an activated KPE premium license. If a license is activated, Facial Recognition will be automatically disabled. In this case, this policy does not need to be configured for STIG compliance, as Face as a biometric will be disabled. On the management tool, in the device restrictions, set "Face" to "Disable".

Fix Text (F-55819r815451_fix)

Configure the Samsung Android devices to disable Face Recognition.

This policy is included to allow a Samsung Android device to be deployed without an activated KPE premium license. If a license is activated, Facial Recognition will be automatically disabled. In this case, this policy does not need to be configured for STIG compliance, as Face as a biometric will be disabled.

On the management tool, in the device restrictions, set "Face" to "Disable".