Samsung Android must be configured to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor: Face recognition.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-260445	KNOX-14-710080	SV-260445r953770_rule		Medium

Description
The biometric factor can be used to authenticate the user to unlock the mobile device. Unapproved/evaluated biometric mechanisms could allow unauthorized users to have access to DOD sensitive data if compromised. By not permitting the use of unapproved/evaluated biometric authentication mechanisms, this risk is mitigated. SFR ID: FMT_SMF_EXT.1.1 #22, FIA_UAU.5.1

STIG	Date
Samsung Android 14 MDFPP 3.3 BYOAD Security Technical Implementation Guide	2024-02-21

Details

Check Text ( C-64175r953770_chk )
Note: This requirement is not applicable for specific biometric authentication factors included in the product's Common Criteria evaluation. Review the configuration to determine if the Samsung Android devices' Work Environment is disabling Face Recognition. This validation procedure is performed on both the management tool and the Samsung Android device. Face recognition is not a feature available for unlocking the Work profile unless "One Lock" is used. Otherwise, on the management tool, in the Work Environment restrictions, verify that "Face" is set to "Disable". On the Samsung Android device, confirm if the user has "One Lock" enabled (Settings >> Security and privacy >> More security settings >> Work profile security >> Use one lock). If "One Lock" is enabled: 1. Open Settings >> Lock screen >> Screen lock type. 2. Enter current password. 3. Verify that "Face" is disabled and cannot be enabled. The disablement of Face cannot be verified while "One Lock" is disabled, as they are not an available feature for Work profiles. To verify, the Admin would need to temporarily enable "One Lock" for the purpose of testing only and follow the above instruction. After testing, the User would have to reset their Work profile password when "One Lock" was turned off again. If on the management tool "Face" is not set to "Disable", or on the Samsung Android device "Face" can be enabled, this is a finding.

Check Text ( C-64175r953770_chk )

Note: This requirement is not applicable for specific biometric authentication factors included in the product's Common Criteria evaluation.

Review the configuration to determine if the Samsung Android devices' Work Environment is disabling Face Recognition.

This validation procedure is performed on both the management tool and the Samsung Android device.

Face recognition is not a feature available for unlocking the Work profile unless "One Lock" is used.

Otherwise, on the management tool, in the Work Environment restrictions, verify that "Face" is set to "Disable".

On the Samsung Android device, confirm if the user has "One Lock" enabled (Settings >> Security and privacy >> More security settings >> Work profile security >> Use one lock).

If "One Lock" is enabled:
1. Open Settings >> Lock screen >> Screen lock type.
2. Enter current password.
3. Verify that "Face" is disabled and cannot be enabled.

The disablement of Face cannot be verified while "One Lock" is disabled, as they are not an available feature for Work profiles. To verify, the Admin would need to temporarily enable "One Lock" for the purpose of testing only and follow the above instruction. After testing, the User would have to reset their Work profile password when "One Lock" was turned off again.

If on the management tool "Face" is not set to "Disable", or on the Samsung Android device "Face" can be enabled, this is a finding.

Fix Text (F-64082r950913_fix)
Note: This requirement is not applicable for specific biometric authentication factors included in the product's Common Criteria evaluation. Configure the Samsung Android devices to disable Face Recognition. On the management tool, in the device restrictions, set "Face Recognition" to "Disable".