V-272586

Discussion

Note: This requirement is Not Applicable for specific biometric authentication factors included in the product's Common Criteria evaluation. The biometric factor can be used to authenticate the user to unlock the mobile device. Unapproved/evaluated biometric mechanisms could allow unauthorized users to have access to DOD sensitive data if compromised. By not permitting the use of unapproved/evaluated biometric authentication mechanisms, this risk is mitigated. SFR ID: FMT_SMF.1.1 #22, FIA_UAU.5.1

Check Content

Note: This requirement is not applicable for specific biometric authentication factors included in the product's Common Criteria evaluation.

Review the configuration to determine if the Samsung Android devices' Work Environment is disabling Face Recognition.

This validation procedure is performed on both the management tool and the Samsung Android device.

Face recognition is not a feature available for unlocking the Work profile unless "One Lock" is used.

Otherwise, on the management tool, in the Work Environment restrictions, verify that "Face" is set to "Disable".

On the Samsung Android device, confirm if the user has "One Lock" enabled (Settings >> Security and privacy >> More security settings >> Work profile security >> Use one lock).

If "One Lock" is enabled:
1. Open Settings >> Lock screen >> Screen lock and biometrics.
2. Enter current password.
3. Press "Face recognition" and register a face.
4. Verify that "Face unlock" is disabled and cannot be enabled.

The disablement of Face cannot be verified while "One Lock" is disabled, as they are not an available feature for Work profiles. To verify, the Admin would need to temporarily enable "One Lock" for the purpose of testing only and follow the above instruction. After testing, the User would have to reset their Work profile password when "One Lock" was turned off again.

If on the management tool "Face" is not set to "Disable", or on the Samsung Android device "Face" can be enabled, this is a finding.