Samsung Android must be configured to disable Face Recognition. Note: This requirement is not applicable (NA) for specific biometric authentication factors included in the product's Common Criteria evaluation.


Finding ID: V-93885
Version: KNOX-09-000505
Rule ID: SV-103971r1_rule
IA Controls:
Severity: Medium

The Face Recognition feature allows a user's face to be registered and used to unlock the device. This technology would allow unauthorized users to have access to DoD sensitive data if compromised. By not permitting the use of non-password authentication mechanisms, users are forced to use passcodes that meet DoD passcode requirements.

SFR ID: FMT_SMF_EXT.1.1 #23, FIA_UAU.5.1

Samsung Android OS 9 with Knox 3.x COPE Use Case KPE(Legacy) Deployment Security Technical Implementation Guide 2019-10-01


Check Text (C-93203r1_chk)
Review device configuration settings to confirm that Face Recognition is disabled.

This procedure is performed on both the MDM Administration console and the Samsung Android device.

On the MDM console, for the device, in the "Knox password constraints" group, verify that "disable face" is selected.

On the Samsung Android device, do the following:
1. Open Settings.
2. Tap "Lock screen".
3. Tap "Screen lock type".
4. Enter current password.
5. Verify that "Face" is disabled and cannot be enabled.

If on the MDM console "disable face" is not selected, or on the Samsung Android device "Face" can be enabled, this is a finding.

Fix Text (F-100133r1_fix)
Configure Samsung Android to disable Face Recognition.

On the MDM console, for the device, in the "Knox password constraints" group, select "disable face".