3.2.1.26 Ensure 'Require Touch ID / Face ID authentication before AutoFill' is set to 'Enabled'

Information

This recommendation pertains to forcing re-authentication at each AutoFill operation.

Rationale:

A device may be accessed by an unauthorized user while unlocked. This recommendation provides defense-in-depth by forcing re-authentication before credentials will be populated by AutoFill.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Open Apple Configurator.

Open the Configuration Profile.

In the left window pane, click on the Restrictions tab.

In the right window pane, under the Functionality tab, check the checkbox for Require Touch ID / Face ID authentication before AutoFill.

Deploy the Configuration Profile.
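Because the check is not automated, the exported profile can be inspected before deployment. The following is an added example, not part of the benchmark or of Nessus: it assumes the checkbox is stored as the boolean key `forceAuthenticationBeforeAutoFill` in the `com.apple.applicationaccess` Restrictions payload, as in Apple's configuration profile documentation, and the sample profile is constructed for illustration.

```python
import plistlib

RESTRICTIONS_TYPE = "com.apple.applicationaccess"  # Restrictions payload type
KEY = "forceAuthenticationBeforeAutoFill"          # assumed key behind the checkbox


def load_profile(data: bytes) -> dict:
    """Parse a .mobileconfig file. Signed profiles wrap the XML plist in a
    CMS envelope, so slice the plist out instead of parsing the raw bytes."""
    start = data.find(b"<?xml")
    end = data.rfind(b"</plist>")
    if start == -1 or end == -1:
        raise ValueError("no XML property list found in profile")
    return plistlib.loads(data[start:end + len(b"</plist>")])


def autofill_auth_status(data: bytes) -> str:
    """Return PASS, FAIL or NOT_CONFIGURED for this recommendation."""
    profile = load_profile(data)
    payloads = [p for p in profile.get("PayloadContent", [])
                if isinstance(p, dict) and p.get("PayloadType") == RESTRICTIONS_TYPE]
    values = [p[KEY] for p in payloads if KEY in p]
    if not values:
        return "NOT_CONFIGURED"   # key absent: the restriction is not enforced
    # Every Restrictions payload that sets the key must set it to true.
    return "PASS" if all(v is True for v in values) else "FAIL"


def sample_profile(value=None) -> bytes:
    """Constructed sample profile; identifiers and UUIDs are placeholders."""
    restrictions = {"PayloadType": RESTRICTIONS_TYPE, "PayloadVersion": 1,
                    "PayloadIdentifier": "example.restrictions",
                    "PayloadUUID": "00000000-0000-0000-0000-000000000001"}
    if value is not None:
        restrictions[KEY] = value
    profile = {"PayloadType": "Configuration", "PayloadVersion": 1,
               "PayloadIdentifier": "example.profile",
               "PayloadUUID": "00000000-0000-0000-0000-000000000002",
               "PayloadContent": [restrictions]}
    return plistlib.dumps(profile)


if __name__ == "__main__":
    for label, value in (("enabled", True), ("disabled", False), ("absent", None)):
        print(label, autofill_auth_status(sample_profile(value)))
```

To check a real export, pass the file's bytes to `autofill_auth_status`, for example `autofill_auth_status(open(path, "rb").read())`.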

Additional Information:

The benchmark remains intentionally silent on permitting the use of the local Apple Keychain, deferring to each institution to consider its own circumstances and associated risk.

See Also

https://workbench.cisecurity.org/benchmarks/6168