2.12 Audit Touch ID and Wallet & Apple Pay Settings

Information

Apple has integrated Touch ID with macOS and allows fingerprint use for many common operations. All use of Touch ID requires the presence of a password and the use of that password after every reboot, or when more than 48 hours has elapsed since the device was last unlocked.

Touch ID is a prerequisite for using Apple Pay and Wallet on macOS. Apple Pay allows an Apple account holder to enroll their credit cards in Apple Pay and pay enrolled vendors without using the physical card or number. Apple's service eliminates the requirement to send the credit card number itself to the vendor. Apple Pay on a Mac allows the use of credit cards the user has already enrolled and reduces user risk for credit card purchases.

Rationale:

Touch ID allows for an account-enrolled fingerprint to access a key that uses a previously provided password.

Some environments may have rules around purchases from organizationally managed computers and may want to discourage shopping from them. It is difficult to block access to websites that allow purchases, and Apple Pay has more controls for user protection than the manual entry of credit card information.

Impact:

Touch ID is more convenient for use with aggressive screen lock controls.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Graphical Method:
Perform the following steps to set Touch ID to your organization's settings:

Open System Preferences

Select Touch ID

Select the Touch ID settings match your organization's settings

Open System Preferences

Select Wallet & Apple Pay

Select the Wallet & Apple Pay settings match your organization's settings

See Also

https://workbench.cisecurity.org/files/4176

Item Details

Category: CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND SERVICES ACQUISITION

References: 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|IA-5(1), 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|4.4, CSCv7|5.1

Plugin: Unix

Control ID: cd4030c0d9847fe87f1e1ec513a59cb69dc67ea0275baddc22bb8ab961d8fcc6