Information
Apple has integrated Touch ID with macOS and allows fingerprint use for many common operations. All use of Touch ID requires the presence of a password and the use of that password after every reboot, or when more than 48 hours have elapsed since the device was last unlocked.
Touch ID is a prerequisite for using Apple Pay and Wallet on macOS. Apple Pay allows an Apple account holder to enroll their credit cards in Apple Pay and pay enrolled vendors without using the physical card or number. Apple's service eliminates the requirement to send the credit card number itself to the vendor. Apple Pay on a Mac allows the use of credit cards the user has already enrolled and reduces user risk for credit card purchases.
Rationale:
Touch ID allows for an account-enrolled fingerprint to access a key that uses a previously provided password.
Some environments may have rules around purchases from organizationally managed computers and may want to discourage shopping from them. It is difficult to block access to websites that allow purchases, and Apple Pay has more controls for user protection than the manual entry of credit card information.
Impact:
Touch ID is more convenient for use with aggressive screen lock controls.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Graphical Method:
Perform the following steps to set Touch ID to your organization's settings:
Open System Preferences
Select Touch ID
Select the Touch ID settings that match your organization's settings
Open System Preferences
Select Wallet & Apple Pay
Select the Wallet & Apple Pay settings that match your organization's settings
Item Details
Category: CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND SERVICES ACQUISITION
References: 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|IA-5(1), 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|4.4, CSCv7|5.1
Control ID: cd4030c0d9847fe87f1e1ec513a59cb69dc67ea0275baddc22bb8ab961d8fcc6