AIOS-17-706950 - Apple iOS/iPadOS 17 must be configured to enforce a passcode reuse prohibition of at least two generations.

Information

iOS/iPadOS 17 includes a new feature that allows the previous passcode to be valid for 72 hours after a passcode change. If the previous passcode has been compromised and the attacker has access to it and the Apple device, enterprise data and the enterprise network can be compromised. Currently there is no MDM control to force the old passcode to expire immediately after passcode change. The previous passcode will expire immediately after a passcode change if the MDM password history control is implemented.

SFR ID: FMT_SMF_EXT.1.1 #47

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Install a configuration profile to enforce a passcode reuse prohibition of at least two generations (passcode history).

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_iOS-iPadOS_17_BYOAD_Y24M02_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1)(e), CAT|I, CCI|CCI-000200, Rule-ID|SV-259768r943629_rule, STIG-ID|AIOS-17-706950, Vuln-ID|V-259768

Plugin: MDM

Control ID: db8e5fffde0d9f8d89345943bc4bb636543061219c19e1bc1c7c0b3416c40efd