APPL-12-003020 - The macOS system must use multifactor authentication for local access to privileged and non-privileged accounts.

Information

Without the use of multifactor authentication, the ease of access to privileged and non-privileged functions is greatly increased.

Multifactor authentication requires using two or more factors to achieve authentication.

Factors include:
1) something a user knows (e.g., password/PIN);
2) something a user has (e.g., cryptographic identification device, token); and
3) something a user is (e.g., biometric).

A privileged account is defined as an information system account with authorizations of a privileged user.

Local access is defined as access to an organizational information system by a user (or process acting on behalf of a user) communicating through a direct connection without the use of a network.

The DoD CAC with DoD-approved PKI is an example of multifactor authentication.

Satisfies: SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055, SRG-OS-000068-GPOS-00036

Solution

This setting is enforced using the 'Smart Card Policy' configuration profile.

Note: Before applying the 'Smart Card Policy', the supplemental guidance provided with the STIG must be consulted to ensure continued access to the operating system.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_macOS_12_V1R9_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(3), 800-53|IA-2(4), 800-53|IA-5(2)(c), CAT|I, CCI|CCI-000187, CCI|CCI-000767, CCI|CCI-000768, Rule-ID|SV-252527r982203_rule, STIG-ID|APPL-12-003020, Vuln-ID|V-252527

Plugin: Unix

Control ID: 9496c26730e09147323622fb62b7d39b8f5f6b9c2ed387faa82837902436bcf5