3.2.1.23 Ensure 'Require Touch ID / Face ID authentication before AutoFill' is set to 'Enabled'

Information

This recommendation pertains to forcing re-authentication at each AutoFill operation.

Rationale:

A device may be accessed by an unauthorized user while unlocked. This recommendation provides defense-in-depth by forcing re-authentication before credentials will be populated by AutoFill.

Solution

1. Open Apple Configurator.

2. Open the Configuration Profile.

3. In the left windowpane, click on the Restrictions tab.

4. In the right windowpane, under the tab Functionality, check the checkbox for Require Touch ID / Face ID authentication before AutoFill.

5. Deploy the Configuration Profile.
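
To audit an exported profile for this setting, the added example below (not part of the benchmark) parses an unsigned .mobileconfig and checks the Restrictions payload (`com.apple.applicationaccess`) for `forceAuthenticationBeforeAutoFill`, the key Apple documents for this restriction. The key name is not stated on this page, and the sample profiles and `com.example` identifiers are constructed.

```python
import plistlib

RESTRICTIONS_TYPE = "com.apple.applicationaccess"   # Restrictions payload type
AUTOFILL_KEY = "forceAuthenticationBeforeAutoFill"  # key name from Apple's docs, not this page


def audit_autofill_auth(profile_bytes):
    """Return (passed, detail) for an unsigned .mobileconfig plist.

    A signed profile is CMS-wrapped and must be unwrapped first; here it
    is reported as unparseable rather than silently passed.
    """
    try:
        profile = plistlib.loads(profile_bytes)
    except Exception as exc:  # malformed XML/binary plist or CMS envelope
        return False, f"unparseable profile: {exc}"
    content = profile.get("PayloadContent") if isinstance(profile, dict) else None
    if not isinstance(content, list):
        return False, "profile has no PayloadContent array"
    payloads = [p for p in content
                if isinstance(p, dict) and p.get("PayloadType") == RESTRICTIONS_TYPE]
    if not payloads:
        return False, "no Restrictions payload in profile"
    for p in payloads:
        # Only the plist boolean <true/> counts; a string "true" or an
        # absent key leaves AutoFill re-authentication unenforced.
        if p.get(AUTOFILL_KEY) is True:
            return True, f"{AUTOFILL_KEY} is true in {p.get('PayloadIdentifier')}"
    seen = [p.get(AUTOFILL_KEY) for p in payloads]
    return False, f"{AUTOFILL_KEY} not enforced (values seen: {seen!r})"


def sample_profile(setting=None):
    """Build a constructed sample profile; setting=None omits the key."""
    restrictions = {"PayloadType": RESTRICTIONS_TYPE, "PayloadVersion": 1,
                    "PayloadIdentifier": "com.example.restrictions",
                    "PayloadUUID": "00000000-0000-0000-0000-000000000001"}
    if setting is not None:
        restrictions[AUTOFILL_KEY] = setting
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadIdentifier": "com.example.profile",
                           "PayloadUUID": "00000000-0000-0000-0000-000000000000",
                           "PayloadContent": [restrictions]})


if __name__ == "__main__":
    for label, value in [("enabled", True), ("disabled", False), ("absent", None)]:
        print(label, audit_autofill_auth(sample_profile(value)))
```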

Additional Information:

The benchmark remains intentionally silent on permitting the use of the local Apple Keychain, deferring to each institution to consider its own circumstances and associated risk.

See Also

https://workbench.cisecurity.org/files/3064