APPL-11-003020 - The macOS system must use multifactor authentication for local access to privileged and non-privileged accounts.

Information

Without the use of multifactor authentication, the ease of access to privileged and non-privileged functions is greatly increased.

Multifactor authentication requires using two or more factors to achieve authentication.

Factors include:
1) something a user knows (e.g., password/PIN);
2) something a user has (e.g., cryptographic identification device, token); and
3) something a user is (e.g., biometric).

A privileged account is defined as an information system account with authorizations of a privileged user.

Local access is defined as access to an organizational information system by a user (or process acting on behalf of a user) communicating through a direct connection without the use of a network.

The DoD CAC with DoD-approved PKI is an example of multifactor authentication.

Satisfies: SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055, SRG-OS-000068-GPOS-00036

Solution

This setting is enforced using the 'Smart Card Policy' configuration profile.

Note: Before applying the 'Smart Card Policy', the supplemental guidance provided with the STIG must be consulted to ensure continued access to the operating system.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_macOS_11_V1R5_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(3), 800-53|IA-2(4), 800-53|IA-5(2)(c), CAT|I, CCI|CCI-000187, CCI|CCI-000767, CCI|CCI-000768, Rule-ID|SV-230838r599842_rule, STIG-ID|APPL-11-003020, Vuln-ID|V-230838

Plugin: Unix

Control ID: 973986383c908928382ed3da6068594abfa5e76dd3d9c011a877e3e0e227d99c