Knox Authentication Manager
Last updated March 7th, 2025
This feature is only available on managed devices, and requires the use of an EMM or UEM.
Knox Authentication Manager (KAM) is a managed app for shared Samsung devices that provides multiuser facial biometrics and sign-in automation for increased frontline worker productivity and safety. It speeds up shared-device sign-ins, securely syncs user profiles across shared devices, and eliminates authentication friction by saving and automatically filling user credentials for any productivity app that requires manual sign-in. Profile syncing enables users to enroll once on a single device, then pick up any other device and instantly make it their own for the duration of their shift.
KAM leverages the Knox platform to ensure a high bar of security for our customers:
- Application Package (APK) Security: Knox Device Health Attestation, code obfuscation, and access control ensure the app only runs on registered and trusted devices.
- Data-At-Rest Encryption: A three-layer encryption model ensures authorization to access Knox Authentication Manager data is checked at every stage. Separate encryption layers are specifically implemented for unlocking the device (credential encryption), unlocking Knox Authentication Manager on the device (device unique key in KeyStore), and for each user profile (user PIN or password).
- Data-In-Transit Encryption: All encrypted user profile data is shared over a secure channel using Transport Layer Security (TLS) 1.3.
- Device Management: Admins can use various unified endpoint management (UEM) policies to help establish security baselines across their devices. In addition, as devices running KAM must be enrolled as fully managed devices in Android Enterprise, IT admins can remotely wipe the device if it is lost or stolen.
For more information on how to leverage Knox Authentication Manager in your enterprise, see the Knox Authentication Manager admin guide.
User profiles and syncing
Prior to deploying user profile syncing, all authorized devices must be enrolled into Knox Authentication Manager and assigned a device group.
User facial data and sign-in information in KAM profiles:
- Requires end user consent: Data is always encrypted at rest and in transit, and the keys needed to unlock it are derived ephemerally. Employees can opt out of face login, reset their Knox Authentication Manager credentials, and delete their user profile at any time.
- Never leaves customers’ business devices: Knox Authentication Manager never shares profile data directly with the customer, Samsung or its subsidiaries, or any third party. KAM achieves this by leveraging device-to-device syncing of profile data.
- Can be managed by IT admins: Through a managed application configuration, IT admins can enable or disable face login, either locally (e.g., per facility) or globally. In addition, they can implement a timeout period to automatically remove unused profiles when an employee moves between device groups or leaves the company.
- Is limited to only necessary data: Each profile contains sign-in information for selected work applications (identity provider or Active Directory credentials) and facial data (after user consent). An end user can also choose to opt out of storing their credentials in selected work applications if desired.
Before user profiles can be synced across devices, devices with Knox Authentication Manager installed (via Google Managed Applications) must enroll themselves with the KAM server. Samsung Knox maintains a list of shared devices in an online server for device-to-device syncing, organized by organization and device group.
Upon enrollment, device boot-up, IP address change, or a forced sync action, the device sends its encrypted IP address to the KAM server. This IP address is used to sync with other devices in the group. When the device group list changes, each device receives an updated list of device addresses in its group.
Once each device has a device address list for its organization and group, it can begin syncing credentials. Credential syncing between devices is triggered when the device is plugged into power and on the same Wi-Fi subnet as its peers. A common example is when users return devices to docking stations at the end of a work shift.