
Biometric authentication

Last updated March 7th, 2025

Traditional user authentication relies on factors such as passwords or ID cards, which are susceptible to human error, phishing, and duplication. Biometric authentication validates a personal trait, such as a fingerprint, iris, or facial features, to enhance security. All biometric data collected by Samsung Knox complies with the highest security level defined by Android, Class 3.

Samsung Knox provides the following security features for biometric data protection:

  • Ensures that raw biometric data or its derivatives, such as templates, are never accessible outside the secure isolated environment, such as the Trusted Execution Environment (TEE) or Secure Element.

  • Encrypts all the stored biometric data using a device-specific key known only to the TEE.

  • Restricts hardware access to the secure isolated environment and its communication channels—Serial Peripheral Interface (SPI), Inter-Integrated Circuit (I2C)—based on device hardware support. Explicit Security-Enhanced Linux (SELinux) policies enforce this restriction on all device files.

Users must still enter a pattern, PIN, or password as a backup to their biometrics.

  • Face recognition requires re-authentication every 24 hours or after the device has been idle for 4 hours.

  • Fingerprints require re-authentication every 72 hours.

For additional information, see biometric implementation in Android.

Enterprise controls for biometrics

This feature is only available on managed devices, and requires the use of an EMM or UEM.

The Knox Platform provides the following features in addition to standard Android capabilities:

  • Secure storage: On Samsung devices, biometric authentication software doesn’t share or distribute biometric measurements of any user. Measurements are stored in a format that prevents reproducing the original biometric, and they can only be accessed and decoded within a specific TrustZone partition that has access to the biometric hardware. This prevents biometric spoofing.

  • Enforced Two-Factor Authentication (2FA): The Knox Platform enables IT admins to enforce biometric-based two-factor authentication for Work containers. For example, a user may be required to authenticate with iris recognition in addition to a standard device unlock method, such as password, PIN, or pattern. While Android supports some two-factor authentication combinations, the Knox Platform enables you to enhance security with biometric integration.

  • Enterprise credentials override: In accordance with enterprise policy, Samsung Knox devices allow you to enforce the use of enterprise Active Directory (AD) credentials for unlocking a device or Work container. This setting overrides any biometric authentication methods configured by the user, ensuring that enterprise credentials remain the sole authentication mechanism.
