Additional Advanced Access Control enhancements

For device users who need security features beyond the standard ones in Knox Enterprise, this release provides Advanced Access Control (AAC) enhancements. Knox 3.8 focuses on adding a touch dynamics factor. This factor analyzes the digital signatures generated when a human interacts with a device, commonly known as keystroke or typing patterns, to verify that the user typing on the device is its authorized primary user. If the user is determined not to be an authorized user, the Work Profile on the device is locked and access to sensitive data is immediately revoked.

Continuous Multi-Factor Authentication (CMFA) automatically logs users in to their phone and applications without requiring their credentials at each login. These enhancements add an extra layer of security for peace of mind.

How does the Advanced Access Control feature work?

In previous Knox versions, AAC protected the Work Profile by locking it automatically based on face detection. This release adds factors such as body detection and the user’s typing pattern. The solution works when the device is placed on a flat surface or doesn’t detect any movement. When that happens, the solution locks the Work Profile using the other factors. This feature also enables the device to learn the user’s typing pattern. If it detects a different typing style, the factor reports to the framework and locks the Work Profile.
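The learn-then-compare flow described above, as an added example that is not Samsung's code or algorithm. It assumes a simple keystroke-dynamics model (per-key hold time and gap between keys, compared against the owner's mean and standard deviation); every function name, threshold and timing value is hypothetical or constructed.

```python
# Added illustration, not Knox code: every name and threshold here is an assumption.
from statistics import mean, stdev

def session(dwells, flights):
    """Build constructed (key_down_ms, key_up_ms) events from dwell/flight times."""
    events, t = [], 0
    for i, d in enumerate(dwells):
        events.append((t, t + d))
        t += d + (flights[i] if i < len(flights) else 0)
    return events

def features(events):
    """Dwell = how long a key is held; flight = gap between release and next press."""
    dwell = [up - down for down, up in events]
    flight = [events[i + 1][0] - events[i][1] for i in range(len(events) - 1)]
    return {"dwell": dwell, "flight": flight}

def enroll(sessions):
    """Learn the owner's profile: mean and standard deviation of each feature."""
    pooled = {"dwell": [], "flight": []}
    for events in sessions:
        for name, values in features(events).items():
            pooled[name] += values
    return {name: (mean(v), stdev(v)) for name, v in pooled.items()}

def mismatch_score(profile, events):
    """Average distance of the sample's mean timings from the profile, in std devs."""
    scores = []
    for name, values in features(events).items():
        mu, sigma = profile[name]
        scores.append(abs(mean(values) - mu) / max(sigma, 1e-6))
    return sum(scores) / len(scores)

def evaluate(profile, events, threshold=2.0, min_keys=5):
    """Decision the factor would report; too little typing is not treated as a match."""
    if len(events) < min_keys:
        return "INSUFFICIENT_DATA"
    if mismatch_score(profile, events) > threshold:
        return "LOCK_WORK_PROFILE"
    return "TRUSTED"

# Constructed sample timings in milliseconds.
OWNER_PROFILE = enroll([
    session([95, 105, 100, 110, 90, 100], [150, 145, 160, 155, 140]),
    session([100, 92, 108, 97, 103, 99], [148, 152, 158, 142, 150]),
])
OWNER_SAMPLE = session([98, 102, 96, 104, 100, 101], [149, 153, 147, 151, 150])
OTHER_SAMPLE = session([60, 65, 58, 62, 61, 64], [240, 250, 235, 245, 238])
```

Returning a separate result for short samples keeps a handful of keystrokes from being counted as a match or a mismatch.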

The framework uses the following factors to test the device’s trust score:

  • Face recognition factor that authenticates the user with facial recognition using the front facing camera.
  • Device integrity factor that calls the keystore attestation API to obtain integrity information from ICCC TA.
  • Touch Dynamics factor that uses commonly used keystroke pattern data to verify that the current user is an authorized user of the device and the work profile.

AAC Module Framework

Advanced Access Control is composed of an application layer, the CMFA Framework, and various authentication factors. The following table breaks down how the modules interact with one another in the framework.

Module Description
Applications
  • KSP Agent (MDM) manages the device, and starts or stops the CMFA service with the KSP configuration.
CMFA Framework
  • CMFA service gets the policy and calculates a trust score from the results of each factor such as the face factor and Knox security factor.
  • Updates the permission to the application by authentication profile.
  • Provides APIs for MDM app and KPE.
Face recognition factor
  • Periodically triggers face authentication with the device front camera and reports the result to the CMFA Framework.
Device integrity factor
  • Periodically checks the device integrity by calling the keystore attestation API that provides device integrity information from ICCC TA and reports to the CMFA Framework.
Touch dynamics factor (new)
  • Continuously checks that the current user's typing pattern matches that of the owner.

For more information on security factors such as Knox Biometrics, refer to the Biometric authentication documentation.
