Full Report
Google has launched a new feature called Identity Check for supported Android devices that locks sensitive settings behind biometric authentication when outside of trusted locations. "When you turn on Identity Check, your device will require explicit biometric authentication to access certain sensitive resources when you're outside of trusted locations," Google said in a post announcing the
Analysis Summary
# Best Practices: Enhanced Android Device Security via Identity Check
## Overview
These practices focus on leveraging Android's integrated "Identity Check" feature and associated security enhancements to protect sensitive device data and settings from unauthorized access, particularly when the device is outside of a user-defined trusted location.
## Key Recommendations
### Immediate Actions
1. **Enable Identity Check:** Immediately enable the Identity Check feature on supported devices (Android 15/One UI 7 compatible phones).
2. **Verify Location Trust:** Review and confirm the defined "trusted locations" within the Identity Check settings to ensure they accurately reflect safe environments (e.g., home or office).
3. **Activate Theft Detection Lock:** Ensure the AI-powered Theft Detection Lock feature is active on all relevant devices (Android 10 and later, globally for supported models).
### Short-term Improvements (1-3 months)
1. **Mandate Biometric Authentication for Sensitive Settings:** Confirm that the following sensitive actions now *require* biometric authentication when the device is outside a trusted location:
* Accessing saved passwords/passkeys in Google Password Manager.
* Autofilling passwords in apps (excluding Chrome).
* Changing screen lock (PIN, pattern, password).
* Modifying biometric settings (Fingerprint/Face Unlock).
* Disabling "Find My Device."
* Disabling any theft protection features.
2. **Review Account Access Controls:** Explicitly verify that enhanced protection for Google Accounts is enabled to prevent unauthorized takeover when the device is potentially compromised or stolen.
3. **Audit Device Setup Permissions:** Ensure that setting up a new device using a current one, or adding/removing Google Accounts, is subject to Identity Check requirements.
### Long-term Strategy (3+ months)
1. **Phased Rollout Validation:** For organizations managing fleets of devices, pilot the deployment of Android 15/One UI 7 (or newer) proactively to ensure Identity Check compatibility and effectiveness before widespread OS upgrades.
2. **Promote Device Hardening:** Integrate the usage of robust security features like Identity Check, Theft Detection Lock, and Offline Device Lock into the overall mobile device security policy framework.
3. **Industry Collaboration:** Participate in or monitor industry efforts, such as those with the GSMA, regarding information sharing and prevention techniques to combat mobile device theft trends.
## Implementation Guidance
### For Small Organizations
- Prioritize the rollout of Identity Check immediately, focusing primarily on devices belonging to executives or individuals carrying sensitive data.
- Utilize built-in OS security features rather than complex third-party Mobile Device Management (MDM) solutions for this specific setting lock, since the feature is natively supported on compatible Android versions.
### For Medium Organizations
- Develop standard operating procedures (SOPs) mandating user enrollment in Identity Check as part of the device onboarding process.
- Establish monitoring for attempts to change primary authentication methods (PIN/Biometrics) outside trusted zones as a potential indicator of physical compromise.
### For Large Enterprises
- Integrate Identity Check enforcement policies within Unified Endpoint Management (UEM) or MDM solutions, ensuring configurations are standardized across device types (Pixel, Samsung, etc.) where supported.
- Implement strict policies governing the definition and modification of "trusted places" across the organizational infrastructure.
- Ensure that access to Developer options is also locked down, as it can be used to circumvent many standard security layers.
## Configuration Examples
**Enabling Identity Check (Path on Device):**
`Settings > Google > All services > Theft protection > Identity Check`
**Actions Requiring Biometric Authentication When Identity Check is Active and Outside a Trusted Location:**
* Access saved passwords/passkeys (Google Password Manager).
* Autofill passwords in third-party apps (Non-Chrome).
* Change screen lock settings.
* Change biometric settings.
* Run factory reset.
* Turn off Find My Device/Theft Protection features.
* View trusted places.
* Set up a new device with the current device.
* Add or remove a Google Account.
* Access Developer options.
## Compliance Alignment
The enforcement of strong authentication tied to location context aligns with foundational principles in several frameworks:
* **NIST Cybersecurity Framework (CSF):** Aligns with the **Protect (PR)** function (specifically PR.AC regarding access control) and enhances **Detect (DE)** capabilities by flagging anomalous attempts to disable protection.
* **ISO/IEC 27001:** Supports the controls related to access management and protection of information integrity (A.9 and A.12).
* **CIS Controls:** Supports principles around Mobile Device Security and Data Recovery/Incident Response preparation by making device reset significantly harder for unauthorized parties.
## Common Pitfalls to Avoid
- **Ignoring OS Version Limitations:** Attempting to enable Identity Check on devices running operating systems older than Android 15 or unsupported Samsung versions, leading to user frustration.
- **Over-reliance on Trusted Locations:** Defining a "trusted location" that is too broad or not physically secure (e.g., a frequently visited public Wi-Fi hotspot), which effectively neutralizes the benefit of the location-based check.
- **Treating Identity Check as a Replacement for Theft Detection Lock:** Assuming the new Identity Check replaces the older AI-powered Theft Detection Lock; both should be layered for maximum benefit across broader device populations (Android 10+).
- **Forgetting Developer Options:** Assuming only settings changes are locked; access to Developer Options must also be blocked, as it can be used to debug or manipulate device state.
## Resources
- **Official Documentation Link (Path Reference):** Review the official support documentation for the exact navigational path on specific device models (Referenced in context as: `Settings > Google > All services > Theft protection > Identity Check`).
- **Theft Protection Features Documentation:** Consult the security blog posts describing interconnected features like Theft Detection Lock and Offline Device Lock for layered defense strategy.