Authentication - No Allowance of Unlocking a Mobile Device as a Valid Authentication Factor, v1.0

Unlocking a smart phone device must not be considered an authentication factor, as a verifier cannot verify this was done.

Assessment Step

Unlock Not Second Factor (UnlockNotSecondFactor)
Is unlocking of a mobile device NOT used or assumed as a single factor in a multi-factor authentication scheme
Provide evidence (e.g. policies, operational details) that the authentication scheme does not rely on unlocking of a mobile device as an authentication factor.

Conformance Criteria (1)

When a device such a smartphone is used in the authentication process, the unlocking of that device (typically done using a PIN or biometric) SHALL NOT be considered one of the authentication factors. Generally, it is not possible for a verifier to know that the device had been locked or if the unlock process met the requirements for the relevant authenticator type.
NIST SP 800-63B
Sections 4.2.2 and 4.3.2