by Heath Gieson
Some attacks are sophisticated. Weeks of reconnaissance, carefully crafted phishing emails, vulnerabilities quietly exploited in the background. But some of the easiest wins for an attacker require nothing more than a moment of opportunity and an unlocked screen.
CIS Control 4.3, Configure Automatic Session Locking on Enterprise Assets, is about closing that window. General-purpose operating systems must lock the session after no more than 15 minutes of inactivity; mobile end-user devices after no more than 2 minutes. The requirement is simple. What makes it worth talking about is the broader conversation it opens up about how users re-authenticate when that screen locks, because if re-authentication is painful, users will find ways around the policy: longer timeouts set locally, mouse-jiggler utilities, PINs shared with a colleague. The answer is not a weaker policy. The answer is making re-authentication faster than a password while also making it more secure than one.
Why This One Is Different
Session locking sits at the intersection of physical security and digital security, which makes it one of the more interesting controls in IG1. It does not account for technology failing. It accounts for people being people. The unlocked laptop at a coffee shop, the unattended workstation in a shared office, the tablet at the front desk while someone steps away for five minutes. None of those scenarios require a hacker. They just require proximity and a moment.
That is what 4.3 is designed to address.
Windows Hello and Windows Hello for Business
Most business environments run Windows, so this is the right place to start.
Windows Hello supports face recognition using an infrared camera, fingerprint scanning, and a device-bound PIN. The PIN is worth clarifying because it confuses people. It is not a password. Face, fingerprint and PIN are all local gestures that unlock the same private key, and that key is generated on, and bound to, the specific device and protected by its Trusted Platform Module (TPM). The PIN is only ever verified locally, the key never leaves the TPM, and neither is stored on a server, so a PIN observed or captured elsewhere cannot be replayed from another machine. Face recognition uses near-infrared imaging that works in varied lighting and resists spoofing attempts with a photograph. For most users, unlocking a locked screen becomes a glance. That kind of experience actually reduces resistance to the policy.
There is an important distinction between Windows Hello and Windows Hello for Business that is worth understanding. The consumer version works well for personal devices, local accounts and Microsoft accounts. Windows Hello for Business is built for enterprise environments. It integrates with Microsoft Entra ID and Active Directory, authenticates with an asymmetric key or certificate bound to the device instead of a password, and can be deployed and enforced centrally through Intune or Group Policy. Because a Hello for Business sign-in already combines something you have (the device-bound key) with something you know or are (the PIN or a biometric), it counts as multifactor for Conditional Access, and you can layer a device-compliance requirement on top before granting access. For any organization running Microsoft 365, Windows Hello for Business is the right deployment target.
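To make the deployment step concrete, here is an added readiness check in PowerShell to run on a pilot device before you enforce Windows Hello for Business. It is not Microsoft's code or the article's. It assumes Windows 10 or 11, an elevated session (Get-Tpm requires one), and that dsregcmd /status prints its usual "Name : Value" lines, which the small parser relies on; the function name and the Ready summary are this example's own.

```powershell
<#
  Added example; not code from Microsoft or from the article's author.
  Answers three questions before a Hello for Business rollout: is there a
  usable TPM, how is the device joined, and has the signed-in user actually
  provisioned a Hello key yet? Assumes Windows 10/11 and an elevated session.
#>
function Test-HelloForBusinessReadiness {
    [CmdletBinding()]
    param()

    # TPM state. Hello for Business generates its key inside the TPM when one is
    # present and ready; without one Windows falls back to a software-protected key.
    $tpm = Get-Tpm

    # dsregcmd /status reports join state (Device State section) and, for the
    # current user, whether a Hello key is set (NgcSet in the User State section).
    # Lines look like "   AzureAdJoined : YES"; parse them into a hashtable.
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }

    $entraJoined  = $state['AzureAdJoined'] -eq 'YES'
    $domainJoined = $state['DomainJoined']  -eq 'YES'

    [pscustomobject]@{
        TpmPresent   = [bool]$tpm.TpmPresent
        TpmReady     = [bool]$tpm.TpmReady
        EntraJoined  = $entraJoined
        DomainJoined = $domainJoined
        HelloKeySet  = $state['NgcSet'] -eq 'YES'   # user has finished enrollment
        # Minimum for the policy to take effect: an identity the device can bind a
        # key to. A ready TPM is strongly preferred but not a hard requirement.
        Ready        = ($entraJoined -or $domainJoined)
    }
}

Test-HelloForBusinessReadiness | Format-List
```

A device that reports Ready but HelloKeySet false is the normal state before the user's first sign-in after the policy lands; a device that reports TpmReady false will still enroll, but with a software key, which is worth flagging in your hardware refresh list. Hybrid-joined devices have additional trust-model prerequisites (key trust, certificate trust or cloud Kerberos trust) that this check does not cover.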
macOS, iPhone, and iPad
For Mac users, Touch ID delivers the same experience. Fingerprint data is processed and stored in Apple's Secure Enclave, isolated from the rest of the operating system, and never leaves the device. A locked screen becomes a finger press. One caveat worth telling users up front: macOS still demands the account password in a few situations (after a restart, after roughly 48 hours without an unlock, and after repeated failed fingerprint attempts), so the password does not go away and still needs to be a strong one. Day to day, though, the friction that causes users to push back on lock policies largely disappears.
macOS devices can be enrolled in Microsoft Intune and managed alongside Windows endpoints, so your configuration standard stays consistent across platforms regardless of what hardware your team is running.
On iPhone and iPad, Face ID and Touch ID work the same way, with the same periodic fallback to the passcode. The Secure Enclave handles biometric processing, and the re-authentication experience is fast enough that a 2-minute lock policy creates minimal friction in daily use.
Android Devices
Modern Android devices support fingerprint and facial recognition, and enterprise deployments through Android Enterprise or Samsung Knox allow IT administrators to enforce lock screen policies across managed devices. If you are using Intune for mobile device management, these policies can be pushed from the same console as your Windows and Mac standards. Consistent management across platforms is the goal, and the tooling to get there is already in most organizations’ hands.
A Quick Note on Hardware Security Keys
For privileged users, IT administrators, and anyone with access to sensitive systems, hardware security keys like YubiKeys are worth a mention. A FIDO2 key holds its private keys on the device, requires a touch (physical presence) to sign each authentication, and signs a challenge bound to the site's origin, which is why it cannot be phished the way a password or a one-time code can. Microsoft Entra ID accepts FIDO2 keys as a passwordless sign-in method, so for an account configured that way there is no password in the login flow to steal, and the key must be physically present to work. For most users, biometrics are the right answer. For your highest-risk accounts, pairing biometrics with a hardware key is a practical and defensible upgrade.
Making This Actionable
This does not need to be a big project. Here is a straightforward path:
- Windows: Deploy Windows Hello for Business through Intune or Group Policy. Enforce the 15-minute lock timeout at the policy level, for example with the "Interactive logon: Machine inactivity limit" security option set to 900 seconds or less, so it is not left to individual users.
- macOS: Use your MDM to enforce screen lock settings and confirm Touch ID is enabled on managed devices.
- Mobile: Push a 2-minute lock timeout to all managed iOS and Android devices. Confirm biometric unlock is configured, and on Android that the work profile has its own lock requirement rather than relying on the personal side of the device.
- Privileged accounts: Evaluate hardware security keys as a complement to biometrics for your highest-risk users.
- Communicate the why. When users understand that Face ID and Touch ID make re-authentication faster than typing a password, the pushback on lock policies drops significantly. When they understand that a 2-minute mobile timeout is the difference between a lost phone and a data breach, the conversation changes.
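As an added worked example for the Windows step above (not code from the article, from CIS or from Microsoft), here is a PowerShell script that audits the registry locations the two relevant policies write to, the machine inactivity limit under HKLM and the per-user screen saver policy under HKCU, compares them against a 900-second ceiling, and with -Remediate writes compliant values. The key paths and value names are the documented policy locations; the threshold parameter, the function names and the choice to fail with exit code 1 are this example's own assumptions.

```powershell
<#
  Added example for this article; it is not code from CIS, Microsoft or the
  author. Audits the two Windows settings that implement "lock after N minutes
  idle" and, with -Remediate, sets them to the CIS 4.3 ceiling.
  Assumptions: Windows 10/11, an elevated PowerShell session, and the default
  threshold of 900 seconds (15 minutes) from CIS 4.3. On a GPO- or
  Intune-managed host the policy engine rewrites these keys at the next
  refresh, so fix the policy at the source and use this to verify the result.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [int]$MaxIdleSeconds = 900,
    [switch]$Remediate
)

# "Interactive logon: Machine inactivity limit" (Security Options). Windows locks
# the session after InactivityTimeoutSecs seconds; 0 or absent means disabled.
# This is the one to rely on: it does not depend on a screen saver being selected.
$machineKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Screen saver policy for the current user (User Configuration > Administrative
# Templates > Control Panel > Personalization). These values are REG_SZ strings.
$userKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # missing key or value: "Not Configured"
}

function Set-PolicyValue {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path, [string]$Name, $Value, [string]$Type)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    if ($PSCmdlet.ShouldProcess("$Path\$Name", "Set to $Value")) {
        Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type $Type
    }
}

# Each check: where the value lives, what to set it to, and a predicate that
# decides whether the current value already meets the bar.
$checks = @(
    @{ Path = $machineKey; Name = 'InactivityTimeoutSecs'; Type = 'DWord'; Want = $MaxIdleSeconds
       Ok = { param($v) ($null -ne $v) -and ([int]$v -ge 1) -and ([int]$v -le $MaxIdleSeconds) } }
    @{ Path = $userKey; Name = 'ScreenSaveActive'; Type = 'String'; Want = '1'
       Ok = { param($v) "$v" -eq '1' } }
    @{ Path = $userKey; Name = 'ScreenSaverIsSecure'; Type = 'String'; Want = '1'
       Ok = { param($v) "$v" -eq '1' } }
    @{ Path = $userKey; Name = 'ScreenSaveTimeOut'; Type = 'String'; Want = "$MaxIdleSeconds"
       Ok = { param($v) ("$v" -match '^\d+$') -and ([int]$v -ge 1) -and ([int]$v -le $MaxIdleSeconds) } }
)

$results = foreach ($c in $checks) {
    $current = Get-PolicyValue -Path $c.Path -Name $c.Name
    $ok = & $c.Ok $current
    if (-not $ok -and $Remediate) {
        Set-PolicyValue -Path $c.Path -Name $c.Name -Value $c.Want -Type $c.Type
        $current = Get-PolicyValue -Path $c.Path -Name $c.Name   # re-read: did it stick?
        $ok = & $c.Ok $current
    }
    [pscustomobject]@{
        Setting   = $c.Name
        Current   = if ($null -eq $current) { 'Not Configured' } else { "$current" }
        Required  = "$($c.Want)"
        Compliant = [bool]$ok
    }
}

$results | Format-Table -AutoSize
# A non-zero exit lets a monitoring or RMM job treat a drifted host as a failure.
if ($results.Compliant -contains $false) { exit 1 } else { exit 0 }
```

Saved as, say, Test-SessionLock.ps1 (name assumed), `.\Test-SessionLock.ps1` reports drift, `.\Test-SessionLock.ps1 -Remediate -WhatIf` shows what would change, and `-Remediate` applies it. The screen saver values are included because many environments still enforce the lock that way, but a screen saver timeout only locks the session if a screen saver is actually selected, which is why the machine inactivity limit is the setting to treat as authoritative.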
The Bottom Line
CIS 4.3 is one of the easiest controls to understand and one of the easiest to let slide. The 15-minute and 2-minute thresholds exist because unattended devices are a real and common attack vector, and the window between someone stepping away and someone else sitting down is shorter than most people think.
The good news is that biometric authentication on Windows, Mac, iOS, and Android has matured to the point where locking a screen and getting back in takes less time than typing a password. There is no meaningful tradeoff between security and convenience here anymore. You just have to turn it on and enforce it.
At Forthright Technology Partners, we help organizations configure and enforce device security policies across Windows, Mac, and mobile environments. If you are not sure how your current lock screen policies stack up, that is a conversation worth having.
