Apple iOS/iPadOS 18 must be configured to enforce a passcode reuse prohibition of at least two generations.

Description

<VulnDiscussion>iOS-iPadOS 17 and later versions include a feature that allows the previous passcode to be valid for 72 hours after a passcode change. If the previous passcode has been compromised and the attacker has access to it and the Apple device, enterprise data and the enterprise network can be compromised. Currently there is no MDM control to force the old passcode to expire immediately after passcode change. The previous passcode will expire immediately after a passcode change if the MDM password history control is implemented. SFRID: FMT_SMF.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>