
Mobile Device Security: Face ID, PIN, Remote Wipe

This chapter covers mobile device security mechanisms—Face ID, PIN, and remote wipe—as tested on the CompTIA A+ 220-1101 exam (Objective 1.2: Mobile Devices). These authentication and data protection features are critical for securing devices in enterprise environments. Approximately 5-10% of exam questions touch on mobile device security, often asking about configuration, differences between methods, and appropriate use cases. By the end of this chapter, you'll understand how each mechanism works, when to use them, and how they interact with device management policies.

Updated May 31, 2026

Mobile Security: Hotel Key Card System

Imagine a high-security hotel where each guest gets a key card that unlocks only their room. The card has a unique code, but the lock also requires a PIN (like Face ID or a passcode) to grant access. If a guest loses their card, the front desk can instantly deactivate it and issue a new one, preventing anyone from using the old card. This is like a remote wipe: the IT admin can remotely erase a lost phone. Face ID is like the hotel's facial recognition at the door—it only unlocks for the registered guest. A PIN is like the room safe combination: simple but effective if changed regularly. The hotel's system logs every access attempt, just as mobile devices log authentication events. If a guest fails to enter the correct PIN three times, the lock temporarily disables (like device lockout). The hotel manager can remotely lock all doors in an emergency—similar to an enterprise remote lock command. The key difference is that a lost key card can be deactivated without erasing the room's contents, but a remote wipe destroys all data on the device, like burning the room's contents. This analogy underscores that mobile security is about balancing convenience (quick access) with protection (preventing unauthorized entry).

How It Actually Works

What Are Mobile Device Security Mechanisms?

Mobile device security mechanisms—Face ID, PIN, and remote wipe—are essential tools for protecting data on smartphones and tablets. They fall under the broader category of device authentication and data protection. The CompTIA A+ 220-1101 exam expects you to know their purpose, how they work, and how they are configured or triggered.

Face ID is a facial recognition system introduced by Apple with the iPhone X. It uses a TrueDepth camera system to map the user's face with over 30,000 invisible dots, creating a depth map and an infrared image. This data is processed by the Secure Enclave (a dedicated hardware security processor) and compared against enrolled face data. Face ID is designed to adapt to changes in appearance (e.g., glasses, beard) but requires attention detection—the user must look at the device with open eyes. It can be used to unlock the device, authorize Apple Pay, and access password-protected apps.

PIN (Personal Identification Number) is a numeric passcode, typically 4-6 digits on iOS and 4-16 digits on Android. It is the simplest form of device lock. On iOS, a longer alphanumeric passcode can be set for stronger security. The PIN is stored in the device's secure enclave and is used to encrypt the device's data. If the device is lost or stolen, the PIN prevents unauthorized access. PINs are vulnerable to shoulder surfing and brute-force attacks, so devices often enforce lockout after multiple failed attempts.

Remote wipe is the ability to erase all data on a device from a remote location, typically triggered via an enterprise mobile device management (MDM) solution or a cloud service like Find My iPhone (iOS) or Find My Device (Android). This is a last-resort security measure when a device is lost or stolen and the data is sensitive. Remote wipe can be a full factory reset or a selective wipe of corporate data only (when using MDM with containerization).

How They Work Internally

Face ID Mechanism:
1. The TrueDepth camera projects over 30,000 infrared dots onto the user's face.
2. An infrared camera captures the dot pattern, creating a depth map and a 2D infrared image.
3. This data is sent to the Secure Enclave, which compares it against the enrolled face data using neural network algorithms.
4. If the match succeeds and attention is detected (eyes open, looking at screen), the device unlocks.
5. The face data is encrypted and stored only in the Secure Enclave—never in the cloud or accessible to iOS.

PIN Mechanism:
- On iOS, the device uses the PIN to derive an encryption key via PBKDF2 (Password-Based Key Derivation Function 2) with many iterations. This key is used to decrypt the device's data protection class keys.
- On Android, the PIN is used similarly with the KeyStore and Gatekeeper. The PIN is hashed and stored in a secure area.
- After a certain number of incorrect attempts (configurable, default 10 on iOS), the device can be set to wipe itself.

Remote Wipe Mechanism:
- An MDM server sends a wipe command to the device via push notification (APNs for iOS, FCM for Android).
- The device receives the command and initiates a factory reset, which overwrites the encryption keys, making data unrecoverable.
- For selective wipe, the MDM removes corporate apps and data from a managed container, leaving personal data intact.
- On iOS, Find My iPhone can trigger a remote wipe from iCloud.com. The device must be online to receive the command.
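The PIN and remote wipe mechanisms above meet at the encryption key, and the following added example (not code from this chapter or from Apple or Google) models that link: a PIN is stretched with PBKDF2 into a key that unwraps a random data key, and both the failed-attempt limit and a wipe command work by destroying the wrapped key. The `ModelDevice` class, the iteration count, the sample PIN and the XOR key wrap are assumptions made for illustration; real devices bind the derivation to hardware and use AES key wrapping.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 50_000        # assumed PBKDF2 work factor for this model
MAX_FAILED_ATTEMPTS = 10   # the "Erase Data" threshold described above


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class ModelDevice:
    """Hypothetical model: PIN -> PBKDF2 -> key-encryption key -> wrapped data key."""

    def __init__(self, pin: str, erase_after_failures: bool = True):
        self.salt = os.urandom(16)
        self.erase_after_failures = erase_after_failures
        self.failed_attempts = 0
        data_key = os.urandom(32)          # random key that protects user data
        kek = self._derive(pin)
        # Toy key wrap (XOR plus an HMAC tag); it only models the dependency
        # of the data key on the PIN, not a production wrapping scheme.
        self.wrapped_key: Optional[bytes] = _xor(data_key, kek)
        self.tag: Optional[bytes] = hmac.new(kek, self.wrapped_key, hashlib.sha256).digest()

    def _derive(self, pin: str) -> bytes:
        # Many iterations make every PIN guess expensive.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, ITERATIONS)

    @property
    def wiped(self) -> bool:
        return self.wrapped_key is None

    def unlock(self, pin: str) -> Optional[bytes]:
        """Return the data key for the correct PIN, otherwise None."""
        if self.wiped:
            return None                    # nothing left to unwrap
        kek = self._derive(pin)
        expected = hmac.new(kek, self.wrapped_key, hashlib.sha256).digest()
        if hmac.compare_digest(expected, self.tag):
            self.failed_attempts = 0
            return _xor(self.wrapped_key, kek)
        self.failed_attempts += 1
        if self.erase_after_failures and self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.wipe()                    # local "Erase Data" policy
        return None

    def wipe(self) -> None:
        """Crypto-erase: discard the wrapped key so stored ciphertext is useless."""
        self.wrapped_key = None
        self.tag = None


if __name__ == "__main__":
    phone = ModelDevice("482913")          # constructed sample PIN
    print("unlock with correct PIN:", phone.unlock("482913") is not None)
    phone.wipe()                           # stands in for an MDM or Find My wipe command
    print("unlock after wipe:", phone.unlock("482913"))
```

After `wipe()` even the correct PIN returns nothing, which is why a wipe cannot be undone once the key material is gone.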

Key Components, Values, and Defaults

Face ID: Requires iPhone X or later; iPad Pro (3rd gen) or later. It can be used for up to two faces. Attention detection is on by default. Face ID will not work if the device is in lost mode or if the user has not looked at the device for a while (attention aware).

PIN: iOS allows 4-digit, 6-digit, or custom alphanumeric passcodes. Default is 6-digit. Android allows 4-16 digit PINs. After 10 failed attempts, iOS can be set to wipe (default is off). On Android, the lockout time increases after repeated failures.

Remote Wipe: Can be initiated via MDM, Find My iPhone, Find My Device, or Exchange ActiveSync (for corporate email). On iOS, a remote wipe is irreversible—the device cannot be recovered. On Android, a factory reset can be undone if the device is still logged into the Google account (Factory Reset Protection).

Configuration and Verification

Configuring Face ID on iOS:
- Go to Settings > Face ID & Passcode.
- Enroll face by following on-screen instructions (rotate head slowly).
- Toggle options for iPhone Unlock, iTunes & App Store, Apple Pay, etc.

Configuring PIN on iOS:
- Settings > Face ID & Passcode > Turn Passcode On.
- Choose 4-digit, 6-digit, or custom code.
- Set Erase Data option to wipe after 10 failed attempts.

Configuring PIN on Android:
- Settings > Security > Screen lock > PIN.
- Enter desired PIN.
- Set lock screen timeout and automatic lock.

Remote Wipe via MDM:
- Admin console sends 'Wipe' command.
- Device must be enrolled in MDM and online.
- Verify by checking device status in MDM dashboard (e.g., 'Wipe pending' or 'Wipe successful').

Remote Wipe via Find My iPhone:
- Go to iCloud.com/find.
- Select device and click 'Erase iPhone'.
- Confirm with Apple ID password.
- The device will wipe when online.

Interaction with Related Technologies

MDM: Manages device policies, including passcode complexity, Face ID enrollment, and remote wipe triggers. MDM can enforce PIN length and lockout policies.

Biometric Authentication: Face ID and Touch ID are alternatives to PIN. They are more convenient but less secure than a strong passcode because they can be bypassed (e.g., with a photo, though Face ID is resistant). On the exam, know that biometrics are not a substitute for a strong passcode—the device still requires a passcode to enroll biometrics.

Encryption: On iOS, data is encrypted by default when a passcode is set. The passcode is used to generate the encryption key. Without the passcode, data cannot be decrypted. Remote wipe destroys the encryption keys.

Factory Reset Protection (FRP): On Android, after a remote wipe, the device requires the original Google account credentials to set up again. This prevents unauthorized use after a wipe.

Exam Tips

Know that Face ID uses infrared projection, not visible light. It works in the dark.

Understand that a PIN is the fallback authentication method when Face ID fails (e.g., after restart, after 48 hours of non-use, after 5 failed Face ID attempts).

Remote wipe is a last resort—it cannot be undone. For iOS, the device must be connected to the internet. For Android, the device must be signed into a Google account.

The exam may ask which security method is best for a given scenario: Face ID for convenience, PIN for simplicity, remote wipe for lost devices.

Traps: Candidates often think Face ID is more secure than a PIN. In reality, a complex alphanumeric passcode is more secure because it's not susceptible to facial similarity. Also, remote wipe does not affect the SIM card or external storage (if any).

Walk-Through

1. Enroll Face ID on iOS

The user goes to Settings > Face ID & Passcode and selects 'Set Up Face ID'. The TrueDepth camera begins scanning the user's face. The device instructs the user to rotate their head slowly to capture the face from multiple angles. The camera projects over 30,000 infrared dots and captures the depth map. This data is processed in the Secure Enclave to create a mathematical representation of the face, which is encrypted and stored locally. The enrollment process requires two scans for accuracy. Once complete, Face ID is active for unlocking the device and apps that support it.

2. Authenticate with Face ID

When the user wakes the device (e.g., by raising it or tapping the screen), the TrueDepth camera scans the face. It projects infrared dots and captures the pattern. The Secure Enclave compares the live scan against the enrolled face data. If the match is within the threshold and attention is detected (eyes open, looking at the screen), the device unlocks. If attention is not detected (e.g., eyes closed), the unlock fails. After five failed attempts, the device falls back to requiring the passcode. Face ID also requires the passcode after a restart or after 48 hours of non-use.

3. Set PIN on Android

The user navigates to Settings > Security > Screen lock and selects PIN. They enter a numeric code (4-16 digits) and confirm it. The device stores a salted hash of the PIN in the Gatekeeper secure area. The PIN is used to derive an encryption key for the device's credential storage and full-disk encryption (if enabled). The user can set lock screen timeout (e.g., 30 seconds) and automatic lock (e.g., immediately when sleep). The PIN is the primary authentication method; biometrics are secondary.

4. Trigger Remote Wipe via MDM

An IT administrator logs into the MDM console and selects the lost device. They issue a 'Wipe' or 'Erase' command. The MDM server sends a push notification via APNs (Apple) or FCM (Google) to the device. The device receives the command and confirms with the MDM server. The device then initiates a factory reset, which overwrites the encryption key storage area, making all data unrecoverable. The device reboots and goes through the initial setup process. On Android, Factory Reset Protection may require the original Google account to proceed.

5. Remote Wipe via Find My iPhone

The user or admin goes to iCloud.com/find and signs in with the Apple ID. They select the lost device from the list and click 'Erase iPhone'. A confirmation dialog appears, warning that all data will be erased. After confirming, Apple's servers send a wipe command to the device via APNs. The device must be online. If offline, the wipe will execute when the device next connects. The device displays a message that it is being erased. The process is irreversible. After the wipe, the device cannot be tracked via Find My iPhone.

What This Looks Like on the Job

Enterprise Deployment Scenarios

Scenario 1: Corporate-Owned Devices with MDM

A company issues iPhones to its sales team. The IT department uses an MDM solution like Jamf Pro or Microsoft Intune to enforce security policies. All devices must have a 6-digit PIN enabled, and Face ID is optional. The PIN complexity policy requires at least one non-repeating digit. The MDM also enables 'Erase Data' after 10 failed attempts. If a salesperson's phone is lost, the IT admin can remotely wipe the device from the MDM console. The wipe command is sent via APNs, and the device is erased immediately if online. The company also uses a selective wipe for corporate data only, preserving personal apps and photos. A common issue is that users disable Face ID to save battery, but the PIN remains mandatory. The MDM reports compliance status; non-compliant devices are quarantined from corporate email.

Scenario 2: BYOD with Containerization

A hospital allows nurses to use personal Android phones for work. The IT department deploys an MDM with a work profile container (Android Enterprise). The work profile enforces a separate PIN (6-digit) for accessing work apps. Face ID is not available on Android, but fingerprint or face unlock (if supported) can be used for the work profile. If a nurse loses their phone, the IT admin can perform a selective wipe of the work profile, removing hospital data without affecting personal data. The remote wipe command is sent via FCM. A challenge is that the device must be online and the work profile must be active. If the nurse changes their personal PIN, the work profile remains locked. The MDM can also enforce a device-level PIN of at least 4 digits for the entire phone.

Scenario 3: Education with Shared iPads

A school uses shared iPads in classrooms. Each student logs in with a managed Apple ID. The iPads are configured with a simple 4-digit PIN for quick access. Face ID is disabled because multiple users share the device. The school uses an MDM to push a configuration profile that sets the PIN to expire every 90 days. If a student forgets their PIN, the teacher can reset it via the MDM. Remote wipe is reserved for stolen devices. When a wipe is triggered, the device is erased and re-enrolled in MDM automatically upon setup. The school must ensure the iPads are connected to Wi-Fi to receive wipe commands. A pitfall is that if the device is offline for an extended period, the wipe command may be delayed, leaving data exposed.
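The compliance reporting in Scenario 1 and the delayed-wipe pitfall in Scenario 3 can be checked with the same audit pass, shown here as an added example that is not taken from any MDM product. The `DeviceRecord` fields, the device names, the inventory and the 24-hour pending-wipe limit are constructed assumptions; the PIN length and Erase Data threshold come from Scenario 1.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

MIN_PIN_LENGTH = 6                       # Scenario 1: 6-digit PIN required
REQUIRED_ERASE_THRESHOLD = 10            # Scenario 1: Erase Data after 10 failures
MAX_WIPE_PENDING = timedelta(hours=24)   # assumed escalation limit, not from the page


@dataclass
class DeviceRecord:                      # hypothetical inventory record
    name: str
    pin_length: int                      # 0 means no PIN is set
    erase_after_failures: Optional[int]  # None means Erase Data is off
    wipe_requested_at: Optional[datetime] = None
    wipe_completed: bool = False


def audit(device: DeviceRecord, now: datetime) -> List[str]:
    """Return the policy findings for one device (empty list = compliant)."""
    findings: List[str] = []
    if device.wipe_requested_at is not None:
        # A wipe only runs once the device is online, so a long-pending
        # command means the data is still sitting on a lost device.
        if not device.wipe_completed:
            pending = now - device.wipe_requested_at
            if pending > MAX_WIPE_PENDING:
                hours = int(pending.total_seconds() // 3600)
                findings.append(f"wipe pending {hours}h, device still offline")
        return findings
    if device.pin_length < MIN_PIN_LENGTH:
        findings.append(f"PIN length {device.pin_length} below {MIN_PIN_LENGTH}")
    if device.erase_after_failures != REQUIRED_ERASE_THRESHOLD:
        findings.append("Erase Data after 10 failed attempts not enabled")
    return findings


def non_compliant(devices: List[DeviceRecord], now: datetime) -> Dict[str, List[str]]:
    """Map device name -> findings for every device that needs attention."""
    report = {}
    for device in devices:
        findings = audit(device, now)
        if findings:
            report[device.name] = findings
    return report


# Constructed sample inventory for the demonstration.
NOW = datetime(2026, 1, 15, 12, 0)
INVENTORY = [
    DeviceRecord("sales-01", 6, 10),
    DeviceRecord("sales-02", 4, 10),
    DeviceRecord("sales-03", 6, None),
    DeviceRecord("sales-04", 6, 10, wipe_requested_at=NOW - timedelta(hours=2)),
    DeviceRecord("sales-05", 6, 10, wipe_requested_at=NOW - timedelta(hours=50)),
    DeviceRecord("sales-06", 6, 10, wipe_requested_at=NOW - timedelta(hours=50),
                 wipe_completed=True),
]

if __name__ == "__main__":
    for name, findings in non_compliant(INVENTORY, NOW).items():
        print(name, "->", "; ".join(findings))
```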

How 220-1101 Actually Tests This

What the 220-1101 Exam Tests

The CompTIA A+ 220-1101 exam covers mobile device security under Objective 1.2: 'Given a scenario, install and configure mobile device security.' Specifically, you must know how to configure and use Face ID, PIN, and remote wipe. The exam questions are typically scenario-based: 'A user lost their phone with sensitive corporate data. Which security feature should be used?' The correct answer is 'Remote wipe'. Another common question: 'Which authentication method provides the strongest security?' The answer is 'A complex alphanumeric passcode', not Face ID. Face ID is convenient but not as secure.

Common Wrong Answers and Traps

1. Face ID is the most secure authentication. Many candidates think biometrics are more secure because they are unique. However, a long passcode is more secure because it cannot be spoofed with a photo or video. Face ID has a false match rate of about 1 in 1,000,000, but a 6-digit PIN has a 1 in 1,000,000 chance of being guessed (if no lockout). A longer alphanumeric passcode is exponentially stronger.

2. Remote wipe can be reversed. Some candidates think a remote wipe is like a factory reset that can be undone. In reality, a remote wipe destroys the encryption keys, making data unrecoverable. On iOS, it is irreversible. On Android, Factory Reset Protection can be bypassed by the original owner, but the data is still gone.

3. Face ID works with a photo. The exam tests that Face ID uses depth mapping and infrared, so a 2D photo cannot fool it. Some older Android face unlock (not Face ID) could be tricked with a photo, but Apple's Face ID is more secure.

4. PIN and passcode are the same. The exam uses 'PIN' for numeric codes and 'passcode' for alphanumeric. A passcode is more secure.

Specific Numbers and Terms

Face ID uses over 30,000 infrared dots.

PIN: default 6-digit on iOS, 4-digit on Android (though can be longer).

Erase Data after 10 failed attempts (iOS, default off).

Remote wipe requires internet connection.

Face ID requires attention detection (eyes open).

After 48 hours of non-use or 5 failed attempts, Face ID requires passcode.

Edge Cases

If a device is offline, remote wipe will occur when it next connects. This can be a security gap if the device remains offline indefinitely.

On Android, if the device is factory reset without first removing the Google account, Factory Reset Protection (FRP) locks the device. This is a security feature but can be a nuisance if the device is legitimately resold.

For corporate devices, MDM can enforce a PIN history policy (e.g., cannot reuse last 5 PINs).

How to Eliminate Wrong Answers

If the question asks for 'authentication to unlock the device', eliminate options that are not authentication (e.g., remote wipe).

If the question mentions 'lost device with sensitive data', the answer is remote wipe or remote lock.

If the question asks for 'most secure', choose the longest alphanumeric passcode, not biometrics.

If the question involves 'corporate email on personal device', consider selective wipe via MDM.

Key Takeaways

Face ID uses over 30,000 infrared dots and a depth map, not a simple camera image.

A PIN is a numeric code; a passcode is alphanumeric and more secure.

Remote wipe is a last-resort measure that erases all device data and cannot be undone.

Remote wipe requires the device to be online (connected to Wi-Fi or cellular).

On iOS, after 10 failed passcode attempts, the device can be set to erase all data (Erase Data option).

Face ID requires attention detection (eyes open) to prevent unauthorized unlocking.

After a restart or 48 hours of non-use, Face ID requires the passcode to be entered first.

On Android, Factory Reset Protection (FRP) prevents unauthorized use after a remote wipe.

MDM can enforce PIN complexity, enable remote wipe, and perform selective wipes for corporate data.

Biometric authentication (Face ID) is a convenience feature, not a replacement for a strong passcode.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Face ID

Uses biometric facial recognition with infrared dot projection

More convenient—unlocks instantly when looking at the device

Cannot be shared or guessed, but can be spoofed with a mask (rare)

Requires attention detection (eyes open) to prevent unlocking while asleep

Falls back to passcode after 5 failed attempts, 48 hours of non-use, or after restart

PIN/Passcode

Requires manual entry of numeric or alphanumeric code

Less convenient but more secure if complex

Can be shared intentionally or observed via shoulder surfing

No attention detection—anyone who knows the code can unlock

No fallback—always required; lockout after repeated failures (e.g., 10 attempts to wipe)

Watch Out for These

Mistake

Face ID is more secure than a strong passcode.

Correct

A strong alphanumeric passcode is more secure because it cannot be bypassed by a similar-looking person or a high-resolution photo. Face ID has a false match rate of 1 in 1,000,000, but a 10-character complex passcode has 94^10 possible combinations—far more secure.

Mistake

Remote wipe deletes everything including the SIM card and SD card.

Correct

Remote wipe only erases the internal storage (and encryption keys). The SIM card and any external SD card are not affected. The SIM remains active unless deactivated by the carrier separately.

Mistake

A PIN is the same as a passcode.

Correct

A PIN is a numeric code (typically 4-6 digits), while a passcode can include letters and special characters. The exam uses 'passcode' for alphanumeric and 'PIN' for numeric. Passcodes are more secure.

Mistake

Face ID works in the dark because it uses visible light.

Correct

Face ID uses infrared projection and an infrared camera, so it works in complete darkness. It does not rely on visible light.

Mistake

Remote wipe can be undone if the device is recovered.

Correct

Remote wipe is irreversible. Once executed, all data is erased and cannot be recovered. The device can be set up as new, but the data is gone.

Frequently Asked Questions

Can Face ID be fooled by a photo or twin?

Face ID is designed to resist spoofing with photos or masks. It uses depth mapping and infrared, so a 2D photo cannot fool it. However, identical twins or very close family members may be able to unlock each other's devices. The probability is low but possible. Apple states the false match rate is 1 in 1,000,000. For high-security needs, use a complex passcode.

What happens if I forget my iPhone passcode?

If you forget your iPhone passcode, you must erase the device using a computer with iTunes or Finder (or use recovery mode). This will delete all data. There is no way to recover the passcode due to encryption. To avoid data loss, regularly back up your device.

How do I remotely wipe an Android device?

You can remotely wipe an Android device using Find My Device (android.com/find). Sign in with the Google account on the device, select the device, and choose 'Erase device'. The device must be online and have Find My Device enabled. Alternatively, an MDM can send a wipe command.

Can remote wipe be canceled?

Once a remote wipe command is sent and received by the device, it cannot be canceled. The device will proceed with the wipe. If the device is offline, the command is pending and could theoretically be canceled by the MDM before the device comes online, but this is not guaranteed. On iCloud, there is no cancel option after confirming.

Does Face ID work with sunglasses?

Face ID works with most sunglasses, but some polarized lenses may interfere with the infrared projection. If Face ID fails, it will prompt for the passcode. You can set up an alternate appearance (e.g., with glasses) in Face ID settings.

What is the difference between remote wipe and remote lock?

Remote wipe erases all data on the device, making it unrecoverable. Remote lock simply locks the device with a new passcode and displays a custom message (e.g., 'Return to...'). Remote lock does not delete data. The exam may test that remote lock is a less destructive option.

How does selective wipe work in MDM?

Selective wipe (or corporate wipe) removes only the managed corporate data from a device, such as email profiles, VPN configurations, and managed apps. Personal data (photos, personal apps) remains. This is used in BYOD scenarios. The MDM sends a command to remove the management profile and associated data.
