
Two-factor authentication and smart cards for the DOD


Not so long ago, as Peter Steiner’s cartoon published in The New Yorker put it, one dog said to another: “On the Internet, nobody knows you’re a dog.”

I remember this from the late 90s to early 2000s; do you remember those dot-bomb days? And yes, who cares if I am dating myself!

At the time, I had started working in sales, and my company, Xcert International, had an awesome Public Key Infrastructure (PKI) product that competed against the likes of Entrust and Netscape. It could help people, at least in the U.S. Federal government and the Department of Defense (DOD) for starters, start moving away from usernames and passwords and start using a smart card: two-factor authentication, with something you have (your CAC/PIV smart card) and something you know (your PIN). That is a very basic overview of two-factor authentication, I know, but you get the idea.

Two-factor authentication isn’t just for techies

Two-factor authentication isn’t just for the techies anymore, the way it used to be. As more and more internet-savvy generations come of age they will see its importance, and most digital users are already seeing it today, since nearly everyone is exposed to it at some point.

Whether it’s for your video game account, your cell phone account, or something else, more and more applications and vendors are using some form of two-factor authentication.

SMS is useful because everybody has a phone and is attached to it all day long, but it is not always the most secure option, for many reasons: who knows who has your phone now, such as a sibling who wants to avenge something? A one-time passcode application running on that phone, on the other hand, now we’re talking! Better yet, in DOD or the Federal Government, put a sled on that mobile device so a CAC or PIV can be used to authenticate to that iPad, Android or iPhone.


As everybody moved away from keeping everything on local mainframes and local storage, networks spread, and the internet recovered from the dot-bomb days and turned from a crawl into a sprawl, the importance of two-factor authentication started to take hold. I know this because I was trying to sell RSA SecurID and also RSA Keon PKI, which was really the Xcert PKI that RSA had acquired. Everywhere I went, everybody was kicking the tires on PKI, but few were implementing and deploying it outside their labs, other than DOD.


DOD rolled out the CAC card and realized there were many benefits: far fewer help desk calls for forgotten or expired passwords, and more secure networks. After all, cutting off username-and-password access axed the vulnerability of easily obtaining a username and password through social engineering, or, better yet, through bad software, which as you know can accidentally come from the good guys and be mistakenly exploited!

Once DOD deployed CAC, they also started to realize the benefits of being able to use CAC/PIV smart card authentication not just for logical access to their secure domain but also for websites and other applications that supported CAC authentication.

And as a bonus, it can also be used for physical access, which has mostly stayed with Radio Frequency Identification (RFID)-based solutions. We didn’t sell a lot of PKI back then, in the late 90s and early 2000s, but just about every customer we tried selling PKI to was using one-time passcodes, mostly RSA SecurID key fobs, and the admin with the most key fobs around his or her neck was usually the leader of the tech team. Ah, those were the days!

We didn’t have to sell PKI back then to be successful, as the key fobs were selling themselves: every VPN admin had at least one, and multiply that throughout the organization and you’re looking at a lot of key fobs, almost like the most flair in Office Space, or at least that’s what it reminds me of.

Come a long way!

We have come a long way, and without referencing any numbers, what you will find is that the DOD has implemented and deployed CAC card logon for logical access across all branches: smart card login to domains, websites, e-mail, and other homegrown or third-party apps that support CAC/PIV smart card login.

Although DOD says they are moving away from the CAC card, chances are the next solution will still be PKI-based, whether it lives on a smart card or uses other forms of authentication: DNA, fingerprint, voice, retina, so many choices now that I give up, but you know what I mean. On the Federal side, the DHS HSPD-12 creators have not done as well deploying throughout, but they have come a long way.

Many suggest the problem on the Federal side had to do with it not being a funded program. Much more emphasis is now coming from the OIG and from getting systems an Authority to Operate (ATO) through Certification and Accreditation, which is helping to push agencies to continue implementing PIV, at a better rate, and to punish those agencies that aren’t stepping up to the plate to help secure our government and its resources.
