Traditional authentication mechanisms, such as username/password combinations, offer only a single factor of authentication: something the user knows. Common access cards, on the other hand, provide two: something the user knows (the PIN) and something the user has (the card).
"With username and password, the adversary only needs to obtain the password in order to gain network access," said Bob Fedorchak, a principal information security engineer supporting the Army's Communications-Electronics Research, Development and Engineering Center (CERDEC), within the Space and Terrestrial Communications Directorate in the Cyber Security & Information Assurance Division. "With a CAC, an adversary must physically obtain the CAC and also obtain the PIN to the card."
Also contributing to CAC adoption are recent memos and tasking orders from the Department of Defense CIO, U.S. Cyber Command and Army Cyber Command that mandate the use of CAC and SIPR tokens — the CAC equivalent on SIPRNet — to improve security on other networks, such as tactical and research development test and evaluation networks.
But until authentication technologies and approaches improve, struggles associated with management of CACs will continue to counter the security benefit within a variety of DoD end-user environments.
Strengths and weaknesses
The CAC's physical form factor, along with policies governing its use, supply the card's greatest strength as an authentication tool, according to Fedorchak. Yet CACs can be easily lost or damaged, requiring a replacement card to be issued. CACs are also difficult to use with many types of mobile devices, including smartphones and tablets.
"These challenges can be an inconvenience to civilians, contractors and soldiers operating in the rear, but have a major impact on mission performance for soldiers at the tactical level," Fedorchak said.
Kayvan Alikhani, senior director of technology at security solutions provider RSA, noted that the challenges associated with use of CACs with mobile devices is actually a key security attribute.
"Because a CAC needs an insert-based, contact-based reader, it's not contactless," he said. "The reason why the DoD went with contact versus contactless cards was that the contact system closed the challenge of someone eavesdropping on the traffic that goes between the card and the card reader."
The CAC is also highly vulnerable to "the bathroom effect," he said, where somebody inserts the card and has to go to a conference, a meeting or the restroom, and they leave their card in the reader. "They have to remember to remove the card, yet the card is kept inserted and so it's very easy to steal it," he said.
Another serious drawback to CAC technology emerges when troops in a brigade command post need to access multiple systems simultaneously, yet have only a single CAC on hand. That doesn't meld well with systems that need to remain active and visible at all times and cannot be impacted by one soldier removing their CAC and another soldier inserting their CAC during shift change, Fedorchak said.
"CERDEC S&TCD is working to identify courses of action that can be used to improve the use of the CAC in the tactical environment and reduce the impacts to our soldiers," Fedorchak said.
Despite its drawbacks, CAC technology isn't likely to go away anytime soon, according to John Padgette, a senior manager at the cybersecurity practice of Accenture Federal Services. "Augmentation, however, is definitely needed in order to raise the level of authentication trust for the entire enterprise, as well as improve usability for mobile clients," he said.
Looking for answers
Driven by the lack of CAC support on mobile platforms and other issues, several federal agencies/services are piloting the use of derived credentials — carried in a mobile device instead of the card — to generate authentication, Padgette said. NIST SP 800-157 provides guidelines on using credentials derived from a user's PIV card or CAC. "Per their name, these derived credentials are tied to the user's PIV/CAC, therefore this approach augments the CAC but does not replace it," Padgette said.
Authentication needs to be more comprehensive in order to provide better protection against increasingly sophisticated threats, said Peter Romness, cybersecurity programs lead for Cisco Systems' U.S. public sector group. "It needs to be more than just who a person is," he said. "We need to know who the user is, where they are connecting from, when the connection is being made and how the user is trying to connect — wired, wireless, internet or VPN."
Tracking such characteristics can help analysts identify potential anomalies in user behavior, Romness added, which could signal a potential threat. And the capability to report who, what, where, when and how is already available in most network devices using features of the 802.1x standard as well as other features, such as secure group tags. Many organizations, including groups in DoD, are starting to use this technology.
Alikhani noted that technologies that promise to make the CAC even stronger in the years ahead are beginning to become available. "There is group level work in terms of ultimately making it so that you can have, for example, a fingerprint reader or a fingerprint sensor on the CAC card, along with the ability to do matching and verification on the CAC card as well," he said.
Fedorchak said other technologies may eventually emerge to challenge the CAC's dominance. "There are ongoing efforts to evaluate other form factors, such as virtual tokens, mobile devices, flexible tokens and wearable form factors, such as ID bracelets, as alternatives for user authentication," he said. "CERDEC S&TCD is performing the research and development to address these issues and to help shape how authentication will be performed in the future."