Tactical Information Systems
Biometric Identification Software
SERVER.png

Tactical Information Systems Blog

Identity & Technology

Replacing the Common Access Card (CAC)

Common Access Card

Common Access Card

The DoD Common Access Card (CAC) is the standard ID used by members of the US military and DoD civilians. The current program was started in 1999 when Congress directed the DoD to implement a smart-card system. At the time, this was new technology, but smart cards have become ubiquitous since then. The CAC uses a secure, encrypted chip and a PIN - basically the same technology as credit card "chip and pin" used in the EU for years and now becoming standard in the US. This is solid two-factor authentication - the card is "something you have" and the PIN is "something you know". Because of the encryption used by the digital certificates, it is essentially impossible to counterfeit a CAC card. The PIN cannot be read from the chip, it can only be verified by the chip. CACs are used to login to DoD websites and DoD computers world-wide.

Former DoD CIO stated that the CAC's days are numbered because it is "neither secure nor agile." I am not sure why he said the CAC was not secure; as far as I know there are no known vulnerabilities for smart cards. However, it is certainly not agile. The DoD was leading technology to implement a large-scale smart card identity credential, but in the intervening years this technology has become ubiquitous and commercialized; the DoD is replicating technology and infrastructure that is likely to be cheaper "off the shelf".

As a replacement for the CAC, the DoD is considering a number of technologies, and likely a suite of technologies instead of a "one size fits all" approach. For example, they are looking at behavioral biometrics (typing styles) and lower-cost USB tokens like the Yubikey. They are also considering piggy-backing on the ubiquitous cell phone. Phones are interesting because they can provide multiple factors - a token (something you have), a PIN (something you know) and biometrics (something you are), as well as alternative factors like geo-fencing (where you are). 

Using biometrics for a future CAC card does present some unique challenges, especially at DoD scale. Biometrics can be stored on the chip securely, and verified. Or they can be collected using a fingerprint reader in concert with a CAC card and matched at a server. Unfortunately, both of these solutions would require the deployment of millions of fingerprint readers which seems unlikely.

The current CAC is still a very secure identity credential, especially considering that it is almost 20 years old at this point. Deploying a new identity system for millions of people in extremely sensitive environment is going to be complex, expensive process that will likely take many years. However, it is refreshing to see that the DoD is looking at commercial technology first and not attempting to implement a single solution that has to be shoe-horned into working for everyone.