DOD CIO Terry Halvorsen threw down the gauntlet at a Washington conference in June. The fifteen-year-old Common Access Card, long the staple of physical and logical access in the military, will be phased out within two years. Now DOD agencies are searching for answers. What will replace the CAC card?
The short answer: we don’t know. Halvorsen himself admitted in a later interview that he signalled the end of the CAC card without a concrete plan for what comes next: “It’s a two-year goal and plan. Do I have all the details worked out? No.”
Logical access is one of the main drivers behind the need to replace the CAC, and Halvorsen specifically mentioned that any replacement solution would involve “true multi-factor” authentication. There are plenty of factors out there to use: biometrics, personnel information, behavioral authentication, and other pieces of the existing Public Key Infrastructure (PKI). But how will they be incorporated into existing systems?
Considering Next Steps without the CAC Card
Faced with a clear challenge, technical teams within DOD and beyond are starting to investigate their response. But with all of the technologies and solutions out there, where can they start? Which of these technologies and solutions will be a worthy investment of scarce resources? Here are some key considerations for DOD agencies grappling with what comes after the CAC card:
For most authentication platforms, “multi-factor authentication” is actually code for “two-factor authentication with the limited factors of our choosing.” More often than not, those two factors are a password and a card – in effect, the inadequate system which many in DOD use today. This limited support narrows the security aspirations of “multi-factor authentication” considerably, offering little more than the current CAC solution.
With this in mind, flexibility of factors should be at the heart of any agency’s considerations. Rather than locking themselves into one or two factors, agencies should be able to select the ones that they want, when they want. This is the heart of what Crossmatch calls “composite authentication” – the idea that users and administrators should be able to use the full range of authentication factors to meet their particular use case.
As those use cases and the threats which drive them change, solutions should provide authentication factors which evolve accordingly. Composite authentication means being able to switch from a one-time password to biometrics when particularly sensitive information requires additional protection. It means being able to add a continuous authentication layer, such as mouse movements or typing styles, to prevent the transfer of information after an authorized user has logged on.
Compatibility Across the Enterprise
A significant challenge for any CAC replacement system is finding a solution which works seamlessly across mobile platforms and fixed systems without compromising on security. With this in mind, a layered approach to authentication appears to be the best place to start. Rather than re-engineering existing systems, a future CAC replacement solution should work on top of them, adding a new security infrastructure to current investments in hardware and software.
On unclassified fixed systems, Microsoft’s Active Directory is the ideal mechanism to layer multi-factor authentication onto existing infrastructure. This is why the Crossmatch DigitalPersona platform works through Active Directory to maintain access controls using the full range of authentication factors. This allows system administrators to deploy the power of composite authentication in any way they want, all while providing a seamless experience for the user.
Stronger mobile device authentication will add additional factors to the phones and tablets which many agencies already use in the field. The challenge will be to do so seamlessly and securely, satisfying system administrators, end-users and those in charge of cybersecurity at the same time. The DigitalPersona platform solves this problem by integrating existing mobile device features with strong additional factors such as one-time passwords, all while offering a seamless user experience.
Compatibility of any new identity management system will be a particular challenge on classified systems, which are unable to actively communicate with unclassified PKI infrastructure. This has long been a weakness of the CAC card, and without a creative new approach it will remain an issue.
The existing alternatives – creating parallel PKI systems for each classification level, building new identity and access management systems from scratch – are unpalatable to say the least. Most authentication solutions require a connection to the Internet, which means that they would have to be customized through a long development effort if the military wanted to adapt them specifically for use on classified systems.
Crossmatch DigitalPersona handles all of these challenges in a single platform with no need to revise or replace existing systems. As a stand-alone program which does not require a connection to the internet, DigitalPersona is ideally suited for closed networks. To get around the need for a PKI infrastructure, DigitalPersona uses secure “wrappers” to emulate that same functionality without costly system alterations.
A Forward Leap
In the Federal government procurement cycle, two years is like the blink of an eye. While the challenge of replacing CAC card functionality for logical access will probably take longer, DOD agencies are already searching for alternatives to get ahead of the curve.
Crossmatch DigitalPersona is a fully mature platform which already addresses many requirements of the CAC replacement in unique and innovative ways. Through wide scale use in the commercial world, DigitalPersona has evolved beyond traditional two-factor authentication and multi-factor authentication to a composite authentication solution which meets requirements across a broad set of use cases – all of which are directly applicable in the government sector.