For years, the Defense Department bounced back and forth between defining its primary authentication credential as DoD public key infrastructure or the Common Access Card, particularly in relation to the department's unclassified networks.
Referring to the CAC as the primary authenticator largely simplified credentialing, but it also effectively excluded various hardware tokens that are also capable of securely storing DoD-approved PKI credentials — sometimes even offering stronger access management.
Now, the Defense Department's latest memo on multifactor authentication for unclassified and secret networks clarifies that the department's PKI credential — not the plastic card that stores it — is the true primary verification of a user's identity.
“I think this new memo and those conversations that helped with this new memo realized that they need to remove focus off of the hardware, the container — the card stock, in this case. That is not the thing that actually provides someone access. It’s the credential that’s stored on it,” Alex Antrim, senior solutions engineer at Yubico, told Federal News Network. “So once that clicked in those round table discussions, they removed focus from the container that holds the credential and put focus on the credential itself, regardless of what container that credential is stored on. And I think that’s very, very helpful for this space.”
The memo makes it clear that the Defense Department has no plans to move away from PKI for primary credentialing anytime soon. When PKI is available, particularly for CAC holders, the memo says it must be used.
But the new policy approves newer technologies, such as FIDO2 passkeys, that can enable password-free, phishing-resistant authentication in scenarios where standard PKI authentication is not feasible. Earlier DoD guidance allowed a form of FIDO authentication called FIDO U2F, which still relied on usernames and passwords.
“Unsurprisingly, DoD did not just approve passkeys in general, so it’s not a bring-your-own-authenticator type approval. They still say a passkey with a specific technology,” said Adam Oliver, senior solutions engineer at Yubico. “Vendors will still need to come in, find an organization that’s going to want to get it approved and go through the processes defined in that memo to get it onto the list. But now that door is open.”
It’s the latest development in a longstanding debate about secure access management within DoD.
“Previously, if you brought up FIDO within DoD, the reactions would be varied. You get some people that were very excited about it as a newer, modern authentication method that’s also based on cryptography. But then you’d get people that would go, ‘No, no. PKI is the gold standard, period. We would never look at anything else,’” Oliver said. “And the memo, in those scenarios, does really define if a CAC holder gets a FIDO2 credential, how you bind that to that identity and make sure that the FIDO credential is deactivated based on certain things happening with the certificate, such as it expiring and being revoked.”
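The lifecycle rule Oliver describes, a passkey honored only while the PKI certificate it was bound to at enrollment stays valid, as an added illustration in Python (not the memo's or Yubico's code; the binding registry, the record names and the constructed revocation list are assumptions):

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed model of a relying party's own records; not any DoD system's schema.
@dataclass
class PkiCert:
    serial: str          # certificate serial number
    subject: str         # identity the certificate asserts (hypothetical DN-style string)
    not_after: datetime  # expiry

@dataclass
class PasskeyBinding:
    credential_id: str   # FIDO2 credential id registered by the user
    subject: str         # identity the passkey was bound to at enrollment
    cert_serial: str     # serial of the PKI certificate presented at enrollment
    active: bool = True

def cert_is_valid(cert: PkiCert, revoked_serials: set, now: datetime) -> bool:
    """A certificate is usable only if unexpired and absent from the revocation list."""
    return cert.serial not in revoked_serials and now < cert.not_after

def reconcile_bindings(bindings, certs_by_serial, revoked_serials, now):
    """Deactivate every passkey whose bound certificate is expired, revoked, unknown,
    or no longer names the bound subject. A renewed certificate has a new serial, so
    the user re-enrolls against it rather than the old binding carrying over."""
    deactivated = []
    for b in bindings:
        if not b.active:
            continue
        cert = certs_by_serial.get(b.cert_serial)
        if cert is None or cert.subject != b.subject or not cert_is_valid(cert, revoked_serials, now):
            b.active = False
            deactivated.append(b.credential_id)
    return deactivated

def demo():
    now = datetime(2026, 1, 15, tzinfo=timezone.utc)
    certs = {c.serial: c for c in [
        PkiCert("1001", "CN=ALICE", datetime(2027, 1, 1, tzinfo=timezone.utc)),    # valid
        PkiCert("1002", "CN=BOB", datetime(2027, 1, 1, tzinfo=timezone.utc)),      # revoked below
        PkiCert("1003", "CN=CAROL", datetime(2025, 12, 31, tzinfo=timezone.utc)),  # expired
    ]}
    revoked = {"1002"}  # constructed revocation list
    bindings = [
        PasskeyBinding("cred-alice", "CN=ALICE", "1001"),
        PasskeyBinding("cred-bob", "CN=BOB", "1002"),
        PasskeyBinding("cred-carol", "CN=CAROL", "1003"),
        PasskeyBinding("cred-dave", "CN=DAVE", "1004"),  # certificate no longer on file
    ]
    return reconcile_bindings(bindings, certs, revoked, now)  # -> ['cred-bob', 'cred-carol', 'cred-dave']
```

Run the reconciliation on every CRL refresh or certificate-status event, not only at login, so a revoked CAC certificate disables the linked passkey promptly.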
Making the non-PKI use circumstances
Antrim said one of the highlights of the memo is a clear set of tables outlining use cases, personas and specific scenarios, giving DoD organizations clearer guidance on when and how to deploy approved non-PKI authentication solutions.
“That has always been a challenge in the past where organizations were looking to innovate, and they could not get that clarity out of existing policies. [CAC] is cumbersome. It’s something I have to keep hold of. I can’t lose it. It is very challenging to get a new one,” Antrim said. “With these alternative authenticators listed in this new memo, it gives many more options to organizations that are looking to provide easier ways for service members to get access to critical mission data.”
The memo also includes a number of use cases for people who don't hold a CAC, including foreign mission partners. In those environments, DoD has historically relied on identity federation, allowing partner nations to authenticate their own users and assert their identities back to DoD systems.
The new guidance adds options for authentication and instruction on access management when working with foreign mission partners. As one use case example, the memo describes a combatant command that “owns and runs an information system specifically intended to rapidly engage foreign mission partners in nontraditional missions such as humanitarian assistance, disaster response, or stability operations.”
It’s a theoretical scenario with significant real-life implications.
“My perspective, at least from a former Navy service member, is the mission partner environment is an area that needs some innovation — and it has been handcuffed to either trying to issue Common Access Cards to foreign mission partners, which is near impossible, or using less-secure methods to hand out to foreign mission partners to get them onboarded into an environment to share critical mission data,” Antrim said.
“If you have joint operations with other mission partners and other allies, sharing mission data is critical. If you have to waste time trying to onboard that person or that unit into your environment, the mission suffers,” he added. “With these new technologies and the use cases, there’s clear guidance that says: If you are standing up an ICAM for a mission partner environment that needs to issue tokens to foreign mission partners so they can access secret, now you have a list of approved authenticators that supports that.”
Copyright
© 2026 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.