Q&A with Air Force Reserve Col. Tri Trinh (ret.) and Navy Reserve Senior Chief Petty Officer Alex Antrim (ret.).
Q: What was your personal experience as a member of the military, and what made you look into non-CAC authentication alternatives?
Tri:
In 2019, I was a Colonel in the Air Force Reserve on full-time military orders working at the Pentagon under the Secretary of the Air Force Chief Data Office. I helped deploy the Air Force Connect enterprise mobile app as a Spark Tank project. AF Connect had a CAC feature that used a mobile CAC reader and physical Common Access Card (CAC) to authenticate into CAC-enabled sites. The footprint of a mobile CAC reader and CAC card sticking out of a phone and tablet got old fast.
With the YubiKey from Yubico, I was able to use the DISA Purebred Registration Application to enroll and provision my YubiKey with my CAC certificates and PIN.
I was dual-hatted as a Squadron Commander at the time with a government issued iPhone. I turned in my government iPhone and used my personal phone to access .mil email. Having to carry an extra phone for email when I already had access with a YubiKey was a burden I didn’t need, so it really made my life easier.
Alex:
As a Navy Reservist, I was not issued a government laptop or mobile device to perform military-based tasks. Reservists have to rely on their own devices when not in drilling status. This meant buying my own smart card reader – sometimes more than one – so I could use my CAC. With varying USB connections on my devices, it was hard to keep the right dongles at the ready.
When I found out that YubiKeys were approved to hold DoD-issued credentials, similar to my CAC, I jumped at the chance to put one to use. I was able to find a Purebred agent in my Navy Reserve unit that helped provision my FIPS YubiKey with Purebred credentials. I was instantly impressed with how easy the YubiKey was used to authenticate into the Navy workstations in my unit’s computer lab. When I plugged the YubiKey into the Navy desktop computer, it saw the credentials, asked for PIN, and I was logged into the workstation.
I had the same easy experience with YubiKey on my personal laptop, so I could check email and attend Teams meetings in between drill weekends. The last test was for my personal mobile phone which was successful too. I was able to shelve my smart card readers and get to work.
How has authentication changed in the armed forces, and where do you see it going in the next decade?
Alex:
The military is often slow to move on new authentication standards, so other than the shift from CAC credentials to the PIV standard (aligning with the federal government’s PKI), service members must still rely on smart cards to authenticate to devices and services. However, I can confirm people at high levels are looking closely at the most up-to-date FIDO2 standard and are working through testing. I hope and expect that soon there will be an approval document coming from the DoD CIO office. Flexibility is going to be really important to service members. A uniformed person should not have to worry about multiple CAC readers or what device is within reach. All they need to have is their provisioned YubiKey, plug it into their device, and conduct business as usual.
Tri:
The good news is that YubiKey is a multi-protocol authenticator, so it can closely follow the evolution path that DoD is on. Once DoD gives the green light on deploying FIDO2 credentials for stronger authentication, YubiKey is already FIDO2 compliant and the transition should be seamless.
How does a hardware-based authentication device like the YubiKey make service members’ lives easier?
Alex:
One important and positive difference between the YubiKey and the CAC is that no identifying and amplifying information is on the YubiKey. The CAC is instantly recognizable around the world as a form of identification for members of the U.S. Armed Services. Service members serving overseas are taught to blend in and not draw attention to themselves (for good reason). But try doing that when a DoD identification card is hanging out of a laptop or mobile phone when you’re in public at a coffee shop! If it’s a dongle, or something larger like a reader, there’s a much higher likelihood that it breaks. A low profile device like the YubiKey ends up being a huge value-add to those serving outside the continental US.
Tri:
Definitely agree. And there are a number of other reasons you might want more flexibility and speed when you’re overseas. For example, you only get one CAC – if you lose it, you’re looking at weeks of downtime while you struggle to get a new one issued. But if you have a backup YubiKey in your kit, and you’re able to authenticate with it, you’ve solved that problem. Even if you don’t have a backup handy, getting a replacement can be done same-day, plus some shipping time, as you won’t have to go through the CAC-replacement channels.
Speaking of “low profile,” are there other security concerns service members have that are avoided when you can authenticate without a reader?
Alex:
Well, as I mentioned, the port connections on different devices and laptops often require more readers than one person wants to carry while traveling or working in a non-military-base environment. Some readers have even been known to carry malware, as they are not required to have the same compliance checks as a YubiKey. So if a service member unwittingly gets a reader from some unauthorized provider, there’s a significant risk that it could be compromised and create a vulnerability.
Tri:
Right. CAC remains a very secure channel for authentication, especially when it’s used at sanctioned workstations or on base. When you’re talking about gaining access to a military installation, or proof of eligibility for healthcare and military benefits (e.g. commissary, BX/PX/NEX, billeting), then you’re still going to go with CAC. It’s not going anywhere.
But we live in a much more mobile work environment world than we did 20 years ago. So it’s worth discussing how we can augment current authentication in different contexts, especially mobile environments. How do we add value and make things easier to use for the rank-and-file servicemember who may be working at multiple sites, that’s what we’re working on improving.
What other applications would strong non-CAC authentication have, the ones we may not immediately think about?
Alex:
I think mission partners are something to consider. The military works with so many mission partners that don’t have CAC-enabled ability to authenticate securely.
DoD wants to maintain secure coalition networks for intelligence and data sharing with mission partners. Those networks often bring new authentication challenges. FIDO2 is an option to bring phishing-resistant MFA to non-CAC eligible mission partners that need to securely authenticate into a coalition network.
Tri:
There’s another benefit for those who have already served. If you’re working with a hardware-based key like a YubiKey, that can be carried with you once you are discharged from the service. So even after you no longer have a CAC, you can use a YubiKey to log on to VA services, the IRS, or other federal and state agencies that support FIDO2.