2
2
0
I was recently in a discussion regarding logging in to government computers. Personally I think the DOD should abandon the Smart Card schema for logging in to .mil domain. It's cumbersome, has significant PII loss risk, and can be expensive. Biometric scanners (fingerprint) can be purchased now for about the same cost as CAC readers and in my opinion are more secure. What does the community here think about this?
Cybersecurity
CAC
Physical Security
Posted 10 y ago
Responses: 10
4
4
0
Finger print scanners are extremely unsecure. Watch the myth busters episode. It's ridiculously easy to bypass.
(4)
(0)
In my opinion, smartphone enabled two factor authentication is better than either biometric scanners or CAC readers.
Biometric scanners can be manipulated, and don't always even work, which leads to a frustrating user experience. CAC readers have their own problems (namely that 99% of computers in the world don't have a CAC reader and the proper software configured). However, you can use two-factor authentication through your personal smartphone. After entering your regular password on a web site, you get a text message on your phone with a 6 digit code which is good for like 10 minutes, and good only once. You type that code in, and you're set. You therefore need to know both your password and have physical possession of your personal cell phone to log on, which is essentially what CAC accomplishes, minus all the headaches. If a cell phone is lost or stolen (just like a CAC card could be), then that cell phone can be cancelled from the network. And just like a CAC card, the cell phone is actually worthless just by itself, since you still need the user's actual web site password to get in.
Two factor authentication is already available on sites like Facebook, Google, and Dropbox. I would guess that the government might move to it eventually (though it may be 10+ years). Integrating people's personal cell phones into the mix is probably a bit too unorthodox for the government to seriously consider it for now.
If you use Google, you can enable this and also tell it to only check it when you are on new computer. Here are the steps:
https://www.google.com/landing/2step/
Biometric scanners can be manipulated, and don't always even work, which leads to a frustrating user experience. CAC readers have their own problems (namely that 99% of computers in the world don't have a CAC reader and the proper software configured). However, you can use two-factor authentication through your personal smartphone. After entering your regular password on a web site, you get a text message on your phone with a 6 digit code which is good for like 10 minutes, and good only once. You type that code in, and you're set. You therefore need to know both your password and have physical possession of your personal cell phone to log on, which is essentially what CAC accomplishes, minus all the headaches. If a cell phone is lost or stolen (just like a CAC card could be), then that cell phone can be cancelled from the network. And just like a CAC card, the cell phone is actually worthless just by itself, since you still need the user's actual web site password to get in.
Two factor authentication is already available on sites like Facebook, Google, and Dropbox. I would guess that the government might move to it eventually (though it may be 10+ years). Integrating people's personal cell phones into the mix is probably a bit too unorthodox for the government to seriously consider it for now.
If you use Google, you can enable this and also tell it to only check it when you are on new computer. Here are the steps:
https://www.google.com/landing/2step/
With 2-Step Verification, you’ll protect your account with both your password and your phone
(2)
(0)
SSG Jeffrey Spencer
CAC is not all that user friendly. The chip can be scanned easily. The antenna embedded in the card always breaks. It's more frustrating than necessary.
(1)
(0)
MSgt (Join to see)
The problem with this is that it doesn't do anything for folks who work in facilities that prohibit personal electronics.
(0)
(0)
LTC Yinon Weiss
Sure, but if you work in a place that prohibits personal electronics, you can probably use a CAC to log in a properly configured system. The 2-factor method I listed above would allow for security and convenience of logging in from home, which is where most people have problems.
(1)
(0)
CW4 (Join to see)
Yinon this would be a great fix for users logging in from home. It is a difficult process to get your personal computer configured properly for CAC enabled login. Also most personal laptops don't have internal CAC readers which causes soldiers to purchase their own or bring one home on the governments dime.
(0)
(0)
1
1
0
I think the problem with biometrics, if we decide to go that route would be the enrollment time, privacy issues and errors. For example if a person that works with their hands a lot and the skin becomes damaged, the possibly of a false rejection would be high. I also don't think that we would have the manpower to maintain the proper Crossover Error Rate(CER). If you start moving to retina, iris or voice print I just know that there will be some privacy issues. In my opinion the best was to use this technology is the defense in depth strategy.
(1)
(0)
Read This Next
Continue with Facebook 
Continue with Google