Despite several years of talk about getting rid of the Common Access Card, the CAC has continued to be the toilet paper stuck to the Department of Defense’s shoe.
In 2016, then-DoD CIO Terry Halvorsen unveiled a plan to replace the CAC in two years with a multi-pronged biometric system. By last September, however, about the time that two-year window was up, current CIO Dana Deasy admitted that “the CAC will remain the department’s principal authenticator for the foreseeable future.”
But hopes of authenticating access to DoD buildings and systems without using the multi-factor card (which, while effective, is not always suitable for circumstances involving DoD personnel) aren’t dead. The Navy, for one, is making headway with a mobile application that lets sailors access part of their Electronic Training Jacket (ETJ) without a CAC. The service on Jan. 8 launched the MyNavy Portal MyRecord Mobile (Beta) App on Android and iOS platforms.
Although it’s a beta version with limited functionality, the Navy sees it as a significant start on taking the CAC out of the loop, beginning with human resources services such as personnel, pay, and training applications. The app “is our first step to providing these services without using a Common Access Card,” Vice Adm. Robert Burke, chief of naval personnel, said in an announcement. “We are committed to expanding CAC-less services with the same level of security and convenience sailors expect from their personal banking services. In time, sailors will be able to conduct all personnel transactions using their mobile device.”
The MyRecord App is starting small, giving sailors read-only access to a portion of the training and personnel information in their ETJ. At this point, the primary purpose of that access is to let sailors offer feedback on its functionality, which the Navy says is essential to developing the app further. Some errors are expected early on, though the Navy expects to build on assessments of the system and steadily add new capabilities and functionality. “Sailors can expect continuous updates to the app that will offer more tools right at their fingertips and allow them and their spouse to accomplish things that used to require a trip to a Personnel Support Detachment,” Burke said. He added that personnel “can expect continuous improvement in how personnel services are delivered in the coming months.”
Sailors can download the free app, available for iOS 10, 11, and 12 and Android 6, 7, 8, and 9, from the Apple App Store, Google Play Store, or the Navy App Locker. A third-party app approved by the Navy, Okta Verify, then lets them create a multi-factor authentication account in a portal, in a process that takes less than five minutes, the Navy said.
While the Navy develops its mobile app for personnel services, the DoD has not given up on the idea of a biometric system that eventually could replace CACs across the board, though it won’t happen overnight. The Defense Information Systems Agency (DISA) a year ago awarded Qualcomm a contract to develop an “actionless authentication” system based on the company’s Snapdragon Mobile Platform.
DISA’s general idea is to use varying combinations of up to 10 or so biometric and behavioral traits (such as facial and voice recognition, retina and iris scanning, gait, speech patterns, device handling, and keystroke cadences) to create an “identity score” for authenticating authorized personnel. The Defense Advanced Research Projects Agency’s Active Authentication program also has included behavioral biometrics and behavioral traits, as has the Defense Innovation Unit in programs such as its Multifactor Authentication for Network Access (MANA).
Despite some progress toward a comprehensive biometric/behavioral authentication system, and the likelihood that artificial intelligence and machine learning could make such systems much more viable, the CAC and its civilian-agency counterpart, the Personal Identity Verification card, are going to stick around for a while. The CAC will be part of the DoD’s next Federal Identity, Credential, and Access Management (FICAM) strategy, which is currently in the works. But the DoD says it is looking to incorporate new technologies, so the Navy’s MyRecord App might be one small step toward a CAC-less future.