Theofanos, M.
, Garfinkel, S.
and Choong, Y.
(2016),
Secure and usable enterprise authentication: Lessons from the Field, IEEE Security & Privacy, [online], https://doi.org/10.1109/MSP.2016.96
(Accessed April 24, 2024)
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS
A lock (
) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
Secure and usable enterprise authentication: Lessons from the Field
Published
Author(s)
, ,
Abstract
There are now more than 5.4 million Personal Identity Verification (PIV) and Common Access Card (CAC) identity cards deployed to US government employees and contractors. These cards are widely used to gain physical access to federal facilities, but their use to authenticate logical access to government information systems has been uneven. We report the reasons for the uneven deployment and then compare the results of a 26,691-person survey within the Department of Defense (DoD) and a 4,573-person survey within the Department of Commerce (DOC) to show that the use of smart-cards for 2-factor authentication results in improved usability and security when compared with 1-factor, password-only systems. We show that these benefits extend beyond the smart cards to other systems within the organizations that solely employ password authentication. We argue that PKI token-based authentication systems, such as smartcards, are likely to provide authentication that is simultaneously more secure and more usable than other 2-factor approaches, such as combining strong passwords with cell phones or with time-based hardware identity tokens.Citation
IEEE Security & Privacy
Pub Type
Journals
Download Paper
Keywords
PIV, HSDP-12, CAC, smartcard, 2-factor authentication
Citation
Created October 26, 2016, Updated November 10, 2018